Beyond Banking OAuth2 Login
OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, in this case any OBP REST call. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access that account. OAuth 2 provides authorization flows for web and desktop applications and for mobile devices. It defines four roles:
- Resource Owner
- Client
- Resource Server
- Authorization Server
The Resource Owner is the user who authorizes an application to access their account. The application's access to the user's account is limited to the "scope" of the authorization granted (e.g. openid).
The Authorization Server verifies the identity of the user and then issues access tokens to the application, e.g. MITREid Connect.
The Resource Server hosts the protected user resources, e.g. OBP-API.
The Client is the application that wants to access the user's resources. To do that it must be authorized by the user, and the authorization must be validated by the Authorization Server.
OAuth 2 defines four grant types, each of which is useful in different cases:
- Authorization Code: used with server-side Applications
- Implicit: used with Mobile Apps or Web Applications (applications that run on the user's device)
- Resource Owner Password Credentials: used with trusted Applications, such as those owned by the service itself
- Client Credentials: used for API access by the application itself, with no user involved
At the moment OBP-API supports only the Authorization Code grant.
Register your client application at the following page: https://beyondbanking-oauth2.openbankproject.com/manage/dev/dynreg
Mandatory fields on the Main tab:
- Client name
- Redirect URI(s)
Mandatory fields on the Access tab:
- Scope
- Grant Types
Using your favorite web browser, request a URL like this one: https://beyondbanking-oauth2.openbankproject.com/authorize?response_type=code&client_id=client&redirect_uri=https://YOUR-APPLICATION.com/&scope=openid
It is assumed that you are already logged in at the server https://beyondbanking-oauth2.openbankproject.com.
If you are NOT, you will be redirected to the login page https://beyondbanking-oauth2.openbankproject.com/login. Please note that the user credentials are the same as at the Beyond Banking instance.
Here is an explanation of the link components:
- https://beyondbanking-oauth2.openbankproject.com/authorize: the API authorization endpoint
- client_id=client: the application's client ID (how the API identifies the application)
- redirect_uri=CALLBACK_URL: where the service redirects the user-agent after an authorization code is granted; it must match a Redirect URI registered for the client
- response_type=code: specifies that your application is requesting an authorization code grant
- scope=openid: specifies the level of access that the application is requesting
If the user clicks "Authorize Application", the service redirects the user-agent to the application's redirect URI, which was specified during client registration, with the authorization code appended as a query parameter:
https://YOUR-APPLICATION.com/?code=AUTHORIZATION_CODE
The redirect would look something like this: https://YOUR-APPLICATION.com/?code=h7jSgP
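The two client-side steps above (building the authorization request and handling the redirect back) as an added example; this is not code from OBP-API or the Beyond Banking sandbox. It adds a `state` parameter, which the page's URL omits, so that the client only exchanges a code it asked for; the endpoint, client ID and redirect URI are the page's own values, the function names are mine.

```python
from secrets import token_urlsafe
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_ENDPOINT = "https://beyondbanking-oauth2.openbankproject.com/authorize"


def build_authorize_url(client_id: str, redirect_uri: str, state: str, scope: str = "openid") -> str:
    """Build the authorization request. urlencode percent-encodes redirect_uri, so the
    callback URL's own '/' and any query string cannot be confused with /authorize parameters."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # unguessable per-session value, stored in the user's session
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the client.
    The callback is refused when its state does not match the one this session issued,
    so a code planted by someone else (login CSRF) is never exchanged for a token."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    return query["code"][0]


if __name__ == "__main__":
    state = token_urlsafe(16)
    print(build_authorize_url("client", "https://YOUR-APPLICATION.com/", state))
    # A redirect like the one on the page, with the state echoed back by the server:
    print(parse_callback(f"https://YOUR-APPLICATION.com/?code=h7jSgP&state={state}", state))
```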
The application then requests an access token from the API by passing the authorization code, along with its authentication details (including the client secret), to the API token endpoint.
If the authorization is valid, the API sends a response containing the access token to the application. The entire response will look something like this:
{
"access_token": "eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJtYXJrby5taWxpYyIsImF6cCI6ImU3ZjI3NWE0LWQxOWYtNGFjZC1hMWE0LTBiOTRkOTU4ZjViZiIsImlzcyI6Imh0dHBzOlwvXC9iZXlvbmRiYW5raW5nLW9hdXRoMi5vcGVuYmFua3Byb2plY3QuY29tXC8iLCJleHAiOjE1Mjc3ODQ5MzIsImlhdCI6MTUyNzc4MTMzMiwianRpIjoiNzg5NmI4OTItYzFhOS00OTRkLThhNzktZWI2YTYxMDM1NTc5In0.Y1QXe68xDW7YjfgfY_LDSprM4he7n2jMDSE6jZOwsoIeu_GLqjbeBki6--nLIB964I6B2E303ccXzPBVI_s7ky5k8X4UxNH_hb9rqbegV96GNL54kinQWqSk2X0IdzQ4tCZybtwgERFDgc4NlSLxook2RE1LzETIoCpzI6Qlc4hkk3y7ENM9dqDCXp9E-v8f76EFAjmrN6vDOlHAFn3rP07os2EAVQH13_yrwJkOc-dqB00KAnoi9ypGmh3BrTohz1IE4RPqajq8rLWiJouu_hKyElpvTfC-fNMF4Uo0kfZKSvsidP8NjhEwUL9elfDIgpclZqo27ZNCypZ8PK19aQ",
"token_type": "Bearer",
"expires_in": 3599,
"scope": "openid",
"id_token": "eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOiJlN2YyNzVhNC1kMTlmLTRhY2QtYTFhNC0wYjk0ZDk1OGY1YmYiLCJhdXRoX3RpbWUiOjE1Mjc3Nzk0MDQsImtpZCI6InJzYTEiLCJpc3MiOiJodHRwczpcL1wvYmV5b25kYmFua2luZy1vYXV0aDIub3BlbmJhbmtwcm9qZWN0LmNvbVwvIiwiZXhwIjoxNTI3NzgxOTMyLCJpYXQiOjE1Mjc3ODEzMzIsImp0aSI6IjAwNmNkOWQwLTNhZjgtNGQyYy05YTcyLTc1MjNjN2Q2ZGE0NyJ9.kJAr2tdFBdd7AZ6IQVNXID9vm0aLGyFvsbLFU8TCX9PQlL2K_6dVZ0GmOur5sRKCy-25xthRQgCFxbN1vld4MN_C1wT_zE2f2zrQlZ2bX_M7KKfbsxVSueq3hkJw7X-lxsTHQyU9jXsHJHl1bYX80XvkSmKxm1U-_CL_RM4YLbrsS-l-epugA1cj7mokxQlUWXIniLfFretnCjd9Ca_NDNESoxqIjhIfP6w_uSloV67wbNm2-Nid1bbLz1VsJwho5hSj2tBNSkEQggAJg-Vd6JGMp-bDt1x0yDNKAjDEGGUG84rfbom6-AwxPEHV2xh1QIF1bxtuZf8IevO18txkow"
}
Using your favorite HTTP client, call:
GET /obp/v3.0.0/users/current
Body:
Leave empty!
Headers:
Authorization: Bearer ACCESS_TOKEN
Here it is all together:
GET /obp/v3.0.0/users/current HTTP/1.1
Host: localhost:8080
User-Agent: curl/7.47.0
Accept: */*
Authorization: Bearer eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImF6cCI6ImNsaWVudCIsImlzcyI6Imh0dHA6XC9cL2xvY2FsaG9zdDo4MDgwXC9vcGVuaWQtY29ubmVjdC1zZXJ2ZXItd2ViYXBwXC8iLCJleHAiOjE1MTk1MDMxODAsImlhdCI6MTUxOTQ5OTU4MCwianRpIjoiMmFmZjNhNGMtZjY5Zi00ZWM1LWE2MzEtYWUzMGYyYzQ4MjZiIn0.NwlK2EJKutaybB4YyEhuwb231ZNkD-BEwhScadcWWn8PFftjVyjqjD5_BwSiWHHa_QaESNPdZugAnF4I2DxtXmpir_x2fB2ch888AzXw6CgTT482I16m1jpL-2iSlQk1D-ZW6fJ2Qemdi3x2V13Xgt9PBvk5CsUukJ8SSqTPbSNNER9Nq2dlS-qQfg61TzhPkuuXDlmCQ3b8QHgUf6UnCfee1jRaohHQoCvJJJubmUI3dY0Df1ynTodTTZm4J1TV6Wp6ZhsPkQVmdBAUsE5kIFqADaE179lldh86-97bVHGU5a4aTYRRKoTPDltt1NvY5XJrjLCgZH8AEW7mOHz9mw
curl example:
curl -v -H 'Authorization: Bearer eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImF6cCI6ImNsaWVudCIsImlzcyI6Imh0dHA6XC9cL2xvY2FsaG9zdDo4MDgwXC9vcGVuaWQtY29ubmVjdC1zZXJ2ZXItd2ViYXBwXC8iLCJleHAiOjE1MTk1MDMxODAsImlhdCI6MTUxOTQ5OTU4MCwianRpIjoiMmFmZjNhNGMtZjY5Zi00ZWM1LWE2MzEtYWUzMGYyYzQ4MjZiIn0.NwlK2EJKutaybB4YyEhuwb231ZNkD-BEwhScadcWWn8PFftjVyjqjD5_BwSiWHHa_QaESNPdZugAnF4I2DxtXmpir_x2fB2ch888AzXw6CgTT482I16m1jpL-2iSlQk1D-ZW6fJ2Qemdi3x2V13Xgt9PBvk5CsUukJ8SSqTPbSNNER9Nq2dlS-qQfg61TzhPkuuXDlmCQ3b8QHgUf6UnCfee1jRaohHQoCvJJJubmUI3dY0Df1ynTodTTZm4J1TV6Wp6ZhsPkQVmdBAUsE5kIFqADaE179lldh86-97bVHGU5a4aTYRRKoTPDltt1NvY5XJrjLCgZH8AEW7mOHz9mw' http://localhost:8080/obp/v3.0.0/users/current
Configure OBP-API to accept OAuth2 login:
# -- OAuth 2 --------------------------------------------------------------------
# Enable/disable the OAuth 2 workflow on this server instance
# If not defined, the default value is false
# allow_oauth2_login=true
# oauth2.jwt.use.ssl=true
# URL of the authorization server's public JWK set, used for validating bearer JWT access tokens
# oauth2.jwk_set.url=https://beyondbanking-oauth2.openbankproject.com/jwk.json
# ----------------------------------------------------------- OAuth 2 -----------
# Paths to the SSL keystore files - must be a JKS keystore
#keystore.path=/path/to/api.keystore.jks
#keystore.password = redf1234
#keystore.passphrase = redf1234
#keystore.alias = localhost
A typical response from the JWK set URL (the public keys used to validate bearer JWT access tokens):
{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"kid": "rsa1",
"alg": "RS256",
"n": "qt6yOiI_wCoCVlGO0MySsez0VkSqhPvDl3rfabOslx35mYEO-n4ABfIT5Gn2zN-CeIcOZ5ugAXvIIRWv5H55-tzjFazi5IKkOIMCiz5__MtsdxKCqGlZu2zt-BLpqTOAPiflNPpM3RUAlxKAhnYEqNha6-allPnFQupnW_eTYoyuzuedT7dSp90ry0ZcQDimntXWeaSbrYKCj9Rr9W1jn2uTowUuXaScKXTCjAmJVnsD75JNzQfa8DweklTyWQF-Y5Ky039I0VIu-0CIGhXY48GAFe2EFb8VpNhf07DP63p138RWQ1d3KPEM9mYJVpQC68j3wzDQYSljpLf9by7TGw"
}
]
}
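What OBP-API does with `oauth2.jwk_set.url` on every request, shown as an added example that is not OBP-API's own code: the access token from the token response above and the JWK from this JWK set are fed to a resource-server check that pins the algorithm to RS256, selects the key by `kid`, verifies the RSASSA-PKCS1-v1_5 signature with plain integer arithmetic (no third-party library), and only then trusts `exp` and `iss`. The function names, the order of the checks and the expected issuer value are my assumptions; the page's token dates from 2018, so it is rejected today in any case.

```python
import base64, hashlib, json, time

# Access token and JWK copied from this page (kid "rsa1", RS256); everything else is constructed.
ACCESS_TOKEN = "eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJtYXJrby5taWxpYyIsImF6cCI6ImU3ZjI3NWE0LWQxOWYtNGFjZC1hMWE0LTBiOTRkOTU4ZjViZiIsImlzcyI6Imh0dHBzOlwvXC9iZXlvbmRiYW5raW5nLW9hdXRoMi5vcGVuYmFua3Byb2plY3QuY29tXC8iLCJleHAiOjE1Mjc3ODQ5MzIsImlhdCI6MTUyNzc4MTMzMiwianRpIjoiNzg5NmI4OTItYzFhOS00OTRkLThhNzktZWI2YTYxMDM1NTc5In0.Y1QXe68xDW7YjfgfY_LDSprM4he7n2jMDSE6jZOwsoIeu_GLqjbeBki6--nLIB964I6B2E303ccXzPBVI_s7ky5k8X4UxNH_hb9rqbegV96GNL54kinQWqSk2X0IdzQ4tCZybtwgERFDgc4NlSLxook2RE1LzETIoCpzI6Qlc4hkk3y7ENM9dqDCXp9E-v8f76EFAjmrN6vDOlHAFn3rP07os2EAVQH13_yrwJkOc-dqB00KAnoi9ypGmh3BrTohz1IE4RPqajq8rLWiJouu_hKyElpvTfC-fNMF4Uo0kfZKSvsidP8NjhEwUL9elfDIgpclZqo27ZNCypZ8PK19aQ"
JWKS = {"keys": [{"kty": "RSA", "e": "AQAB", "kid": "rsa1", "alg": "RS256",
                  "n": "qt6yOiI_wCoCVlGO0MySsez0VkSqhPvDl3rfabOslx35mYEO-n4ABfIT5Gn2zN-CeIcOZ5ugAXvIIRWv5H55-tzjFazi5IKkOIMCiz5__MtsdxKCqGlZu2zt-BLpqTOAPiflNPpM3RUAlxKAhnYEqNha6-allPnFQupnW_eTYoyuzuedT7dSp90ry0ZcQDimntXWeaSbrYKCj9Rr9W1jn2uTowUuXaScKXTCjAmJVnsD75JNzQfa8DweklTyWQF-Y5Ky039I0VIu-0CIGhXY48GAFe2EFb8VpNhf07DP63p138RWQ1d3KPEM9mYJVpQC68j3wzDQYSljpLf9by7TGw"}]}
ISSUER = "https://beyondbanking-oauth2.openbankproject.com/"  # assumed expected issuer
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_part(token: str, index: int) -> dict:
    """Decode the JWT header (index 0) or claims (index 1) WITHOUT verifying anything."""
    return json.loads(b64url_decode(token.split(".")[index]))


def rsa_pkcs1v15_sha256_verify(n: int, e: int, message: bytes, sig: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256 using plain integer arithmetic (RFC 8017 section 8.2.2)."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t  # EMSA-PKCS1-v1_5 encoding
    return pow(s, e, n) == int.from_bytes(em, "big")


def validate_token(token: str, jwks: dict, issuer: str, now: float = None):
    """Return (True, claims) or (False, reason). Checks, in order: alg, kid, signature, exp, iss."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header, sig = json.loads(b64url_decode(header_b64)), b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and a wrong number of segments
        return False, "malformed token"
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose "none" or HS256
        return False, "unsupported alg"
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        return False, "unknown kid"
    n, e = (int.from_bytes(b64url_decode(key[p]), "big") for p in ("n", "e"))
    if not rsa_pkcs1v15_sha256_verify(n, e, f"{header_b64}.{payload_b64}".encode("ascii"), sig):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))  # claims are trusted only after the signature check
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    return True, claims
```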