Permissions Flow
What is the permissions flow?
We have created a comprehensive consent flow as a way for Banno, financial institutions, and users to provide data permissions to third party applications. Permissions are granted based on granular requests for scopes and claims, which provide limited access to specific data on a per user basis.
- Banno Platform: At the platform level, Banno restricts data based on the endpoints available on the Banno Open API and specifies which scopes and claims are necessary on a per-endpoint basis.
- Financial institutions: We allow financial institutions to specify the type of data available for all customers they serve. This allows financial institutions to limit data access across the entirety of their user base.
- 3rd Party Developers: Permissions are also defined by the scopes and claims a developer requests on a per user basis. If the app doesn’t request specific scopes and claims, then the related data will not be included in the response.
- End User: At the user level, permission is either granted or denied based on the authentication scopes requested by the application. Users are presented with a consent screen to grant or deny the permission requests.
If consent is declined at any level, then that specific data will not be available to the 3rd party application. Because of this, applications should be designed to withstand such changes.
Scopes
Scopes enable your application to access specific API endpoints on behalf of a user. The set of scopes you pass in your initial authorization request determines the access permissions the user is required to grant. Each endpoint in our Consumer API Reference will include any required scopes.
Claims
Claims allow access to authenticated information about a user. More information about claims is available in the Authentication Framework docs.
Consent Experience
The consent experience has two parts:
- Approval Flow
- Connected Apps
The Approval Flow is what a user will see when granting (or re-granting) consent.
The user can view which apps have been granted consent, the kind of consent granted, and revoke consent at any time in their list of Connected Apps.
Approval Flow
When end users authenticate with your application for the first time (or anytime you update your requested scopes or claims), they will be met with an approval flow to consent to share specific data with your app. The consent screen will cover any scopes and claims that your application has requested.
It is suggested that you limit your requested access to only data elements that you specifically need.
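The following is an added example, not code from Banno's documentation. It shows one way to request only the scopes and claims your enabled features need, and to degrade gracefully when consent is declined at any level. The feature names, the `example.accounts.readonly` scope, the client values and the `example.test` URLs are hypothetical placeholders; it assumes the server accepts the standard OpenID Connect `claims` request parameter and reports granted scopes in the token response `scope` field.

```python
import json
from urllib.parse import urlencode

# Hypothetical feature map: every name below is a placeholder, not a Banno identifier.
FEATURES = {
    "greeting": {"scopes": {"profile"}, "claims": {"given_name"}},
    "receipts": {"scopes": {"email"}, "claims": {"email"}},
    "balances": {"scopes": {"example.accounts.readonly"}, "claims": set()},
}

def build_authorization_url(endpoint, client_id, redirect_uri, state, features):
    """Request only the scopes and claims the enabled features need."""
    scopes, claims = {"openid"}, set()
    for name in features:
        scopes |= FEATURES[name]["scopes"]
        claims |= FEATURES[name]["claims"]
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(sorted(scopes)),
    }
    if claims:
        # OpenID Connect "claims" request parameter: JSON keyed by delivery location.
        params["claims"] = json.dumps({"id_token": {c: None for c in sorted(claims)}})
    return endpoint + "?" + urlencode(params)

def usable_features(requested, granted_scope, id_token_claims):
    """Split requested features into usable and unavailable after consent."""
    granted = set(granted_scope.split())
    present = set(id_token_claims)
    usable, unavailable = [], []
    for name in requested:
        need = FEATURES[name]
        ok = need["scopes"] <= granted and need["claims"] <= present
        (usable if ok else unavailable).append(name)
    return usable, unavailable

if __name__ == "__main__":
    print(build_authorization_url("https://auth.example.test/authorize", "demo-client",
                                  "https://app.example.test/cb", "xyz",
                                  ["greeting", "balances"]))
    # Constructed token response: the accounts scope was not granted.
    print(usable_features(["greeting", "balances"], "openid profile",
                          {"sub": "u1", "given_name": "Ada"}))
```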
Connected Apps
Security Settings
The user can find their Connected Apps as part of their Security settings.
List of Connected Apps
The user can view their list of Connected Apps at a glance.
View a Connected App
The user can view the specific details for a Connected App including the kind of consent granted.
The user can also revoke consent at any time.