Authentication Framework > Getting Started

What is it?

The Authentication Framework protects access to user data via modern, battle-tested, tech industry standards such as OAuth and OpenID Connect, which we continue to update as those standards evolve.

The Authentication Framework is also how you can securely map Banno’s customer identifiers to your existing system identifiers.

What is its purpose?

The Authentication Framework is the underlying foundation for every part of the Toolkit (i.e. the Consumer API, Plugin Framework, and Admin API).

  • No API keys: the Authentication Framework does not use API keys.
  • Access tokens for authorized access: instead, the Authentication Framework provides authorized API access via an Access Token.
  • No username or password sharing: the Authentication Framework does not share usernames and passwords with 3rd party developers.
  • Identity tokens for authenticated user info: instead, the Authentication Framework provides authenticated information about the user via an Identity Token.

Quickstarts

Checkpoint
Have you completed the Authentication (Node.js Example) Quickstart for the Consumer API?

Checkpoint
Have you completed the Authentication (Command Line) Quickstart for the Consumer API?

How do I get help?


How do I use it?

These are some of the things you should know about the Authentication Framework.

Architecture

The Authentication Framework is based on the industry standard OAuth 2.0 and OpenID Connect architecture.

Checkpoint
Have you read the Architecture topic?

OAuth 2.0 and OpenID Connect

The Authentication Framework protects user data using the OAuth 2.0 industry standard. With OAuth, users can delegate scoped access to third parties who wish to act on the user’s behalf. The user’s login credentials are never shared with the third party. Instead, authorization is provided to third party apps via an access token.

The Authentication Framework provides user identity information using the OpenID Connect (OIDC) industry standard. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. With OpenID Connect, third party apps are provided authenticated information about the user in the form of an identity token.

Checkpoint
Have you read the OpenID Connect and OAuth 2.0 topic?

Proof Key for Code Exchange (PKCE)

Because the OAuth 2.1 draft specification requires PKCE, our v0 auth endpoints now require it as well. More details about PKCE can be found here: https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce.

We also have a migration guide for transitioning your existing applications.

Checkpoint
Have you read the Proof Key for Code Exchange (PKCE) topic?

Tokens

OAuth 2.0 and OpenID Connect are based on the concept of tokens. There are 3 main types:

  • Access Token
  • Identity Token
  • Refresh Token

Checkpoint
Have you read the Tokens topic?

Permissions flow

The Authentication Framework grants data permissions based on granular request scopes and claims, which provide limited access to specific data on a per-user basis.

Financial institutions are empowered to make choices about the data that gets shared with 3rd party developers.

Checkpoint
Have you read the Permissions Flow topic?

Mapping data to other systems

The Authentication Framework is how you can securely map Banno’s customer identifiers to your existing system identifiers.

The Authentication Framework supports standard OpenID Connect claims which include (but are not limited to):

  • Given name
  • Family name
  • Email
  • Phone
  • Address

The Authentication Framework also supports additional claims that are specific to Banno which include (but are not limited to):

  • Unique customer identifier
  • CIF (banks)
  • Member number (credit unions)
  • NetTeller ID (banks)
  • Tax ID (or SSN)

Checkpoint
Have you read the OpenID Connect and OAuth 2.0 topic?

How have others used it?

These are some of the ways that 3rd party developers have used the Authentication Framework:

  • Cross-reference users with an existing ad targeting system to provide offers tailored to individual users
  • Simplify and prefill a loan application form
  • Enable developers to securely access and share financial data via a secure data access network

Additional details

These are some additional details that you may find useful as you build your apps.

External resources for OAuth 2.0 and OpenID Connect

If you want to learn more about OAuth 2.0 and OpenID Connect, these external resources may be useful:

Other “getting started” pages

These pages will help you get started with other parts of the Digital Toolkit:


Last updated Thu Nov 9 2023