Authentication (Node.js Example)
The Consumer API uses OpenID Connect and OAuth 2.0 for authentication . This Quickstart guides you through making your first OpenID Connect authentication using our example project, Consumer API OpenID Connect Example.
Want to learn more about Authentication? See the Authentication topic for more details.
Prerequisites
Before you get started, you'll need to get these from the back office administrator at your financial institution who has access to Banno People.
If the administrator does not know where to do this, they can review the External application configuration article on the Banno Knowledge site.
- API Credentials
- User Account
API Credentials
You'll need API credentials to exercise the authorization flow. The Banno People administrator at your financial institution can provide you with a client_id and client_secret that you can use to access the Consumer API in your environment.
User Account
You'll need a user account to exercise the authorization flow with a test user.
Software Requirements
Node.js, npm, nvm
The example is built for Node.js and npm.
If you don't have these installed on your system already, you may want to install a Node Version Manager such as nvm.
Consumer API OpenID Connect Example
- Clone the Consumer API OpenID Connect Example repository.
git clone https://github.com/Banno/consumer-api-openid-connect-example.git
- Install project dependencies.
cd consumer-api-openid-connect-example
npm install
Running the Example (Locally)
- Complete the steps from the prerequisites section and navigate to the root folder
consumer-api-openid-connect-example/. - Start the server.
npm start
The server will now be running locally. You'll see this log statement in the terminal:
Environment: local
Server listening on https://localhost:8080...
- Go to https://localhost:8080/login.html in a web browser.
- Click on
Sign in with Bannoand sign in with your Banno Username and Password. You'll be redirected to https://localhost:8080/me and see the OpenID Connect claims for the user.
It'll look similar to this example:
{
"sub": "5cad5c30-6d24-11e9-870c-0242b78f8571",
"address": {
"locality": "Seattle",
"postal_code": "981090000",
"region": "WA",
"street_address": "400 Broad St"
},
"email": "rileydoe@jackhenry.dev",
"phone_number": "+15552368",
"birthdate": "1951-03-02",
"family_name": "Doe",
"given_name": "Riley",
"locale": "en-US",
"name": "Riley Doe",
"picture": "https://digital.garden-fi.com/a/consumer/api/node/public-profile-photo/dmF1bHQ6djE6bEhvR3NUa2dJNzUzOTFYNjd2cnRvRGE0ZUhIRm5MWGM0WGxybllIeDZHVEhpcVZ4KysxWmhVeC8vQWlFLzZZQTdKMjNhUURjUFNZRE5ONWpDczZEK3c9PQ==",
"preferred_username": "rileydoe",
"at_hash": "meToBgo7UfatG825BaaClQ",
"sid": "e10597ce-4b85-4a78-890b-55e2af751c9a",
"aud": "05166b79-4f61-484d-a4b4-2a225926bf4b",
"exp": 1571253248,
"iat": 1571249648,
"iss": "https://digital.garden-fi.com/a/consumer/api/v0/oidc"
}
You'll also see a log statement in the terminal that shows the access_token, id_token, and refresh_token:
TokenSet {
access_token: '<lengthy-json-web-token-string>',
expires_at: 1571334444,
id_token: '<lengthy-json-web-token-string>',
refresh_token: '<lengthy-json-web-token-string>',
scope: 'openid address email phone profile offline_access banno',
token_type: 'Bearer'
}
The access_token contains authorization information about your application regarding which actions it is allowed to perform via the Consumer API. These actions map to the scopes (e.g. openid address email phone profile banno).
The id_token contains authentication information about the user (i.e. claims).
The refresh_token is a credential that can be used to retrieve a new access token (e.g. for when the access token has expired or otherwise been invalidated).
Both the access_token and id_token are in JSON Web Token (JWT) format (see RFC 7519 for specification details).
CAUTION
JSON Web Tokens (JWTs) are credentials which can grant access to resources. It is important to keep them secret.
Next Steps
Congratulations! Continue your learning journey: