Authentication
Plugins
built using the Plugin Framework
use the Authentication Framework to provide secure authentication.
See the Authentication Framework docs for details.
Cookies
The Plugin Framework
is implemented in Banno’s UI via iframes that render individual plugins
.
Web browsers have become increasingly restrictive on cross-site cookie tracking and this affects how cookies can be used within a plugin
.
Development
When developing a plugin
, you may want to set your browser settings as follows.
This is not a solution that will work for Production usage.
- For Chromium-based browsers, you’ll have to configure the browser to allow 3rd party cookies.
- For Firefox, you’ll have to enable 3rd party cookies.
- For Safari, you’ll have to disable the “Prevent cross-site tracking” option.
Production
When you are ready to use your plugin
in Production:
If you need to write a cookie in the plugin
, you’ll need to host your public-facing web server at a subdomain of the Banno Online domain name for your financial institution.
For example, assume you have the following URLs for your financial institution:
- Main (marketing) website:
https://www.institutionname.com
- Banno Online website:
https://banno.institutionname.com
You could host the plugin
at a subdomain named “plugin” which would give you:
- Plugin domain:
https://plugin.banno.institutionname.com
In our browser testing, this subdomain setup is recognized by all browsers and the cookies are not treated as 3rd party cookies.
Browsers and same-origin policy
When using subdomains to host your public-facing web server, keep in mind that browsers will enforce security mechanisms such as the same-origin policy.
Quoted from the same-origin policy docs on MDN Web Docs:
Definition of an origin
Two URLs have the same origin if the protocol, port (if specified), and host are the same for both. You may see this referenced as the “scheme/host/port tuple”, or just “tuple”. (A “tuple” is a set of items that together comprise a whole — a generic form for double/triple/quadruple/quintuple/etc.)
The following table gives examples of origin comparisons with the URL
http://store.company.com/dir/page.html
:
URL Outcome Reason http://store.company.com/dir2/other.html
Same origin Only the path differs http://store.company.com/dir/inner/another.html
Same origin Only the path differs https://store.company.com/page.html
Failure Different protocol http://store.company.com:81/dir/page.html
Failure Different port (http:// is port 80 by default) http://news.company.com/dir/page.html
Failure Different host
HTTPS, Certificates, and Certificate Authorities
You’ll have to take care to ensure that the Certificate Authority (CA) and intermediate certificates are configured correctly for your plugin
server’s SSL certificate.
An incorrect configuration may result in your plugin
’s content failing to display within Banno Online and Banno Mobile.
External Resources
If you want to learn more about handling cookies in your web browser, these external resources may be useful:
If you want to learn more about browser same-origin policy:
- MDN Web Docs: Same-origin policy