Launch the SDK
In order to enter the Impact Finance user experience, the Bank App must provide two things:
- An ID Token as proof of identity and authentication of the End User, and
- a locale code specifying which language to present to the End User.
Using the SDKs, this data is provided as arguments to the launch
method.
Without the SDKs, the same effect can be achieved by by opening a Webview or
iframe with a POST
request to /users/verify_token
with token
and locale
in the request body.
Optionally, a location
can also be provided to deep link into a particular
part of the experience.
After successful token verification, the Impact Finance Web App will issue a session cookie
and redirect the user to either a default or the provided location.
Authentication
We rely on your existing authentication of your customers. Proof of identity and authentication is passed to the Impact Finance Web app via OpenID Connect ID Tokens.
The ID Token should be in the form of a signed (and optionally encrypted) JSON Web Token (JWT), containing the following minimal set of claims to limit data exposure:
iss
: Issuer Identifier for your Authorization Server. It is communicated out-of-band (configured in DEPo) during integration.sub
: Subject Identifier, i.e. anid
for the authenticated End User. If possible, we recommend using a Pairwise Pseudonymous Identifier (PPID).aud
: Audience that this ID Token is intended for. It is communicated out-of-band (configured in DEPo) during integration.exp
: Expiration time, after which the token will not be valid. Also, see token-renewed sessions on how this value affects session duration.iat
: Time at which the JWT was issued.
To improve the user experience of Shared Dreams ("Group Dreams"), the following additional claims should be provided:
given_name
: Given name(s) or first name(s) of the End User.family_name
: Surname(s) or last name(s) of the End-User. To limit data exposure, it's enough to give away the first letter of the family name.
DES expects asymmetric token signatures, with a public key set exposed at a public JWKS endpoint. This endpoint is is configurable in DEPo.
Sequence Diagram
Example authentication using OpenID Connect
Although the ID Tokens must adhere to OpenID Connect standard, it's entirely up to you how you choose to create them (through some OpenID Connect standard flow or through some other custom means). Assuming that your Bank App is a native mobile application though, we provide an example using the OpenID Connect Authorization Code Flow with Proof Key for Code Exchange (PKCE) below:
- We assume that the End User is already logged in to your Bank App, and that this means that a session is established with the Authorization Server that will be used to generate ID Tokens for the Impact Finance Web App.
- Using PKCE, there is no need to store a client secret in the Bank App, nor use the unsafe implicit flow. Instead, a temporary Code Verifier and a Code Challenge is generated by the Bank App. Furthermore, it's assumed that a dedicated Client ID exists for the purpose of generating tokens for the Impact Finance Web App. (This is important to make sure that the ID Tokens cannot be used for anything else than authentication in DES.)
- The Bank App sends an Authorization Code Request
to the Authorization Server with the additional
code_challenge
parameter. To ensure a seamless user experience where the End User is not even aware that the Impact Finance Web App is hosted outside of their Bank App, it is important to make sure that this request can be processed without asking the End User for neither authentication nor consent. Different Authorization Servers handle this differently. In some cases an organization-wide consent can be configured. In others it might be a good idea to specifyprompt=none
to tell the Authorization Server to skip the consent step. This, together with the assumption that the End User already has an authenticated session established (step 1), should ensure that the Authorization Code Request can be handled fully behind the scenes without involving the End User. - Authorization Server responds with a
code
. - The Bank App gets the ID Token from the Authorization Server by sending a
Token Request
with the additional
code_verifier
parameter. - The Authorization Server verifies the code_verifier before...
- ...returning the ID Token.
- The Bank App can now launch the Impact Finance Web App, by handing the ID Token to the SDK.
- Behind the scenes, this means a
POST
request to to/users/verify_token
withtoken
andlocale
in the request body. - The DES Backend fetches the public key corresponding to the asymmetric key pair used to sign the ID Token.
- The DES Backend validates the token, issues a session cookie and redirects into the Web App upon success.