Introduction to OAuth 2
OAuth 2 is the industry-standard protocol for authorization. It allows apps to access user data on another system in a secure, controlled manner without exchanging passwords. An analogy is giving out a passcode that only allows access to your garage instead of a master key to your entire house. You’re only granting access to specific resources, and that access can be easily revoked at any time.
Definitions
- Client. The app requesting access to financial data (your app in this case).
- Resource server. The server storing the financial data your app wants to obtain. In this case, the resource server is at Mikomo Financial.
- Authorization server. The server that handles permission granting (Mikomo’s server in this case).
How does it work?
There are several different types of OAuth flows. Akoya uses a three-legged OAuth process. We’ll illustrate this using the example of our fictitious end-user Emily granting permission for her financial institution to share data with your app via Akoya:
- Authorization request. The user initiates the process. The client (your app) sends Emily via Akoya to Mikomo’s authorization server, where she’s asked to grant specific permissions for her bank account data.
- Authorization code issued. Mikomo’s authorization server sends an authorization code by redirecting Emily’s browser to your page (redirect URI) with the auth code as a query param.
- Auth code exchanged for ID token. Your app exchanges the authorization code for an ID token. This token acts as that temporary passcode to your garage, except in this case, the garage is the account data that Emily has granted permission to share.
What is a redirect URI?
A redirect URI is one or more endpoints in your application where the user is sent after the resource server has granted (or not granted) access to data.
Per OAuth requirements, your redirect URI should:
- Be encrypted and secure (HTTPS).
- Be registered in the Data Recipient Hub.
Why are registered redirect URIs important?
Redirect URIs prevent:
- Redirection to malicious endpoints.
- Cross-site scripting (XSS) attacks.
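The three-legged flow above and the redirect URI rules in this section, worked through as an added example (this is illustrative code written for this page, not Akoya's or Mikomo's implementation). It pairs the client-side steps (build the authorization request with a fresh `state`, validate the callback, exchange the code) with a toy in-memory authorization server so the exchange can be run offline. The endpoint URLs, client id, client secret, scope name and the shape of the token response are all constructed placeholders; a real flow would send the exchange as an HTTPS POST to the provider's token endpoint rather than calling `server.token()` directly.

```python
"""Added example (not Akoya's code): the three-legged authorization-code flow
from the client's side, plus a toy authorization server so it runs offline.
All URLs, client ids, secrets and scopes below are constructed placeholders."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Redirect URIs the client registered out of band (constructed placeholder).
REGISTERED_REDIRECT_URIS = {"https://app.example.com/callback"}


class ToyAuthorizationServer:
    """Stand-in for the provider's authorization server. Issues one-time auth
    codes bound to the client and redirect URI they were requested for."""

    def __init__(self, client_id, client_secret, registered_redirect_uris):
        self.client_id = client_id
        self.client_secret = client_secret
        self.registered = set(registered_redirect_uris)
        self._codes = {}  # code -> (client_id, redirect_uri)

    def authorize(self, client_id, redirect_uri, state, user_approved=True):
        """Return the URL the server redirects the user's browser to."""
        if client_id != self.client_id or redirect_uri not in self.registered:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not user_approved:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, form):
        """Handle the back-channel exchange; a code is consumed on first use."""
        entry = self._codes.pop(form.get("code"), None)
        if entry is None:
            raise PermissionError("invalid or already used code")
        bound_client, bound_redirect = entry
        if (form.get("grant_type") != "authorization_code"
                or form.get("client_id") != bound_client
                or form.get("client_secret") != self.client_secret
                or form.get("redirect_uri") != bound_redirect):
            raise PermissionError("code/client/redirect_uri mismatch")
        return {"id_token": "toy.id.token." + secrets.token_hex(8), "token_type": "Bearer"}


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scope):
    """Step 1: send the user to the authorization server with a fresh state."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri must be one of the registered URIs")
    state = secrets.token_urlsafe(16)  # kept in the user's session, checked on return
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{auth_endpoint}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 2: the browser lands on the redirect URI; validate before trusting the code."""
    parsed = urlparse(callback_url)
    landing = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    # Exact match against the registered set, and HTTPS only (no prefix/wildcard matching).
    if parsed.scheme != "https" or landing not in REGISTERED_REDIRECT_URIS:
        raise ValueError("callback did not arrive on a registered HTTPS redirect URI")
    qs = parse_qs(parsed.query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not for this session")
    if "error" in qs:
        return None  # user declined; there is no code to exchange
    return qs["code"][0]


def exchange_code(server, code, client_id, client_secret, redirect_uri):
    """Step 3: trade the code for the ID token over the back channel."""
    return server.token({"grant_type": "authorization_code", "code": code,
                         "client_id": client_id, "client_secret": client_secret,
                         "redirect_uri": redirect_uri})["id_token"]


def run_flow(user_approved=True):
    """Drive all three legs end to end; returns the ID token, or None if declined."""
    client_id, secret = "client-123", "s3cr3t-placeholder"
    redirect_uri = "https://app.example.com/callback"
    server = ToyAuthorizationServer(client_id, secret, REGISTERED_REDIRECT_URIS)
    auth_url, state = build_authorization_url(
        "https://auth.example.test/authorize", client_id, redirect_uri, "accounts:read")
    req = parse_qs(urlparse(auth_url).query)  # what the server receives from the browser
    callback = server.authorize(req["client_id"][0], req["redirect_uri"][0],
                                req["state"][0], user_approved)
    code = parse_callback(callback, state)
    if code is None:
        return None
    return exchange_code(server, code, client_id, secret, redirect_uri)


if __name__ == "__main__":
    print("id_token:", run_flow())
    print("declined:", run_flow(user_approved=False))
```

Two points the code makes that the prose only implies: the `state` value ties the callback to the session that started the flow, so a response that was not requested by this user is rejected before any code is exchanged; and the redirect URI is compared by exact match against the registered set, both when the request is built and when the callback arrives, which is what keeps the authorization code from being delivered to an endpoint you do not control. The toy server also binds each code to the redirect URI and client it was issued for and discards it after one use.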
Resources
Change log
| Date | Update |
|---|---|
| 2024-Aug-06 | Added dev help resources. |
| 2024-Aug-02 | Original |
Need help?
Check out our Developer Community, or visit the Support Center in the Data Recipient Hub.
Looking for provider nuance documentation?
All provider nuance documentation is available in the Data providers section in the Data Recipient Hub.
Still stuck?
For all production issues, submit a support ticket through the Data Recipient Hub. Our support team is standing by 24/7. Questions and non-production issues will be answered during business hours.