Generate strong access token

📘

Strong customer authentication

Strong Customer Authentication (SCA) is a critical security protocol designed to protect financial transactions from fraud and unauthorised access. In the context of NoFrixion's MoneyMoov API, SCA is implemented to ensure the highest level of security during the payout process. This section explains how SCA works in our system and the steps involved in the authentication process.

What is Strong Customer Authentication?
SCA is a requirement of the PSD2 regulation in the European Union. It mandates a two-factor authentication process for online payments and financial transactions. This means that to complete a transaction, a user must provide at least two of the following three forms of identification:

Knowledge: Something only the user knows (e.g., a password or PIN).
Possession: Something only the user possesses (e.g., a mobile phone or security token).
Inherence: Something inherent to the user (e.g., a fingerprint or facial recognition).

Pre-requisites

1. Set up MFA on NoFrixion Identity Server

Before an authoriser can authorise an entity in MoneyMoov, they must set up MFA on the NoFrixion Identity Server. Here's how this is done:

  1. Navigate to NoFrixion Identity server's Manage your account page.
  2. Setup a security key or one time password under Two-factor authentication section.

1. Generate authorisation link

In MoneyMoov, certain entities require authorisation through strong customer authentication. Following are the steps to generate an authorisation link, which authorisers use to review the entity and authorise requests. It ensures a streamlined and secure process for submitting the entity for processing.

i. Authorisation type

In MoneyMoov, entity types that necessitate this level of authorisation are:

  • Payout
  • BatchPayout
  • Beneficiary
  • Rule

To authorise these entities, a query parameter named ApprovalType must be included in your request, set to one of these specific entity types.

ii. Callback URL

This is the url on your server that NoFrixion Identity server will call with the OAuth authorisation code and state set. Example: https://yourserver.com/NoFrixion/Authorise/Callback. Query parameters to this url are as follows:

  1. code: If successful this will contain the OAuth2 code that can be used to acquire an access token from the identity server.
  2. state: If successful this will contain the OAuth2 state that can be used to verify the callback in response to a genuine authorisation generated from your application.
  3. id: Only set if the callback is for a cancellation and contains the ID of the entity that was being authorised.
  4. approveType: Only set if the callback is for a cancellation and contains the type of authorisation that was taking place. Refer (i) Authorisation type for the values this can contain.
  5. cancelled: Set to true if the authorisation operation was cancelled.

iii. State

The state parameter is used in OAuth and OpenID Connect authentication flows. It helps in preventing CSRF attacks. By verifying that the state in the response matches the state sent in the request, the application ensures that the response is to the request it made and not a forged request. When the state is passed as a query parameter to the NoFrixion identity server, it is part of an authentication request. The identity server will send back this state value in its response. Your application will then validate this returned state against the one it sent to ensure the authenticity and integrity of the response.

iv. Client ID

The Client ID is a unique identifier for your application on NoFrixion's identity server, essential for implementing the OAuth2 authentication flow. It ensures secure communication between your app and NoFrixion's server. If you don't have a Client ID, you can obtain one by contacting NoFrixion's support team at [email protected], necessary for accessing their services securely.

v. Generate authorisation link

Once you've gathered all the necessary parameters, you can generate the authorisation link using this format: https://identity-sandbox.nofrixion.com/approve?ClientID=[CLIENT_ID]&State=[STATE]&ReturnUrl=[CALLBACK_URL]

public string GenerateAuthorizationUrl()
{
    var urlBuilder = new StringBuilder();

    urlBuilder.Append($"https://identity-sandbox.nofrixion.com/approve");
    urlBuilder.Append($"?ClientID=<CLIENT_ID>");
    urlBuilder.Append($"&State={<YOUR_APPLICATION_ARBITRARY_STATE>}");
    urlBuilder.Append($"&ReturnUrl={<YOUR_SERVER_CALLBACK_URL>}");

    return urlBuilder.ToString();
}
function generateAuthorizationUrl() {
    const clientId = "<CLIENT_ID>"; // Replace with your client ID
    const state = "<YOUR_APPLICATION_ARBITRARY_STATE>"; // Replace with your application's arbitrary state
    const returnUrl = "<YOUR_SERVER_CALLBACK_URL>"; // Replace with your server's callback URL

    // Constructing the URL
    let urlBuilder = "https://identity-sandbox.nofrixion.com/approve";
    urlBuilder += `?ClientID=${encodeURIComponent(clientId)}`;
    urlBuilder += `&State=${encodeURIComponent(state)}`;
    urlBuilder += `&ReturnUrl=${encodeURIComponent(returnUrl)}`;

    return urlBuilder;
}

// Example usage
console.log(generateAuthorizationUrl());

def generate_authorization_url():
    base_url = "https://identity-sandbox.nofrixion.com/approve"
    client_id = "<CLIENT_ID>"  # Replace with your actual Client ID
    state = "<YOUR_APPLICATION_ARBITRARY_STATE>"  # Replace with your state value
    return_url = "<YOUR_SERVER_CALLBACK_URL>"  # Replace with your server callback URL

    # Constructing the URL
    url = f"{base_url}?ClientID={client_id}&State={state}&ReturnUrl={return_url}"

    return url

# Example usage
auth_url = generate_authorization_url()
print(auth_url)

2. Authorise the entity to receive OAuth authentication code

In this step, an authoriser visits the link generated in step 1 to verify the information about the entity they're about to authorise. This process involves checking the specifics of the entity to ensure it's correct and safe. Once satisfied, they grant permission to the entity. Subsequently, this action triggers a response to the previously mentioned callback URL (from step 1), including specific query parameters as outlined. This step is crucial for completing the OAuth authentication process, where the entity is officially authorized to receive an authentication code.

3. Requesting strong access token

After receiving the OAuth authorisation code and state from NoFrixion's identity server, you can request an access token by providing your client ID, secret, and the received code. This access token is special and is necessary to securely submit a payout. With this token, you're enabled to make an API request to process the payout.

NoFrixion identity server token URL: https://identity-sandbox.nofrixion.com/connect/token