Example Authentication using OpenID Connect
Although the ID Tokens must adhere to the OpenID Connect standard, it is entirely up to you how you create them (through a standard OpenID Connect flow or through some other custom means). Assuming that your Bank App is a native mobile application, we provide an example below using the OpenID Connect Authorization Code Flow with Proof Key for Code Exchange (PKCE):
1. We assume that the End User is already logged in to your Bank App, and that this means a session is established with the Authorization Server that will be used to generate ID Tokens for the Impact Finance Web App.
2. Using PKCE, there is no need to store a client secret in the Bank App, nor to use the unsafe Implicit Flow. Instead, a temporary Code Verifier and a Code Challenge are generated by the Bank App. Furthermore, it is assumed that a dedicated Client ID exists for the purpose of generating tokens for the Impact Finance Web App. (This is important to make sure that the ID Tokens cannot be used for anything other than authentication in DES.)
3. The Bank App sends an Authorization Code Request to the Authorization Server with the additional `code_challenge` parameter. To ensure a seamless user experience where the End User is not even aware that the Impact Finance Web App is hosted outside of their Bank App, it is important to make sure that this request can be processed without asking the End User for either authentication or consent. Different Authorization Servers handle this differently. In some cases an organization-wide consent can be configured. In others it might be a good idea to specify `prompt=none` to tell the Authorization Server to skip the consent step. This, together with the assumption that the End User already has an authenticated session established (step 1), should ensure that the Authorization Code Request can be handled fully behind the scenes without involving the End User.
4. The Authorization Server responds with a `code`.
5. The Bank App gets the ID Token from the Authorization Server by sending a Token Request with the additional `code_verifier` parameter.
6. The Authorization Server verifies the `code_verifier` before...
7. ...returning the ID Token.
8. The Bank App can now launch the Impact Finance Web App by handing the ID Token to the SDK.
9. Behind the scenes, this means a `POST` request to `/users/verify_token` with `token` and `locale` in the request body.
10. The DES Backend fetches the public key corresponding to the asymmetric key pair used to sign the ID Token.
11. The DES Backend validates the token, issues a session cookie and redirects into the Web App upon success.
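The Bank App side of steps 2 to 7 (Code Verifier and Code Challenge generation, the Authorization Code Request with `prompt=none`, the Token Request with `code_verifier`) and the Authorization Server's check of the verifier, as an added example that is not the Bank App's, the SDK's or DES's own code. The endpoint URLs, Client ID and redirect URI are assumed placeholders; the S256 challenge method is RFC 7636's, and the check on the server side is the one a compliant Authorization Server performs.

```python
"""PKCE (RFC 7636) for the Authorization Code Flow described above.

Added example, not the Bank App's or DES's own code. Endpoint URLs, the
Client ID and the redirect URI below are assumed placeholders.
"""
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# Assumed values (not from the page): replace with your Authorization Server's.
AUTHORIZATION_ENDPOINT = "https://as.example.test/authorize"
TOKEN_ENDPOINT = "https://as.example.test/token"
CLIENT_ID = "impact-finance-web-app"             # the dedicated Client ID (step 2)
REDIRECT_URI = "com.example.bankapp:/oauth2cb"   # assumed native-app redirect URI

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Fresh, unguessable Code Verifier (32 random bytes -> 43 characters)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 Code Challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(code_challenge: str, state: str, nonce: str) -> str:
    """Step 3: Authorization Code Request URL, with code_challenge and prompt=none."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,                   # binds the redirect back to this request
        "nonce": nonce,                   # must be echoed back in the ID Token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "prompt": "none",                 # no login or consent UI (see step 3)
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 5: form body of the Token Request; no client secret is involved."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def authorization_server_checks_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Step 6, Authorization Server side: recompute S256 over the presented verifier
    and compare it in constant time with the challenge stored alongside the code."""
    if not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(build_authorization_request(challenge, secrets.token_urlsafe(16), secrets.token_urlsafe(16)))
    # The Authorization Server redirects back with ?code=...&state=...; "constructed-code" stands in for it.
    print(build_token_request("constructed-code", verifier))
    print(authorization_server_checks_verifier(challenge, verifier))
```

The verifier is kept only in the Bank App's memory for the duration of the flow and is sent once, in the Token Request; the Authorization Server needs no shared secret to bind the `code` to the app that requested it, which is what makes the flow safe for a native app that cannot protect a client secret.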
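The DES Backend side of steps 10 and 11, as an added example that is not DES's own code: select the signing key from the Authorization Server's JWKS by the token header's `kid`, refuse anything but an asymmetric algorithm, and check the ID Token claims (issuer, audience, expiry, nonce) after the signature has been verified. The JWKS document, issuer, Client ID and token below are constructed placeholders; signature verification with the selected key is left to the JOSE library you use and is not repeated here.

```python
"""ID Token key lookup and claim validation (steps 10 and 11).

Added example, not DES's own code. The JWKS, issuer, Client ID and token are
constructed; the signature check itself belongs to your JOSE library.
"""
import base64
import json
import time

ALLOWED_ALGS = {"RS256", "ES256"}   # asymmetric only; never "none" or HS*

# Constructed sample JWKS, shaped like what an Authorization Server serves at its
# jwks_uri. The RSA modulus values are placeholders.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "2023-key", "use": "sig", "alg": "RS256", "n": "<placeholder>", "e": "AQAB"},
    {"kty": "RSA", "kid": "2024-key", "use": "sig", "alg": "RS256", "n": "<placeholder>", "e": "AQAB"},
]}


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def constructed_token(header: dict, payload: dict) -> str:
    """Demo only: a compact JWS with a placeholder signature (it would fail signature verification)."""
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def split_jwt(token: str) -> tuple:
    """Return (header, payload) of a compact JWS; the signature segment is not interpreted here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def select_signing_key(jwks: dict, header: dict) -> dict:
    """Step 10: pick the public key whose kid matches the token header."""
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("rejected alg %r" % header.get("alg"))
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == header.get("kid") and jwk.get("use", "sig") == "sig":
            return jwk
    raise LookupError("no signing key with kid %r" % header.get("kid"))


def validate_id_token_claims(claims: dict, issuer: str, client_id: str, nonce: str,
                             now: float = None, leeway: int = 60) -> bool:
    """Step 11 claim checks (OpenID Connect Core 3.1.3.7), run after signature verification."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("token not intended for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp missing or wrong for a multi-audience token")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return True


if __name__ == "__main__":
    header = {"alg": "RS256", "kid": "2024-key", "typ": "JWT"}
    payload = {"iss": "https://as.example.test", "aud": "impact-finance-web-app", "sub": "user-1",
               "exp": 1700000600, "iat": 1700000000, "nonce": "n1"}
    hdr, claims = split_jwt(constructed_token(header, payload))
    print(select_signing_key(SAMPLE_JWKS, hdr)["kid"])
    print(validate_id_token_claims(claims, "https://as.example.test", "impact-finance-web-app", "n1", now=1700000300))
```

The `aud` check is what enforces the dedicated Client ID from step 2: a token minted for any other client is rejected even if it is otherwise valid, so an ID Token cannot be replayed into DES from another integration. Cache the JWKS but refetch it on an unknown `kid`, since Authorization Servers rotate signing keys.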