20.1.9. Transaction approval with Cronto Push

The following example illustrates transaction approval of an e-banking system that uses Airlock IAM for authentication and transaction approval with Cronto Push.

Flow diagram

Example 1: Transaction approval using Cronto Push (flow diagram; image not reproduced here)

  • Authentication:
    • The user authenticates at Airlock IAM to access the e-banking system.
    • After successful authentication, the user ID is propagated to the e-banking system. This step may also carry the AuthTokenId.
  • Transaction Approval:
    • The e-banking system decides that a transaction needs to be verified.
    • Step 1: Start transaction approval by identifying the user to IAM.
    • Step 2: Send the transaction details to the IAM transaction approval REST API.
      • IAM pushes the transaction details to the user's phone.
      • IAM answers the REST call and asks for an OTP code as an offline alternative to push.
    • Step 3: The e-banking system polls IAM until the user has accepted or declined the transaction. It may also send the OTP entered by the user (offline fallback).

Configuration

The configuration is the same as in the mTAN example, except that the last step is a Cronto step:

Figure 4: Transaction approval flow configuration with a Cronto step as the last step (screenshot not reproduced here)

REST call sequence

The following REST call sequence shows how to use the transaction approval API from a REST client's point of view.

To keep the example simple and readable:

  • authentication information (e.g. the Basic Auth header) and other HTTP headers are not shown.
  • an AuthTokenId is not used in this example.
  • the user has just one Cronto device, so no device selection step is shown.
  • the user's Cronto device allows "push".

Step 1 - HTTP Request - User identifying step

POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/user/identify/
{
    "username" : "jdoe"
}

Step 1 - HTTP Response - User identifying step

HTTP/1.1 200 OK

{
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2018-11-13T13:36:25.542+01:00"
    },
    "data": {
        "type": "transaction-approval.session",
        "id": "714784845",
        "attributes": {
            "nextStep": "PARAMETERS_REQUIRED"
        }
    }
}

Step 2 - HTTP Request - Send transaction details

POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/parameters/
{
    "messageParameters" : {
        "accountNumber" : "0123456",
        "amount" : "9999",
        "currency" : "CHF"
    }
}

Step 2 - HTTP Response - Send transaction details

HTTP/1.1 200 OK

{
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2018-11-13T13:36:41.796+01:00"
    },
    "data": {
        "type": "transaction-approval.session",
        "id": "714784845",
        "attributes": {
            "nextStep": "CRONTO_OTP_REQUIRED"
        }
    }
}

Start polling for the result:

Step 3 - HTTP Request - Cronto approval

POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/cronto/otp/poll/

Keep polling until the transaction is approved or denied.
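The following is an added example, not Airlock IAM code, of how an e-banking backend can drive the three REST calls above. The request bodies and the response envelope for steps 1 and 2 are taken from the page; the response of the poll call is not shown on the page, so the "still pending" value (nextStep unchanged at CRONTO_OTP_REQUIRED), the terminal values APPROVED and DENIED, and the {"otp": ...} fallback body are assumptions made for this example. The transport is abstracted as a post function so a constructed fake IAM can stand in for the real host; in production that function would wrap an HTTP client and add the Basic Auth header the page omits. The client verifies that the session id stays the same across all three steps and bounds the number of polls, so an unanswered push cannot keep a transaction open indefinitely.

```python
# Added example (not Airlock IAM's own code): e-banking-side client for the
# three-step Cronto Push transaction approval sequence documented above.
# ASSUMPTIONS (not on the page): poll response uses the same envelope, nextStep
# stays "CRONTO_OTP_REQUIRED" while pending, ends with "APPROVED"/"DENIED",
# and the offline OTP fallback is sent as {"otp": "<code>"}.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

BASE = "https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval"
TERMINAL_STEPS = ("APPROVED", "DENIED")  # assumed terminal values


@dataclass
class HttpResponse:
    status: int
    body: dict


# Transport: (url, json_body) -> HttpResponse. Wrap e.g. requests.Session.post here.
PostFn = Callable[[str, Optional[dict]], HttpResponse]


class ApprovalError(Exception):
    """The IAM session did not progress as the documented flow expects."""


class TransactionApprovalClient:
    def __init__(self, post: PostFn, max_polls: int = 30):
        self._post = post
        self._max_polls = max_polls

    def _call(self, path: str, body: Optional[dict] = None) -> Tuple[str, Optional[str]]:
        """POST one step and return (session id, nextStep) from the documented envelope."""
        resp = self._post(BASE + path, body)
        if resp.status != 200:
            raise ApprovalError(f"{path}: HTTP {resp.status}")
        data = resp.body.get("data", {})
        if data.get("type") != "transaction-approval.session":
            raise ApprovalError(f"{path}: unexpected document type {data.get('type')!r}")
        return data["id"], data.get("attributes", {}).get("nextStep")

    def approve(self, username: str, message_parameters: Dict[str, str],
                otp: Optional[str] = None) -> str:
        # Step 1: identify the user; IAM opens an approval session.
        session_id, next_step = self._call("/user/identify/", {"username": username})
        if next_step != "PARAMETERS_REQUIRED":
            raise ApprovalError(f"after identify expected PARAMETERS_REQUIRED, got {next_step!r}")
        # Step 2: send the details exactly as displayed to the user (what the phone shows
        # is what gets approved); IAM pushes them to the Cronto device.
        sid, next_step = self._call("/parameters/", {"messageParameters": message_parameters})
        if sid != session_id:
            raise ApprovalError("session id changed between identify and parameters")
        if next_step != "CRONTO_OTP_REQUIRED":
            raise ApprovalError(f"after parameters expected CRONTO_OTP_REQUIRED, got {next_step!r}")
        # Step 3: poll until approved or denied, with a hard upper bound on attempts.
        body = {"otp": otp} if otp is not None else None  # assumed offline-fallback body
        for _ in range(self._max_polls):
            sid, next_step = self._call("/cronto/otp/poll/", body)
            if sid != session_id:
                raise ApprovalError("session id changed while polling")
            if next_step in TERMINAL_STEPS:
                return next_step
        raise ApprovalError(f"no decision after {self._max_polls} polls; abort the transaction")


class FakeIam:
    """Constructed stand-in for IAM: replays the page's step 1/2 responses and a
    scripted list of (assumed) poll outcomes; an exhausted script means 'still pending'."""
    SESSION_ID = "714784845"  # session id from the page

    def __init__(self, poll_outcomes: List[str]):
        self._polls = iter(poll_outcomes)
        self.requests: List[Tuple[str, Optional[dict]]] = []

    @classmethod
    def _doc(cls, next_step: str) -> dict:
        return {"meta": {"type": "jsonapi.metadata.document",
                         "timestamp": "2018-11-13T13:36:25.542+01:00"},
                "data": {"type": "transaction-approval.session",
                         "id": cls.SESSION_ID,
                         "attributes": {"nextStep": next_step}}}

    def post(self, url: str, body: Optional[dict]) -> HttpResponse:
        self.requests.append((url, body))
        if url.endswith("/user/identify/"):
            return HttpResponse(200, self._doc("PARAMETERS_REQUIRED"))
        if url.endswith("/parameters/"):
            return HttpResponse(200, self._doc("CRONTO_OTP_REQUIRED"))
        if url.endswith("/cronto/otp/poll/"):
            return HttpResponse(200, self._doc(next(self._polls, "CRONTO_OTP_REQUIRED")))
        return HttpResponse(404, {})


TX = {"accountNumber": "0123456", "amount": "9999", "currency": "CHF"}  # from the page

if __name__ == "__main__":
    iam = FakeIam(["CRONTO_OTP_REQUIRED", "CRONTO_OTP_REQUIRED", "APPROVED"])
    print(TransactionApprovalClient(iam.post, max_polls=5).approve("jdoe", TX))
```

Run as a script it prints APPROVED after two pending polls; with a fake that never decides, approve raises ApprovalError once the polling budget is spent, which is the point at which the e-banking system should treat the transaction as not approved.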