The following example illustrates the transaction approval of an e-banking system that uses Airlock IAM for authentication and transaction approval with Cronto Push.
Transaction approval using Cronto Push
- Authentication:
  - The user authenticates at Airlock IAM to access the e-banking system. After successful authentication, the user ID is propagated to the e-banking system. This step may contain the AuthTokenId.
- Transaction approval:
  - The user starts a transaction in the e-banking system, and the e-banking system decides that the transaction needs to be verified and approved.
  - The e-banking system selects the corresponding Airlock IAM transaction approval flow and identifies the user towards Airlock IAM.
  - Airlock IAM asks for the transaction data and receives it, together with the AuthTokenId, from the e-banking system.
  - Airlock IAM asks the e-banking system for an (offline fallback) OTP and pushes the transaction details to the user's mobile device.
  - The e-banking system polls Airlock IAM until the user has accepted or declined the transaction. It may also send the OTP entered by the user (offline fallback).
  - After the transaction approval, the e-banking system continues with the transaction processing.
Configuration
The configuration is the same as in the mTAN example, except that the last step is a Cronto step:
- As described above, the transaction approval process usually consists of the following steps:
  - The REST selection request of the back-end application; this has to be configured on the corresponding back-end.
  - The User Identification Step, which identifies the end-user in IAM.
  - The Transaction Approval Parameter Step, in which the back-end sends the transaction details to IAM.
  - The Cronto Step for Transaction Approval, which verifies the OTP code towards the corresponding back-end.
REST call sequence
The following REST call sequence shows how to use the transaction approval API from a REST client's point of view.
- In this simplified example:
  - Authentication information (e.g. the Basic Auth header) and other HTTP headers are not shown.
  - An AuthTokenId is not used.
  - The user has only one Cronto device, so no device selection step is shown.
  - The user's Cronto device allows push.
According to the flow diagram above, the HTTP REST requests and responses are as follows:
Step | Request/response type | HTTP request/response |
---|---|---|
Step 1 | HTTP request – Flow selection | POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/flows/cronto-ta-flow/select/ |
| HTTP response – Flow selection | HTTP/1.1 200 OK { "meta": { "type": "jsonapi.metadata.document", "timestamp": "2021-11-09T16:29:14.484+01:00" }, "data": { "type": "transaction-approval.session", "id": "627374595", "attributes": { "nextStep": "USERNAME_REQUIRED" } } } |
Step 2 | HTTP request – User identification step | POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/end-user/identify/ { "end-username" : "jdoe" } |
| HTTP response – User identification step | HTTP/1.1 200 OK { "meta": { "type": "jsonapi.metadata.document", "timestamp": "2021-11-09T16:29:24.484+01:00" }, "data": { "type": "transaction-approval.session", "id": "714784845", "attributes": { "nextStep": "PARAMETERS_REQUIRED" } } } |
Step 3 | HTTP request – Send transaction details | POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/parameters/ { "messageParameters" : { "accountNumber" : "0123456", "amount" : "9999", "currency" : "CHF" } } |
| HTTP response – Send transaction details | HTTP/1.1 200 OK { "meta": { "type": "jsonapi.metadata.document", "timestamp": "2021-11-09T16:37:48.747+01:00" }, "data": { "type": "transaction-approval.session", "id": "714784845", "attributes": { "nextStep": "CRONTO_OTP_REQUIRED" } } } |
Step 4 | HTTP request – Start polling for the result (approved or declined) | POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/cronto/otp/poll/ |
| HTTP response – Check OTP (on the user's approval) | HTTP/1.1 200 OK { "meta": { "type": "jsonapi.metadata.document", "timestamp": "2021-11-09T16:41:29.829+01:00" }, "data": { "type": "transaction-approval.session", "id": "202408261", "attributes": {} } } |
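The call sequence above, driven from the back-end's side as an added example (this is not Airlock's code): the client follows the `nextStep` value of each response, treats the documented final response with empty `attributes` as approval, and fails closed on anything else (non-200 status, a step it does not know, or too many polls). The `fake_iam` stand-in replays the responses shown on this page; since the page does not show the response for a poll while the user has not yet decided, the example assumes that such a poll answers with `nextStep` still set to `CRONTO_OTP_REQUIRED`.

```python
# Added example (not Airlock's code): a back-end client driving the documented Cronto Push flow.
BASE = "https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval"
STEPS = {  # nextStep value (from the documented responses) -> (endpoint, request body)
    "USERNAME_REQUIRED":   ("/end-user/identify/", lambda c: {"end-username": c["user"]}),
    "PARAMETERS_REQUIRED": ("/parameters/",        lambda c: {"messageParameters": c["tx"]}),
    "CRONTO_OTP_REQUIRED": ("/cronto/otp/poll/",   lambda c: None),
}

def next_step(doc):
    """Return nextStep of a transaction-approval.session document, or None when the flow is finished."""
    if doc.get("data", {}).get("type") != "transaction-approval.session":
        raise ValueError("unexpected response document type")
    return doc["data"]["attributes"].get("nextStep")

def approve(post, user, tx, flow="cronto-ta-flow", max_polls=30):
    """Walk select -> identify -> parameters -> poll; post(url, body) returns (status, json_doc)."""
    ctx, polls = {"user": user, "tx": tx}, 0
    status, doc = post(f"{BASE}/flows/{flow}/select/", None)
    while True:
        if status != 200:
            return {"approved": False, "reason": f"http {status}"}
        step = next_step(doc)
        if step is None:                       # documented final response: empty attributes
            return {"approved": True, "session": doc["data"]["id"]}
        if step not in STEPS:                  # fail closed on steps this client cannot handle
            return {"approved": False, "reason": f"unknown step {step}"}
        if step == "CRONTO_OTP_REQUIRED":
            polls += 1
            if polls > max_polls:              # bound the wait for the user's decision
                return {"approved": False, "reason": "poll timeout"}
        path, body = STEPS[step]
        status, doc = post(BASE + path, body(ctx))

def fake_iam(pending_polls=2):
    """Constructed stand-in for IAM; a poll before the user decided is ASSUMED to keep CRONTO_OTP_REQUIRED."""
    n = {"polls": 0}
    def session(step, sid):
        attrs = {"nextStep": step} if step else {}
        return 200, {"meta": {"type": "jsonapi.metadata.document"},
                     "data": {"type": "transaction-approval.session", "id": sid, "attributes": attrs}}
    def post(url, body):
        if url.endswith("/select/"):     return session("USERNAME_REQUIRED", "627374595")
        if url.endswith("/identify/"):   return session("PARAMETERS_REQUIRED", "714784845")
        if url.endswith("/parameters/"): return session("CRONTO_OTP_REQUIRED", "714784845")
        if url.endswith("/poll/"):
            n["polls"] += 1
            return session("CRONTO_OTP_REQUIRED" if n["polls"] <= pending_polls else None, "202408261")
        return 404, {}
    return post
```

`approve(fake_iam(), "jdoe", {"accountNumber": "0123456", "amount": "9999", "currency": "CHF"})` returns `{"approved": True, "session": "202408261"}`; with a real deployment, `post` would be a function that sends the request with the authentication headers this example omits.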