Transaction approval with Cronto Push

The following example illustrates the transaction approval of an e-banking system that uses Airlock IAM for authentication and transaction approval with Cronto Push.


Example 1 - Transaction approval using Cronto Push
  1. Authentication:
     a. The user authenticates at Airlock IAM to access the e-banking system. After successful authentication, the user ID is propagated to the e-banking system. This step may contain the AuthTokenId.
  2. Transaction approval:
     a. The user starts a transaction in the e-banking system, and the e-banking system decides that the transaction needs to be verified and approved.
     b. The e-banking system selects the corresponding Airlock IAM transaction approval flow and identifies the user towards Airlock IAM.
     c. Airlock IAM asks for transaction data and receives these data together with the AuthTokenId from the e-banking system.
     d. Airlock IAM asks the e-banking system for an (offline fallback) OTP and pushes the transaction details to the user's mobile device. Note that depending on the Cronto Transaction Approval Step configuration, the information is pushed only to one or to all mobile devices of the user.
     e. The e-banking system polls Airlock IAM until the user accepts or declines the transaction. It may also send the OTP entered by the user (offline fallback).
     f. After the transaction approval, the e-banking system continues with the transaction processing.

Configuration

The configuration is the same as in the mTAN example except that the last step is a Cronto step:

Cronto Transaction Flow example configuration
As described above, the transaction approval process usually consists of the following steps:
  1. REST selection request of the back-end application – this has to be configured on the corresponding back-end.
  2. The User Identification Step, to identify the end-user in IAM.
  3. The Transaction Approval Parameter Step, in which the back-end sends transaction details to IAM.
  4. The Cronto Transaction Approval Step, to verify the OTP code towards the corresponding back-end.

REST call sequence

The following REST call sequence shows how to use the transaction approval API from a REST client's point of view.

In this simplified example:
  • Authentication information (e.g. Basic Auth header) and other HTTP headers are not shown.
  • An AuthTokenId is not used in this example.
  • The user has just one Cronto device; therefore no device selection step is shown.
  • The user's Cronto device allows push.

[Flow diagram: Transaction-Approval-Cronto-Simple]

According to the flow diagram above, the HTTP REST requests and responses are as follows:

Step | Request/response type | HTTP request/response

Step 1

HTTP request – Flow selection

POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/flows/cronto-ta-flow/select/

HTTP response – Flow selection

HTTP/1.1 200 OK
{
  "meta": {
     "type": "jsonapi.metadata.document",
     "timestamp": "2021-11-09T16:29:14.484+01:00"
  },
  "data": {
     "type": "transaction-approval.session",
     "id": "627374595",
     "attributes": {
        "nextStep": "USERNAME_REQUIRED"
     }
  }
}

Step 2

HTTP request – User identifying step

POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/end-user/identify/
{
    "end-username" : "jdoe"
}

HTTP response – User identifying step

HTTP/1.1 200 OK

{
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2021-11-09T16:29:24.484+01:00"
    },
    "data": {
        "type": "transaction-approval.session",
        "id": "714784845",
        "attributes": {
            "nextStep": "PARAMETERS_REQUIRED"
        }
    }
}

Step 3

HTTP request – Send transaction details

POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/parameters/
{
    "messageParameters": {
        "accountNumber": "0123456",
        "amount": "9999",
        "currency": "CHF"
    }
}

HTTP response – Send transaction details

HTTP/1.1 200 OK

{
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2021-11-09T16:37:48.747+01:00"
    },
    "data": {
        "type": "transaction-approval.session",
        "id": "714784845",
        "attributes": {
            "nextStep": "CRONTO_OTP_REQUIRED"
        }
    }
}

Step 4

HTTP request – Start polling for the result (approved or declined)

POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/cronto/otp/poll/

HTTP response – Check OTP (on user's approval)

HTTP/1.1 200 OK

{
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2021-11-09T16:41:29.829+01:00"
    },
    "data": {
        "type": "transaction-approval.session",
        "id": "202408261",
        "attributes": {}
    }
}
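As an added example (not Airlock IAM's own code), the following minimal back-end client drives the four-step sequence above and only reports success once IAM signals the user's approval; the HTTP transport is injected, and `FakeIam` is a constructed stand-in returning the responses shown on this page. It assumes that while the user has not yet decided, the poll endpoint keeps reporting `nextStep` `CRONTO_OTP_REQUIRED`, and that a decline surfaces as a non-200 status; both are assumptions, not documented behaviour.

```python
BASE = "/auth-transaction-approval/rest/transaction-approval"


class ApprovalError(Exception):
    """Raised when IAM does not report the state the back-end expects."""


class TransactionApprovalClient:
    """Drives select -> identify -> parameters -> poll; post() is injected."""

    def __init__(self, post, flow="cronto-ta-flow"):
        self.post = post  # post(path, body_or_None) -> (http_status, json_dict)
        self.flow = flow

    def _next_step(self, path, body):
        status, doc = self.post(path, body)
        if status != 200:
            raise ApprovalError(f"{path}: HTTP {status}")
        return doc.get("data", {}).get("attributes", {}).get("nextStep")

    def _step(self, path, body, expected):
        got = self._next_step(path, body)
        if got != expected:  # never advance the flow on an unexpected state
            raise ApprovalError(f"{path}: expected {expected}, got {got!r}")

    def approve(self, username, params, max_polls=5):
        """Return True only when IAM reports approval; raise otherwise."""
        self._step(f"{BASE}/flows/{self.flow}/select/", None, "USERNAME_REQUIRED")
        self._step(f"{BASE}/end-user/identify/", {"end-username": username}, "PARAMETERS_REQUIRED")
        self._step(f"{BASE}/parameters/", {"messageParameters": params}, "CRONTO_OTP_REQUIRED")
        for _ in range(max_polls):
            step = self._next_step(f"{BASE}/cronto/otp/poll/", None)
            if step is None:  # Step 4 above: 200 with empty attributes = approved
                return True
            if step != "CRONTO_OTP_REQUIRED":  # assumption: pending polls repeat this step
                raise ApprovalError(f"unexpected poll state {step!r}")
        raise ApprovalError("user did not decide within the polling budget")


class FakeIam:
    """Constructed stand-in for IAM; replays the responses from the table above."""
    NEXT = {"/select/": "USERNAME_REQUIRED", "/identify/": "PARAMETERS_REQUIRED",
            "/parameters/": "CRONTO_OTP_REQUIRED"}

    def __init__(self, decision="approve", decides_after=2):
        self.decision, self.polls_left = decision, decides_after

    def post(self, path, body):
        session = {"type": "transaction-approval.session", "id": "714784845"}
        for suffix, step in self.NEXT.items():
            if path.endswith(suffix):
                return 200, {"data": {**session, "attributes": {"nextStep": step}}}
        if self.polls_left > 0:  # assumption: still pending -> CRONTO_OTP_REQUIRED
            self.polls_left -= 1
            return 200, {"data": {**session, "attributes": {"nextStep": "CRONTO_OTP_REQUIRED"}}}
        if self.decision == "approve":
            return 200, {"data": {**session, "id": "202408261", "attributes": {}}}
        return 403, {"meta": {"type": "jsonapi.metadata.document"}}  # constructed: declined
```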