From Yodlee's put providerAccount API documentation here
It says that I have to pass in loginForm data along with user's credentials:
5. If the credentials have to be updated in the Yodlee system, one of the following should be provided as input to this service:
a. LoginForm
b. Field array
6. The loginForm or the field array are the objects under the provider object that is obtained from the get provider details service response.
7. The credentials provided by the user should be embedded in the loginForm or field array object.
Questions
Does this mean I am expected to save or somehow have user's bank credentials stored?
When I go through the refresh flow on Fastlink, it somehow pre-fills the credentials and all I have to do is just click continue; how does Fastlink do that? if Fastlink can do this, my guess is that there is a programmatic way to do this
PUT providerAccounts can be used for three things:
You can initiate an update an account, this means you are asking Yodlee to connect to the bank and retrieve the latest details using credentials that Yodlee already have for that user's account.
You can update credentials(equivalent to edit flow of Fastlink), this is used for updating the password into Yodlee system if the user has changed their password at the bank website.
You can pass MFA information if required(for MFA sites) while updating or editing accounts.
Though, to answer your question:
1: No, you should definitely not store user's bank credentials. If your need is just to update user's account, you can initiate that update without passing loginForm or fieldArray. And if the use case is that you need to update user's password, you should ask the user to provide their credentials at the runtime.
2: You should just call PUT without passing any loginForm, that's what Fastlink refresh flow does.
Related
We have implemented the Custom Auth Triggers as described link here. We have the user pool set up to let users log in with either phone number or email.
The provided case is - the user has email & phone both verified in their Cognito account
The problem I am having is determining what medium (email or phone number) the user signed in
When observing the event passed into the define / create/verify auth triggers, it seems like doesn't pass through what the username was used to initiate the authentication flow.. only the user attributes which in my case there could be both email or phone. I need to know which one it is so I know if I need to send the code through SMS or Email.
I also read about ClientMetadata this key we can pass from in InitiateAuthCommandInput but it will provide a client metadata key only below these triggers
Pre signup
Pre-authentication
User migration
but it will not provide ClientMetadata in these triggers
Post authentication
Custom message
Pre token generation
Create auth challenge
Define auth challenge
Verify auth challenge
After googling it too much, I found an article which had a tricky solution:
here is the link
I am not able to implement the provided solution.
I found a similar question in stack overflow too Link but there is also no answer, Can anyone please help me with this.
This is a workaround by adding a custom attribute during passwordless login
Actually, the authenticationUser function needs to identify whether the user is adding email or phone during login
Step 1: during login process, before calling initiateAuthCommand, First set a custom attribute in Cognito user object - logged_in_by - email or phone
Step 2: once you add a key after that InitiateAuthCommand will be started and call the triggers
Step 3:
When createAuthChallenge runs at the time we will have userAttributes.logged_in_by.
If this attribute contains email this indicates that the user is trying to login with the email and we need to send OTP over email.
If this attribute contains phone this indicates that the user is trying to log in with the phone and we need to send OTP over the phone number.
Account Linking provides several ways of linking users to their own accounts such as their Google account or Twitter account.
I chose OAuth in Actions on Google website to do OAuth 2.0 Authorization Code Grant for obtaining access token in exchange for data resources. When I linked a user to a Google account Google Sign-In enabled, the fetching of user information was easy because the data is stored under payload, but OAuth implementation does not seem like it produces user data under payload inside User object.
So should I make an API call to the third party to fetch the user data and store that personal data to a database in this case? I wondered if there is a way that Google prepares on behalf of developers. If not, then greeting a user who visits my app again by saying 'Hello, {person name}' gets tedious...
You have two options with Account Linking.
In the case you describe, you're providing an OAuth endpoint and getting an auth token from the Assistant, and you are responsible for taking this token and using it to determine who the user is so you can get whatever you know about him. The token is one that you issue and control, so presumably you have that info in your database already. If you are reusing a token from another service, that service should be able to tell you who they are.
It sounds like you're using using a Google Sign In, however, in which case it is easier to use Google Sign In for Assistant. Once the user has signed into your service (either through an app or webapp) and granted permission to your service, then they will also be able to gain access through the Assistant. You will get an id token which can be decoded to get profile information about the user including their Google ID and name.
I am working on Yoodle and I am logging into a provider which needs a dynamic token after the login in. When I fill out the form, my provider redirects to another page giving me a number to encrypter in a electronic device. The electronic device is a safenet.
I am trying to follow these instructions.
I don't know if I need to invoke again the POST /providers/providerAccount or invoke PUT /providers/providerAccount
Pass the provider's login form with valid credentials to POST /{cobrandName}/v1/providerAccounts (Add Account API).
You have to poll GET /{cobrandName}/v1/providerAccounts/{providerAccountId} (Get Provider Account Details API) until you get MFA form.
Pass the MFA form with valid values to PUT /{cobrandName}/v1/providerAccounts (Update Account API)
Finally poll GET /{cobrandName}/v1/providerAccounts/{providerAccountId} (Get Provider Account Details API) to get final account addition status.
I'm trying to make a check for a specific user logging into Instagram and approving an app I've created. Is this possible?
Example flow :
User comes to my app
User clicks login/authenticate via Instagram
User logs in (or check is made if user is logged in via Instagram)
User is redirected to my app's callback URI.
When the user gets back to my app I would like to be able to check which user has authenticated - is this possible? At present I'm only able to get an access token.
Thanks for any help.
I've actually solved this by using the server-side flow mentioned in the API documentation (http://instagram.com/developer/authentication/) which gives me back a response including the details of the user logged in if following the extra step (code->access_code application, etc).
I also figured out what you mention above too, so both ways are good.
Thanks for you help.
The information is not directly returned to you in the OAuth process, but once you have the access token you can load user information using the https://api.instagram.com/v1/users/self/?access_token=XXXX endpoint. That will give you data about the currently logged in user (including ID and username)
I am currently developing an app using the Google places API..
https://developers.google.com/places/documentation/
I want to use the Events methods, so that a Place/Business owner can add events..
https://developers.google.com/places/documentation/actions#event_intro
However I obviously need to restrict it, so that only the Business owner can create events for their Business. Is there anyway of authenticating a user via a Google api, to confirm that they are the Place owner? I looked at Google+ however there is no reference to any 'Places' setup by that user in the people request.
Looks like this is possible now. The workflow would be the following:
Your user triggers a places search and selects a specific place in the result
Your user selects an option in your app to claim they are the owner of your place
Your user is redirected into an OAuth flow to Google Places where they login with their Google credentials
Once authenticated, your app is provided with an OAuth token for the user
Your app submits that token along with a Place reference to a Places API owner verification service
The Places API returns a yes/no as to whether the user concerned is the verified owner of the Place
Source - https://code.google.com/p/gmaps-api-issues/issues/detail?id=3894 - comment #3
Enjoy!