Yodlee MFA flow - yodlee

I need your help regarding the MFA flow. Could you tell me please if there is a list of institutions that use MFA, or if it is possible to get one?
I have found a site that looks like it has MFA; at least it has such data within the response (siteSearchString):
"mfaType":{"typeId":4,"typeName":"SECURITY_QUESTION"},"mfaCoverage":"FMPA"
But when I get the site login form with this siteID, I get a simple login form with
"isMFA": false
When I try addSiteAccount using this siteId, I get this error:
{
"errorOccurred": "true",
"exceptionType": "com.yodlee.core.IllegalArgumentValueException",
"referenceCode": "_23e71a23-4298-4d86-9271-be9ada8892b0",
"message": "Multiple exceptions encapsulated within: invoke getWrappedExceptions for details"
}
It looks like this call requires real credentials for this institution. Am I right? If so, are there any test banks or other financial institutions that use MFA, so that we can use them in development mode and not interact with real ones?
I have found a useful generator, so the question about test accounts is solved.
Please correct me if I am missing something in the MFA flow.
Thanks!

The isMFA: false value present in the login form does not make a site MFA.
This value, "mfaType":{"typeId":4,"typeName":"SECURITY_QUESTION"},"mfaCoverage":"FMPA", represents whether a site is MFA or not.
The exception which you are getting is coming because the login form parameters are not passed correctly in the addSiteAccount API.
You should use the getSiteLoginForm API to get the login form for a site and then construct the request for addSiteAccount.
Also, I would suggest you go through the API flow to understand the sequence of APIs to be used correctly.

Related

how to fetch events data from LinkedIn APIs?

I am trying to fetch events data through the LinkedIn API, but it's throwing this error even though I passed the access token in my header. One more thing: I am using Postman to create API calls.
I am using this URL to call the API:
https://api.linkedin.com/v2/events
{
"serviceErrorCode": 0,
"message": "Resource events does not exist",
"status": 404
}
I am rather new to working with these complex APIs, please help me.
I read some more about it and it's written there that one needs some special permissions to use event data: the "r_events_leadgen_automation" permission is required. But how do I get this permission? There is nothing in the docs about this.
You need to create an app and then request access to the Marketing Developer Platform under the Permissions tab. However, getting this access is not easy. You need to fill out and submit a detailed form asking questions about your business and what you intend to do with the access. And you may need to ask for more access after all. I have never gone that far.
You can find more information here.

Yodlee Site cannot be refresh

I'm trying to test the MFA in Yodlee with the dummy account DagBankTokenFMPA. I let the MFA time out and now every time I try to refresh I get the same error:
{
"siteRefreshStatus": {"siteRefreshStatusId": 10, "siteRefreshStatus": "SITE_CANNOT_BE_REFRESHED"},
"siteRefreshMode": {"refreshModeId": 1, "refreshMode": "MFA"},
"updateInitTime": 0,
"nextUpdate": 2047149073,
"code": 522,
"suggestedFlowReason": {"suggestedFlowReasonId": 2, "suggestedFlowReason": "ACCOUNT_IN_ERROR"},
"suggestedFlow": {"suggestedFlowId": 3, "suggestedFlow": "EDIT"},
"itemRefreshInfo": [
  {
  "memItemId": 10088102,
  "itemSuggestedFlow": {"suggestedFlowId": 3, "suggestedFlow": "EDIT"},
  "itemSuggestedFlowReason": {"suggestedFlowReasonId": 2, "suggestedFlowReason": "ACCOUNT_IN_ERROR"},
  "errorCode": 522,
  "retryCount": 1
  }
],
"noOfRetry": 1,
"isMFAInputRequired": true
}
How can I prevent that? Do I need to stop the refresh with stopRefresh and start over?
In this case you need to call the updateSiteAccountCredentials API and just pass the details again; this will trigger a refresh, and then you need to call getMFAResponseForSite to see what MFA information is required by the bank.
To add more, it seems like you are mixing two sets of APIs here. We recommend using either the container-based APIs or the site-based set of APIs, in conjunction with the Core APIs, which are common to both.

Multi-Step MFA Authentication

I've noticed some institutions have a multi-step MFA, for example the first MFA question will be a "token style" request for a phone number, which after submitting, the user gets a text and needs to respond with a token. How does one detect this situation and submit the final step to Yodlee?
OK, this is what Yodlee calls a "multi level" MFA. You can use DagMultilevel to test this. When checking for an MFA request, this must be in a loop, such that you keep checking after each MFA response to see if "isMessageAvailable" is true.
Along with "isMessageAvailable" you should be checking the error code too: if the error code is not null then there is no more MFA present.
If the error code is 0 then the request was successful; otherwise it failed with an error.
You can check those error codes on this page: https://developer.yodlee.com/FAQs/Error_Codes
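The polling loop described in this answer (and the getMFAResponseForSite step from the refresh thread above), as an added example that is not Yodlee's code: the field names isMessageAvailable and errorCode come from the thread, while FakeMfaSite, the fieldInfo shape, the method names and the round cap are assumptions made for this illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

class FakeMfaSite:
    """Constructed stand-in for a multi-level test site such as DagMultilevel:
    it hands out prompts in order (e.g. phone number, then SMS token) and
    reports errorCode 0 once every reply has been received."""
    def __init__(self, prompts: List[str], final_code: int = 0):
        self.prompts = list(prompts)
        self.replies: List[str] = []
        self.final_code = final_code   # 0 = success, anything else = failed

    def get_mfa_response(self) -> Dict:
        # Stands in for getMFAResponseForSite (fieldInfo shape is assumed).
        if self.prompts:
            return {"isMessageAvailable": True, "errorCode": None,
                    "fieldInfo": {"displayString": self.prompts[0]}}
        return {"isMessageAvailable": False, "errorCode": self.final_code}

    def submit_mfa_reply(self, reply: str) -> None:
        # Stands in for the call that posts the user's MFA answer (name assumed).
        if not self.prompts:
            raise RuntimeError("no MFA prompt is pending")
        self.prompts.pop(0)
        self.replies.append(reply)

def drive_mfa(site, answer: Callable[[str], str],
              max_rounds: int = 5) -> Tuple[bool, Optional[int], int]:
    """Keep polling until the site reports a non-null error code.
    Returns (succeeded, error_code, rounds_used). A non-null code means no
    further MFA; 0 is success, any other value is a failure to surface."""
    for rounds in range(1, max_rounds + 1):
        status = site.get_mfa_response()
        err = status.get("errorCode")
        if err is not None:
            return err == 0, err, rounds
        if status.get("isMessageAvailable"):
            prompt = status["fieldInfo"]["displayString"]
            site.submit_mfa_reply(answer(prompt))
        # else: the bank has not produced the next prompt yet; poll again.
    # Gave up: treat like the timed-out MFA from the refresh thread and
    # fall back to updateSiteAccountCredentials rather than looping forever.
    return False, None, max_rounds

ANSWERS = {"Phone number": "555-0100", "Token": "123456"}   # constructed

def demo(final_code: int = 0) -> Tuple[bool, Optional[int], int]:
    site = FakeMfaSite(["Phone number", "Token"], final_code)
    return drive_mfa(site, lambda p: ANSWERS[p])
```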

Facebook Login without JSSDK, how to get token if already authorized previously

So I am updating an older desktop app (written in VB, .NET 4.0) with Facebook integration and followed the guide found here, and have been able to successfully get a token (by parsing the URI of the embedded webview if it contains "token="). Now my problem is if I try to log in with a Facebook account that has already approved the app in a prior session, the webview just gets redirected to https://www.facebook.com/connect/login_success.html without any token information.
Do I HAVE to log all of the tokens I generate manually (i.e. on successful token generation, I can call their profile info, use their FB ID as key and save the token)? Even if I do, since the email and password are input directly into the Facebook login window, how do I check if the user already has a token?
Thanks in advance
The access token can change any time, you need to get it every time. After getting the token, I immediately get the user information https://graph.facebook.com/me?access_token=??? and use that ID to find their database information.
I couldn't quickly find Facebook information but on Google's OAuth information it says "The access token is also associated with a limited scope that defines the kind of data your client application has access to (for example "Manage your tasks"). An important goal for OAuth 2.0 is to provide secure and convenient access to the protected data, while minimizing the potential impact if an access token is stolen."
https://code.google.com/p/google-api-php-client/wiki/OAuth2
OK so I finally figured it out myself. My mistake was apparently requesting the access_token directly (i.e. https://www.facebook.com/dialog/oauth?response_type=token...) to try and save time.
I fixed it by making a request for a 'code' instead (i.e. https://www.facebook.com/dialog/oauth?response_type=code), which I then use to make a second request to retrieve an access token as documented here: https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/, "Exchanging code for an access token" section a bit lower on the page.
Hope this helps someone in the future; this was very frustrating on my part.
Regards,
Prince
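The two redirect shapes this thread contrasts (response_type=token puts the token in the URL fragment, response_type=code puts a code in the query) and the follow-up exchange request, as an added example that is not the poster's VB code. The login_success URL and both response_type values are from the thread; the Graph token endpoint is the one Facebook documented for the no-JSSDK flow (confirm the current versioned path), and the state check is an assumed anti-CSRF addition. Because the exchange needs the app secret, it belongs on a server you control rather than inside the distributed desktop binary.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_SUCCESS = "https://www.facebook.com/connect/login_success.html"
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"  # per FB docs at the time

def parse_redirect(url: str, expected_state: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Classify the URL the embedded webview landed on.

    ("code", value)   response_type=code: the code is in the ?query
    ("token", value)  response_type=token: the token is in the #fragment, so a
                      parser that only reads the query sees nothing
    ("error", why)    the dialog reported an error, or the state did not match
    ("none", None)    bare landing page, the symptom described in the question
    """
    if not url.startswith(LOGIN_SUCCESS):
        return ("none", None)
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)
    if "error" in query or "error" in fragment:
        where = query if "error" in query else fragment
        return ("error", where.get("error_description", where["error"])[0])
    if expected_state is not None:
        # state is a random value this client generated before opening the
        # dialog (assumed here); a mismatch means the redirect is not ours.
        seen = (query.get("state") or fragment.get("state") or [None])[0]
        if seen != expected_state:
            return ("error", "state mismatch")
    if "code" in query:
        return ("code", query["code"][0])
    if "access_token" in fragment:
        return ("token", fragment["access_token"][0])
    return ("none", None)

def token_exchange_url(code: str, client_id: str, client_secret: str,
                       redirect_uri: str = LOGIN_SUCCESS) -> str:
    """Second request of the code flow ("Exchanging code for an access token").
    redirect_uri must be byte-for-byte the one used in the dialog request."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "client_secret": client_secret, "code": code}
    return TOKEN_ENDPOINT + "?" + urlencode(params)
```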

GITkit "Account Chooser" Questions

Has anyone successfully implemented the Google Identity Toolkit, an implementation of an Account Chooser? I followed the initial steps here, but I still have a few questions, as I don't quite know how to handle the entire data flow. I'm using Clojure / Compojure in the back-end:
http://havethunk.wordpress.com/2011/08/10/google-identity-toolkit-asp-net-mvc3/
http://code.google.com/apis/identitytoolkit/v1/acguide.html
A) I don't quite understand how ID Provider authentication fits into my data model:
when implementing the callbackURL, what data should I expect, and
how is that session state managed by GITkit (and all Account Choosers)?
B) Is there a way to set up the 'callbackURL' for development?
The identity provider would need a URL that it can redirect back to.
C) How can the GITkit / Account Chooser workflow let my users register an account that's native to my app?
Thanks in advance
The questions aren't entirely clear, but I've done an implementation of GITkit in ruby and can give you some pointers.
A) The callback URL is what handles the assertion from the identity providers. Right now GITkit only does OpenID, so the URL will contain an OpenID response either in the query parameters or as the POST body. You'll need to do a few things:
1) Call verifyAssertion in the GITkit API and pass the params/post body. This will return a JSON response that contains the user details (assuming the assertion is valid). There are some other checks you should do as well.
2) Decide what to do with the assertion. If it is an existing user, most likely you'll just establish a session and save the user ID. If it's a new user, you can either create a new account and start a session immediately, or defer that and redirect them to a signup page.
3) Render HTML/JS to notify the widget. There are different status codes and data you can return that changes the flow.
GITKit itself doesn't really manage session state, that's up to your app. Some of the reference implementations have code to help, but it's not part of the API. The widget does have some state that you can control with JS (add account, show as logged in, etc) and uses local storage in the browser.
The docs give some details and example code for how this should be implemented.
B) Of course. The URL is just configured in the JavaScript widget when you call setConfig(). It can be set to localhost or any staging server for development. So long as your browser can reach it, you're OK.
C) By "native", I assume you mean where they're signing up with just a username/password instead of using an IDP. If so, the user just has to enter their email address when logging in. If that email address matches a known IDP it'll attempt to authenticate with OpenID, otherwise if it's a new user it'll redirect to whatever signup page you configured in the widget. That signup page would just ask the user to create a password like you normally would. You should also return whether or not accounts are 'legacy' (password) accounts in the userStatus checks.
Hope that helps.
For anyone's future reference, I was able to resolve the issue. You can follow this thread on how it's done in Clojure.
I got it working with Ring/Compojure, and another fellow showed me his solution in Webnoir.
HTH