Versions Compared

Old Version 18

changes.mady.by.user Vedat Ekiz

Saved on

compared with

New Version Current

changes.mady.by.user Pavel Shkadzko

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Page Properties
hiddentrue

Status

Status
colourYellow
titlefor review

Approver

Pavel Shkadzko

...

  • trusted

    Your application communicates with Gini Pay API via a common backend that runs on a trusted device. Each request states which user the request is made for via the application's user identifierincludes the application’s user identifier to specify the user associated with the request. No account management is required.

  • untrusted

    On the first API usage, your application(or Gini Bank SDK) creates an anonymous Gini user in the background and uses those the account credentials for subsequent requests. This works best for (mobile) applications where the app communicates directly with Gini Pay API on an from some untrusted device.

...

Communicating with Gini Pay API via backend/gateway

...

This authentication scheme is based on HTTP Basic Authentication. Your application needs to use HTTP Basic Authentication to authenticate itself with Gini Pay API. Additionally, another header called X-User-Identifier is sent together with the Authorization header in one request. This header is used by the API to identify individual users. Your application is free to choose whatever value it wants for the header, as long as the following constraints are met:

  • Each user's identifier must be unique.

  • Once set for a user, the identifier must remain the same.

...

This authentication schema is based on Json Web Token’s. Your In order to authenticate itself with Gini Pay API, your application acts as an identity provider and , creates a JWT access token and send sends it in the X-JWT-Authorization http HTTP header with Bearer prefix along with an the actual request to authenticate itself with Gini Pay API. Gini Pay API will then validate this access token to ensure the request is being sent from the a trusted source. To enable the validation by Gini Pay API, you need to expose jwk-set endpoint which is accessible from the Gini system.

...

The payload of the JWT access token should at least include the following claims:

Claim Name

Description

iss

mandatory

The value holds the issuer of the identity provider.

...

<user_identifier_claim_name>

mandatory

The value holds a hash which identifies the user, same as X-User-Identifier in the basic authentication schema. Claim name is configurable at Gini backend.

<client_id_claim_name>

mandatory

The value holds the client id that communicates with Gini backend, same as client-id in the basic authentication schema. Claim name is configurable at Gini backend.

<client_secret_claim_name>

optional

The value holds the client secret that communicates with Gini backend, same as secret in the basic authentication schema. The existence of the claim and the claim name is configurable at Gini backend.

Example of JWT claim content with the configuration:

user_identifier_claim_name=x-user-identifier

client_id_claim_name=x-client-id

client_secret_claim_name=x-client-secret

Code Block
languagejson
{
  ...
  "exp": 2025803444,
  "iss": "http://issuer-url-of-your-identity-provider",
  "typ": "Bearer",
  "x-user-identifier": "user1",
  "x-client-secret": "clientId",
  "x-client-id": "<clientSecret>",
  ...
}

Finally sample Example of the actual get documents request:

...

The jwk-set endpoint is used to retrieve the JSON Web Key (JWK) Set set from the Authorization Server, which contains the cryptographic key(s) used to verify the JSON Web Signature (JWS) of the access token.

Sample Example request to the jwk-set endpoint:

Code Block
curl --location "http://<your-identity-provider-jwk-set-url>"

Sample Example response from jwk-set endpoint:

...

Direct communication between client devices and Gini Pay API

Gini offers the User Center API (UC API) to work with Gini users. Here is a quick step-by-step guide that outlines how to create and use a new anonymous Gini account.

...

You should already have the client ID client-id and the client secret client-secret. They authorize your client (with HTTP Basic Authentication) to obtain the client access token, see the example on the right.

See Authenticate Client.

Code Block
languagejson
//obtain the client token

curl -v -H 'Accept: application/json'
    -u 'client-id:client-secret'
    'https://user.gini.net/oauth/token?grant_type=client_credentials'
the successful response will have HTTP status 200 and the client access token 1eb7ca49-d99f-40cb-b86d-8dd689ca2345 will be returned

{
  "access_token":"1eb7ca49-d99f-40cb-b86d-8dd689ca2345",
  "token_type":"bearer","expires_in":43199,"scope":"read"
}

...

Once the client access token is successfully obtained, it's time to create a new user. For that, we require two more values: a username and a password. The username should be represented by a correct email address whose domain part is easily linkable to your application. For example, if your company is called Example Inc. then app.example.org would be a good domain name to use for your application's user accounts.

See Create New User.

Code Block
languagejson
//create a new user

curl -v -X POST --data '{"email":"random@example.org", "password":"geheim"}'
    -H 'Content-Type: application/json'
    -H 'Accept: application/json'
    -H 'Authorization: BEARER 1eb7ca49-d99f-40cb-b86d-8dd689ca2345'
    'https://user.gini.net/api/users'

...