Tavant FinConnect
Application security is a procedural method to protect applications from external threats. Countermeasures are the actions taken to ensure application security. An application firewall is the most basic software countermeasure; it limits the execution of files or the handling of data by specific installed programs. Elastic Load Balancer (ELB) is the most common hardware countermeasure; it prevents the IP address of an individual computer from being directly visible on the Internet. Other countermeasures include authentication systems.
FinConnect Authentication Services is built on OAuth (Open Authorization) with role-based access. OAuth is an open standard for token-based authentication and authorization on the Internet, used for access delegation: it lets Internet users grant other websites or applications access to their information without handing over their passwords.
FinConnect supports the following grant types:
The client_credentials grant is used by the client to obtain an access token without any user context. It is required when the application must perform bookkeeping activity (such as changing the registered URL) or gather statistics. Use a client such as the Postman Chrome extension to make the POST request for the client_credentials grant:
http://<base application path>/userauth/oauth/token?grant_type=client_credentials
Note: grant_type=client_credentials, and base application path = <protocol>:<dnsname>/fchub/rest
The access token has a short lifespan and expires unless it is refreshed. The token response includes a parameter giving the token's validity period in seconds. All FinConnect requests must include the access token in the header, and the token must be refreshed before it expires. If a protected resource is accessed with an expired token, the system responds with a token-expiry message; once expired, a new token must be requested.
Once the user has received an access token from the password grant, the refresh can be performed with a POST request from the Postman Chrome extension as follows.
Set grant_type=refresh_token and supply the refresh_token value received in the password-grant response.
Use Basic authentication in Postman, providing the client ID and client secret as the credentials:
User Name: Username (Client ID)
Password: Password (Client Secret)
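The token handling described above (Basic-authenticated POST to the token endpoint, tracking expires_in, renewing with the refresh_token before expiry, and falling back to a fresh grant) as an added example in Python; this is illustrative code, not FinConnect's own client. The host in TOKEN_URL, the "Bearer" scheme for the request header, the 30-second renewal skew and the injectable post() callable are assumptions, and the form fields are sent in the POST body as RFC 6749 specifies rather than in the query string shown above.

```python
import base64
import time
import urllib.parse

# Assumed token endpoint; substitute the real base application path
TOKEN_URL = "https://fchub.example.invalid/fchub/rest/userauth/oauth/token"
EXPIRY_SKEW = 30  # renew this many seconds before expires_in elapses (assumed margin)


def basic_auth_header(client_id, client_secret):
    """HTTP Basic header carrying the client ID and client secret, as Postman sends it."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded"}


def token_request(client_id, client_secret, form):
    """(url, headers, body) for a POST to the token endpoint with the given form fields."""
    return TOKEN_URL, basic_auth_header(client_id, client_secret), urllib.parse.urlencode(form)


class TokenManager:
    """Caches an access token and renews it before it expires."""

    def __init__(self, post, client_id, client_secret, initial_form, clock=time.time):
        # post(url, headers, body) -> parsed JSON dict; injectable so it can be faked offline
        self.post, self.cid, self.secret, self.clock = post, client_id, client_secret, clock
        self.initial_form = initial_form          # e.g. {"grant_type": "client_credentials"}
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + float(resp["expires_in"])

    def get_token(self):
        if self.access_token and self.clock() < self.expires_at - EXPIRY_SKEW:
            return self.access_token                      # still valid, reuse it
        if self.refresh_token:                            # password grant gave us one
            form = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
        else:                                             # otherwise request a fresh token
            form = self.initial_form
        self._store(self.post(*token_request(self.cid, self.secret, form)))
        return self.access_token

    def auth_header(self):
        """The header every FinConnect request must carry (Bearer scheme assumed)."""
        return {"Authorization": "Bearer " + self.get_token()}
```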
FinConnect APIs are not publicly available on the Internet. Any system intending to access them must have its public IP address whitelisted, which ensures that the APIs are accessed from trusted sources only.
HTTPS is the secure version of HTTP, the protocol over which data is sent between the browser and the website the user is connected to. The 'S' at the end of HTTPS stands for 'Secure': all communication between the browser and the website is encrypted. HTTPS is commonly used to protect highly confidential online transactions.
All communication with the FinConnect APIs is over HTTPS.
FinConnect APIs are run against several vulnerability assessment (VA) tools, including Sonar, Checkmarx, and Fortify. This process involves both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) products.