Authentication
Point of Banking Authentication
This section explains what kind of authentication mechanism between Green Dot and POB partners is supported.
Green Dot supports below three kinds of authentication mechanisms:
- Certificate-Based
- OAuth 2.0
- Basic Authentication Based User Name and Password
Certificate-Based Authentication
Certificate-based authentication is the use of a Digital Certificate to identify a user, machine, or device before granting access to a resource, network, application, etc.
POB partnersneed to sign GreenDot's CSR (Certificate Signing Request), and setup the certificate on yourserver for decryption, this will be followed up by Green Dot’s System Engineer team.
OAuth 2.0 for Authentication
This API allows partner to accept OAuth request from Green Dot, and needs be exposed by POB partners. OAuth 2.0 protocol is the industry-standard protocol for authorization.
To begin, Green Dot:
- Obtains OAuth 2.0 client credentials from POB partners' by secure Email (Non-Prod and Prod).
- Then, Green Dot client application requests an access token from the POB partner Authorization Server, extracts a token from the response, and sends the token to the POB partner's API.
Note: If you choose OAuth 2.0 authentication, Green Dot will need your OAuth credentials. For non-production environments, the Green Dot technical team also needs these credentials for testing.
Please contact your Green Dot Product Owner for assistance.
Endpoint:
POST ~/oauth2/token
SLA Response and Resolution Time
1s
Request Parameters
Parameter Name | Type | Format | Required | Description |
---|---|---|---|---|
Content-Type | string | Header | Required | "application/x-www-form-urlencoded" |
client_id | string | Body | Required | The id of the application that asks for authorization. It will be providedbyPOBpartner |
client_secret | string | Body | Required | A secret known only to your application and the authorization server.It will be providedbyPOBpartner |
grant_type | string | Body | Required | The grant type for this flow, always pass "client_credentials". |
scope | string | Body | Required | A space-delimited list of permissions that the application requires. Value is "general". |
Response Parameters
If this POST request gets authorization success, the following response fields will be returned along with a 200 HTTP Response Code
Parameter Name | Type | Required | Description |
---|---|---|---|
access_token | string | Required | Encapsulating the security identity of a process or thread. A token is used to make security decisions and to store tamper-proof information for system entity. |
token_type | string | Required | Methods to get access tokens from the authorization server are called grants. Here we expect "Bearer" as token type. |
expires_in | int | Required | The lifetime in seconds of the access token |
scope | string | Required | A space-delimited list of permissions that the token containing, default we expect full access permissions for all POB partner APIs. |
If this POST request gets authorization fails, the following response fields will be returned along with related HTTP response codes and error codes
Parameter Name | Type | Required | Description |
---|---|---|---|
error | string | Required | The error code |
error_description | string | Required | The error message |
Sample Request
curl --location --request POST 'https://{base_url}/v1/oauth2/token' \--header 'Content-Type: application/x-www-form-urlencoded' \--data-urlencode 'client_id=<CLIENT_ID>' \--data-urlencode 'client_secret=<CLIENT_SECRET>' \--data-urlencode 'grant_type=client_credentials' \--data-urlencode 'scope=general'
Sample Response
Success
{"access_token": "xxxxxx","token_type": "Bearer","expires_in": 86400,"scope": "general"}
Unsupported grant type
{"error": "UNSUPPORTED_GRANT_TYPE","error_description": "An invalid string for grant_type field has beenused." }
Invalid grant type
{"error": "INVALID_GRANT_TYPE","error_description": "An invalid code when exchanging an authorization code for an access_token."}
Invalid client
{"error": "INVALID_CLIENT","error_description": "Either your client_id or client_secret is invalid."}
Basic Authentication Based User Name and Password
Basic authentication is where a client sends a request with the client credentials in the Authorization header. The credentials are formatted as the string "name:password", base64- encoded. The credentials are not encrypted.
For additional information refer to: https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/basic-authentication
For example, to authorize when name is "demo", password is "p@55w0rd", credentials are formatted as the string " demo: p@55w0rd ", base64-encoded as ” ZGVtbzpwQDU1dzByA==”, the client would send the following: Authorization: Basic ZGVtbzpwQDU1dzByA==
Note: POB partners need to provide name and password.
Updated 2 months ago