Implementation of Instant action

[AlexLobaciov]

Summary:
We have different authentication flows in innovative financial world. To make the customer experience best for our clients with Strong Customer Authentication, it's necessary to introduce the "Instant action".

Where applied?

• Web Banking Authentication. (laptop/mobile)
• TPP app access to account information and payment initiation (AISP/PISP flows via redirect).

General feature overview (described flows):
Case 1: QR code/Deep link flow (scanning QR from laptop or accessing Deep Link from smartphone with Salt Edge Authenticator):

• Step 1: User sees any authentication page with a) credentials field(s) (either to just authenticate or give TPP access to account information or payment initiation via standard redirect flow), and b) a personalized QR code (or Deep Link) to authenticate with instruction to use Salt Edge Authenticator and scan the QR or (tap on Deep Link).
• Step 2: User either opens Salt Edge Authenticator to scan QR code (new button on “Authorizations” page) or accesses Deep link directly (from Mobile browser).
• Step 3 (optional): After QR code scanning or accessing Deep Link, in case user has more than 1 similar connection in Salt Edge Authenticator app, the app will show a pop-up window to select the specific Service Provider (Connection).
• Step 4: The Salt Edge Authenticator app shows “spinner” with title “Authenticating for action”.
• Step 5: If SCA is NOT required for specific action = the app shows final status “Successfully authenticated”. If SCA IS required then from loading screen user gets directly to the “Authorization request” screen.

Case 2: App-to-app authentication with deep link redirect flow from TPP app (switch to Salt Edge Authenticator while redirecting to the service provider authentication page, once initiated from TPP app)

• Step 1: User has to authenticate to allow TPP access to account information or payment initiation. TPP is either instantly using standard redirect flow, or proposes user to choose authentication method with 3 options: 1) use redirect link, 2) Scan QR code and 3) Deep Link to Salt Edge Authenticator (optional, if detected that user is from mobile browser).
• Step 2: User either scans QR code with Salt Edge Authenticator, or taps on “Deep Link”. Salt Edge Authenticator as a result starts processing the instant action right away.
• Step 3 (optional): After Deep Link processing, in case user has more than 1 similar connection in Salt Edge Authenticator app, the app will show a pop-up window to select the specific Service Provider (Connection).
• Step 4: The Salt Edge Authenticator app shows “spinner” with title “Authenticating for action”.
• Step 5: If SCA is NOT required for specific action = the app shows final status “Successfully authenticated”. If SCA IS required then from loading screen user gets directly to the “Authorization request” screen.

Workload (plan):
Realize logic for the "Instant action" by the following specifications:

• The Deep Link (QR code): are consisted of the “is_url” and “action_id”
• Salt Edge Authenticator app: has a new feature on “Authorizations” page - “Scan QR”.
  If SCA is NOT required for specific action = the app shows final status “Successfully authenticated”.
  If SCA IS required then from loading screen user gets directly to the “Authorization request” screen. Issues for Salt Edge authenticator:
  • Issue Android: https://github.com/saltedge/sca-authenticator-android/issues/81
  • Issue iOS: https://github.com/saltedge/sca-authenticator-ios/issues/62
• Identity Service: receives the request to “is_url” with “action_id” and “access_token”, processes the request. As soon as user is identified by the “access_token” Identity Service initiates an action which results in “authorization_request” to cover the SCA flow, if applicable.

Task - Identity Service:

• [x] Realize the API endpoint to accept and process the “is_url” and “action_id”;
• [x] Request to initiate action for identified user;
• [x] Provide either just response to the Salt Edge Authenticator when SCA is NOT required, or provide response and “authorization_id” if SCA IS required;
• [x] Create request-response example of 3 proposed options: send QR code, send Deep Link, send redirect_url;
• [ ] Describe the behavior in API documentation;
• [ ] @alex.lobaciov Describe the process in words on WIKI, and draw a sequence diagram with explanations;
• [ ] @alex.lobaciov Since we introduce the “Instant action”, our “Dynamic connect” feature can change name to “Instant enrollment”, having the word “instant” main for 2 new features.

[AlexLobaciov]

Implementation completed. Thank you! Closing