OAuth 2 is the industry-standard protocol for authorization. It allows apps to access consumer data on another system in a secure, controlled manner without exchanging passwords. An analogy is giving out a passcode that only allows access to your garage instead of a master key to your entire house. You’re only granting access to specific resources, and that access can be easily revoked at any time.
Three parties take part in the flow:

- Client. The app requesting access to financial data (your app in this case).
- Resource server. The server storing the financial data your app wants to obtain. In this case, the resource server is at Mikomo.
- Authorization server. The server that handles permission granting. In this case, Mikomo's server.
There are several different types of OAuth flows. We use a three-legged OAuth process. We’ll illustrate this using the example of our fictitious consumer granting permission for her financial institution to share data with your app via the Developer Interface:
1. Authorization request. The consumer initiates the process. The client (your app) sends the consumer via Akoya to Mikomo's authorization server, where she's asked to grant specific permissions for her bank account data.
2. Authorization code issued. Mikomo's authorization server sends an authorization code by redirecting the consumer's browser to your page (redirect URI) with the auth code as a query param.
3. Auth code exchanged for ID token. Your app exchanges the authorization code for an ID token. This token acts as that temporary passcode to your garage, except in this case, the garage is the account data that the consumer has granted permission to share.
A redirect URI is one or more endpoints in your application where the consumer is sent after the resource server has granted (or not granted) access to data.
Per OAuth requirements your redirect should:

- Be encrypted and secure (HTTPS).
- Be registered in the Data Recipient Hub.

Redirect URIs prevent:

- Redirection to malicious endpoints.
- Cross-site scripting (XSS) attacks.
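The three steps above and the redirect URI rules can be seen end to end in the following added example. It is not Akoya's or Mikomo's code: the endpoints, client ID, redirect URI and token values are constructed placeholders, and a toy in-memory authorization server stands in for Mikomo's so the flow runs offline. It shows the client building the authorization request with a `state` value, the authorization server refusing to send a code anywhere but a registered HTTPS redirect URI, the client checking `state` on the callback before redeeming the code, and the code being single-use and bound to the redirect URI it was issued for.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: the real Akoya/Mikomo endpoints are not part of this example.
AUTHORIZE_ENDPOINT = "https://authorization-server.example/auth"
TOKEN_ENDPOINT = "https://authorization-server.example/token"
CLIENT_ID = "your-client-id"
# What you would register in the Data Recipient Hub: HTTPS only, exact strings.
REGISTERED_REDIRECT_URIS = {"https://your-app.example/callback"}


def build_authorization_url(redirect_uri: str, state: str) -> str:
    """Step 1: the client sends the consumer to the authorization server.
    `state` is a random per-session value that binds the later callback to this request."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Stand-in for Mikomo's authorization server: issues one-time codes bound to a redirect URI."""

    def __init__(self, registered_redirects):
        self.registered = set(registered_redirects)
        self._codes = {}  # code -> redirect_uri the code was issued for

    def authorize(self, url: str) -> str:
        """Step 2: after the consumer consents, redirect her browser back with ?code=...&state=..."""
        q = parse_qs(urlparse(url).query)
        redirect_uri = q["redirect_uri"][0]
        # Only a registered HTTPS URI may receive the code; this is what blocks
        # redirection of the code to an unregistered endpoint.
        if urlparse(redirect_uri).scheme != "https" or redirect_uri not in self.registered:
            raise ValueError("unregistered or non-HTTPS redirect_uri")
        code = secrets.token_urlsafe(24)
        self._codes[code] = redirect_uri
        return f"{redirect_uri}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def exchange(self, code: str, redirect_uri: str, client_id: str) -> dict:
        """Step 3 (server side): redeem the code. pop() makes it single-use, and it must be
        presented with the same redirect_uri and client it was issued for."""
        issued_for = self._codes.pop(code, None)
        if issued_for is None or issued_for != redirect_uri or client_id != CLIENT_ID:
            raise ValueError("invalid, reused or mismatched authorization code")
        return {"id_token": "constructed.id.token", "token_type": "Bearer"}


def handle_callback(callback_url: str, expected_state: str, server: ToyAuthorizationServer) -> dict:
    """Client side of steps 2 and 3: verify `state` before redeeming the code."""
    parsed = urlparse(callback_url)
    redirect_uri = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    q = parse_qs(parsed.query)
    if "error" in q:
        raise PermissionError(q["error"][0])  # consumer declined or the server refused
    if not hmac.compare_digest(q.get("state", [""])[0], expected_state):
        # A callback whose state does not match the session's was not started by this
        # client session; discard it rather than redeem the code it carries.
        raise PermissionError("state mismatch, discarding callback")
    return server.exchange(q["code"][0], redirect_uri, CLIENT_ID)


def run_demo() -> dict:
    """Drive the happy path plus the three checks a reviewer would want to see enforced."""
    server = ToyAuthorizationServer(REGISTERED_REDIRECT_URIS)
    redirect_uri = "https://your-app.example/callback"
    state = secrets.token_urlsafe(16)  # a real app stores this in the consumer's session
    callback = server.authorize(build_authorization_url(redirect_uri, state))
    token = handle_callback(callback, state, server)

    def rejected(action, exc) -> bool:
        try:
            action()
        except exc:
            return True
        return False

    return {
        "token_type": token["token_type"],
        "reuse_rejected": rejected(lambda: handle_callback(callback, state, server), ValueError),
        "csrf_rejected": rejected(lambda: handle_callback(callback, "some-other-state", server), PermissionError),
        "bad_redirect_rejected": rejected(
            lambda: server.authorize(build_authorization_url("https://unregistered.example/cb", state)),
            ValueError,
        ),
    }


if __name__ == "__main__":
    print(run_demo())
```

In a real integration the `exchange` call is an HTTPS POST to the token endpoint rather than an in-process method, but the client-side checks are the same: compare `state` against the session value with a constant-time comparison, redeem each code exactly once, and send the same `redirect_uri` you used in the authorization request.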
| Date | Update |
|---|---|
| 2025-Jan-02 | Initial version |