OPEN BANKING TALES FROM THE FRONTIER Anca Zaharia Jason Maude - - PowerPoint PPT Presentation

SLIDE 1

OPEN BANKING

TALES FROM THE FRONTIER

Jason Maude @jasonmaude Anca Zaharia @ancaleuca

SLIDE 2

What is open banking?

The legislation and associated technology that allow customers of financial institutions greater control of data that those institutions hold about them.

SLIDE 3

Who are Starling Bank?

  • Tech start-up with a banking licence
  • ~100% cloud-based, mobile-only
  • All the features that you’d expect from a current account and more
  • Public APIs & developer platform

SLIDE 4

Public APIs

  • Most actions that can be performed through the mobile apps are available
  • Allows individuals to connect up their bank account to their own code

SLIDE 5

The Starling Bank marketplace

  • Allows customers to securely connect to selected partners via their Starling Bank account
  • Providers of mortgages, pensions, savings and investments etc

SLIDE 6

LESSON 1: UNDERSTAND OAUTH 2

SLIDE 7

OAuth 2 overview

Diagram: Client, Auth server, User, Resource server

SLIDE 8

Client authentication

Diagram: Partner app, Auth web app

1. Redirect to https://oauth.starlingbank.com with:

  • client_id=$client_id
  • response_type=code
  • state=$state
  • redirect_uri=$redirect_uri

SLIDE 9

Client authentication

Diagram: Partner app, Auth web app, Starling app

1. Redirect
2. Send QR code

SLIDE 10

Client authorisation

Diagram: Partner app, Auth web app, Starling app

1. Redirect
2. Send QR code
3. Login, review permissions

SLIDE 11

Client authorisation

Diagram: Partner app, Auth web app, Starling app, Starling API

1. Redirect
2. Send QR code
3. Login, review permissions
4. Authorise
5. Generate auth code

SLIDE 12

Client authorisation

Diagram: Partner app, Auth web app, Starling app, Starling API

1. Redirect
2. Send QR code
3. Login, review permissions
4. Authorise
5. Generate auth code
6. Poll for auth code

SLIDE 13

Client authorisation

Diagram: Partner app, Auth web app, Starling app, Starling API

1. Redirect
2. Send QR code
3. Login, review permissions
4. Authorise
5. Generate auth code
6. Poll for auth code
7. Redirect to /redirect_uri with:

  • state=$state
  • code=$auth_code

SLIDE 14

Exchange auth code for access token

Diagram: Partner API, Starling API

POST https://api.starlingbank.com/oauth/access-token

Request

  • code=$auth_code
  • client_id=$client_id
  • client_secret=$client_secret
  • grant_type=authorization_code
  • redirect_uri=$redirect_uri

Response

  • access_token
  • refresh_token
  • token_type=Bearer
  • expires_in
  • scope

SLIDE 15

Use access token

Diagram: Partner API, Starling API

$ curl -H "Authorization: Bearer $access_token" https://api.starlingbank.com/api/v1/accounts/balance
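The partner-app side of slides 8 to 15, as an added example in Python that is not Starling's or the speakers' code: it builds the step-1 redirect with a fresh `state`, checks that `state` on the step-7 redirect before accepting the code, prepares the body for the token exchange, and records tokens with an absolute expiry so expired ones can be deleted (slide 18). The in-memory dict store and the explicit `now` argument are assumptions made for testability; nothing here performs network I/O.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_URL = "https://oauth.starlingbank.com"
TOKEN_URL = "https://api.starlingbank.com/oauth/access-token"

def build_authorize_url(client_id, redirect_uri):
    # Step 1: redirect to the auth web app. `state` is a fresh unguessable
    # value that the partner keeps in the user's session until step 7.
    state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "response_type": "code",
              "state": state, "redirect_uri": redirect_uri}
    return f"{AUTH_URL}?{urlencode(params)}", state

def code_from_redirect(callback_url, expected_state):
    # Step 7: /redirect_uri receives state and code. Accept the code only if
    # state matches this session, so a code from another flow is rejected.
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect not tied to this session")
    return params["code"][0]

def token_request(code, client_id, client_secret, redirect_uri):
    # Body of the POST to TOKEN_URL, sent partner API to Starling API so the
    # client_secret never reaches the browser or the mobile app.
    return {"code": code, "client_id": client_id,
            "client_secret": client_secret,
            "grant_type": "authorization_code", "redirect_uri": redirect_uri}

def store_token(store, user_id, response, now):
    # Assumed in-memory store. Keep an absolute expiry derived from
    # expires_in so later checks do not depend on when the reply arrived.
    store[user_id] = {"access_token": response["access_token"],
                      "refresh_token": response["refresh_token"],
                      "expires_at": now + response["expires_in"],
                      "scope": set(response["scope"].split())}

def purge_expired(store, now):
    # Slide 18: delete expired tokens instead of keeping them; returns count.
    dead = [u for u, t in store.items() if now >= t["expires_at"]]
    for u in dead:
        del store[u]
    return len(dead)
```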

SLIDE 16

Example screens for Wealthify using 2-way OAuth flow

SLIDE 17

Additional security

  • Highly sensitive requests (e.g., payment instructions) must be signed

SLIDE 18

Token storage

  • Don’t forget to delete expired tokens

SLIDE 19

LESSON 2: YOU CAN’T ALWAYS CONNECT

SLIDE 20

Things will go wrong

SLIDE 21

Losing requests and responses

Diagram: Starling API, Partner API; Request, Request, Response

SLIDE 22

DITTO architecture

The system must ensure that every instruction from a user is actioned at least once and at most once

SLIDE 23

Losing requests - at least once

Diagram: Starling API, Partner API; Request

SLIDE 24

Losing responses - at most once

Diagram: Starling API, Partner API; Request, Response
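The at-least-once and at-most-once halves from slides 22 to 24 worked through together, as an added example in Python (not Starling's DITTO code, whose internals the talk does not show): the sender retries until it receives a response, while the receiver de-duplicates on an idempotency key and replays the stored response, so a lost request or a lost response never produces a second payment. The `LossyLink` fault injector, the key format and the payment instruction are constructed for the example.

```python
class PartnerPaymentAPI:
    """Receiving side (at most once): an instruction is executed only the
    first time its idempotency key is seen; later attempts get the stored
    response replayed instead of a second side effect."""

    def __init__(self):
        self._responses = {}   # idempotency key -> response already sent
        self.executed = []     # constructed record of real side effects

    def submit(self, idempotency_key, instruction):
        if idempotency_key in self._responses:
            return self._responses[idempotency_key]
        self.executed.append(instruction)
        response = {"status": "ACCEPTED", "ref": f"pay-{len(self.executed)}"}
        self._responses[idempotency_key] = response
        return response


class LossyLink:
    """Constructed fault injector between the two APIs. `faults` holds one
    entry per attempt: "request" (never reaches the partner), "response"
    (partner acted, reply never came back) or None (clean round trip)."""

    def __init__(self, api, faults):
        self.api = api
        self._faults = list(faults)

    def call(self, key, instruction):
        fault = self._faults.pop(0) if self._faults else None
        if fault == "request":
            raise TimeoutError("request lost before reaching the partner")
        response = self.api.submit(key, instruction)
        if fault == "response":
            raise TimeoutError("response lost on the way back")
        return response


def send_at_least_once(link, key, instruction, max_attempts=5):
    """Sending side (at least once): retry on timeout, reusing the same key
    every time so the retries are safe against the receiver above."""
    for _ in range(max_attempts):
        try:
            return link.call(key, instruction)
        except TimeoutError:
            continue
    # Retries exhausted: the outcome is unknown, so the caller must
    # reconcile rather than assume the payment failed.
    raise RuntimeError(f"no response for {key} after {max_attempts} attempts")
```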

SLIDE 25

LESSON 3: MAKE TESTING EASY

SLIDE 26

SLIDE 27

Personal access

Developer Portal account Starling Bank account

SLIDE 28

Personal access

$ curl -H "Authorization: Bearer <personal access token>" https://api.starlingbank.com/api/v1/transactions

SLIDE 29

What if I want more?

SLIDE 30

Play in the sandbox

SLIDE 31

LESSON 4: WORK ON YOUR PERMISSIONS MODEL

SLIDE 32

Permission model v1

  • Tier 1: Read financial
  • Tier 2: Read personal
  • Tier 3: Write financial
  • Tier 4: Create payees
  • Tier 5: Make payments

SLIDE 33

Permission model v2

  • Create Payees
  • Edit Metadata
  • Create Local Payment
  • Read Address
  • Read Transactions
  • Delete DD Mandates
  • Read Balance
  • Create Savings Goal

SLIDE 34

Displaying permissions

SLIDE 35

LESSON 5: MONITOR YOUR API

SLIDE 36

Monitoring and observability stack

  • Elasticsearch
  • Logstash
  • Kibana
  • Alertmanager
  • Elastalert
  • Pagerduty
  • Prometheus
  • Grafana
  • Instana

SLIDE 37

SLIDE 38

SLIDE 39

THE FUTURE

SLIDE 40

Open integration platform

Diagram: Starling API, Partner API, Open integration platform

SLIDE 41

Share your identity confirmation

Diagram: Starling API, Partner API; KYC

SLIDE 42

Key takeaways

  • Lesson 1: Understand OAuth
  • Lesson 2: You can’t always connect
  • Lesson 3: Make testing easy
  • Lesson 4: Work on your permissions model
  • Lesson 5: Monitor your API

SLIDE 43

Thank you!

Check out the Starling Developer Podcast!

https://developer.starlingbank.com

@ancaleuca @jasonmaude