Consumer API - Cards - banno-digital-toolkit

I have completed the Build Your First Plugin tutorial and that’s all working fine. I have retrieved my account using the Consumer API with the Node.js Express app and from the command line with curl.
The Accounts API seems rather straightforward. Now I’m trying to determine how I go about retrieving the debit cards associated with my account?
I’m looking at the OpenAPI / Swagger stuff, but I’m not sure how to get Cards API to work exactly.
Accounts - From the Accounts API doc, I copied this userId, 01234567-abcd-4321-fedc-9876543210fa, to use in the Cards API.
Cards
The Cards API is used to perform actions related to credit/debit cards.
As you can see in this screenshot, I pasted the userId that I copied from the Accounts API doc.
Cards API screenshot - The response was a 401:
“Failed to determine Banno auth type”
I suspect this has something to do with selecting the proper OpenID scopes?
I clicked the lock icon next to the Basic Cards API Get button. I selected the two OpenID scopes that it showed as being required?
CardControls-ReadOnly
CardControls-ReadWrite
When I click the Authorize button it redirects to the digital.garden-fi.com site, but I don’t recall seeing a user name and password that I can use to test.
I obviously didn’t want to put my personal information into this site just to create an account to test with.

There are a few different things to unpack in your question, so I'll do my best to separate things out.
1) To use the Consumer API's Cards endpoints, you'll definitely need to use the correct OAuth scopes when beginning the authentication flow.
For example, for the GET /users/{userId}/cards endpoint, you'll need to use either the https://api.banno.com/consumer/auth/cardcontrols.readonly or https://api.banno.com/consumer/auth/cardcontrols.readwrite scope. You only need one of them, not both.
This is what you would need to use as a curl command in the Terminal, for example:
curl -X 'GET' \
'https://[CONSUMER_API_ENVIRONMENT]/a/consumer/api/v0/users/{userId}/cards' \
-H 'accept: application/json' \
-H 'Authorization: Bearer [YOUR_ACCESS_TOKEN]'
...where:
CONSUMER_API_ENVIRONMENT is specific to your financial institution and matches with Banno Online for your institution
userId is the ID for the User.
YOUR_ACCESS_TOKEN is your Access Token from the authentication flow (in JWT format)
Notably, you will need to use the userId for your user. Your question mentioned using 01234567-abcd-4321-fedc-9876543210fa, but from what I see that's not the ID of an actual user but is instead an example of how such an ID would be formatted. Apologies for the confusion.
2) The 'Interactive' API Reference
The 'interactive' API Reference that you're using is meant to be used with a demo financial institution that we have named Garden (https://www.garden-fi.com).
From what I can tell in your description, it sounds like you don't have a user nor API credentials for the Garden demo institution. Which is okay, because it's actually preferable for you to use a user and API credentials within your own financial institution.
Based on the fact that you've already gone through the Build Your First Plugin quickstart, it sounds like you've already got your own user and API credentials set up in your financial institution's Banno environment (which is actually ideal for what you're trying to do).
Again, apologies for the confusion.
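The two causes of the 401 named in the answer (a token without a cardcontrols scope, and the documentation's placeholder userId) can be caught before the request is sent. The following Node.js snippet is an added example and is not code from the Banno docs, the toolkit or either poster. It assumes the access token is a JWT whose payload carries a space-separated "scope" claim and an "exp" claim; the fakeToken() helper builds an unsigned token purely so the check can run offline, and a real token comes from the authentication flow.

```javascript
// Added example: pre-flight checks for a Consumer API Cards request.
// Assumption: the JWT access token carries a space-separated "scope" claim and "exp".
const REQUIRED_SCOPES = [
  'https://api.banno.com/consumer/auth/cardcontrols.readonly',
  'https://api.banno.com/consumer/auth/cardcontrols.readwrite',
];
// The example ID quoted in the Accounts API doc; it is not a real user.
const DOC_PLACEHOLDER_USER_ID = '01234567-abcd-4321-fedc-9876543210fa';
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Decode a JWT payload without verifying the signature. Verification is the API's
// job; here we only read the claims we are about to present.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected header.payload.signature');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

function grantedScopes(token) {
  const raw = decodeJwtPayload(token).scope ?? '';
  return Array.isArray(raw) ? raw : raw.split(' ').filter(Boolean);
}

// Returns { ok: true, url, headers } for a request equivalent to the curl command
// above, or { ok: false, problems } listing why the call would be rejected.
function buildCardsRequest({ environment, userId, accessToken }) {
  const problems = [];
  if (!UUID_RE.test(userId)) problems.push(`userId ${userId} is not a UUID`);
  if (userId === DOC_PLACEHOLDER_USER_ID) {
    problems.push('userId is the documentation placeholder, not a real user');
  }
  const scopes = grantedScopes(accessToken);
  if (!REQUIRED_SCOPES.some((s) => scopes.includes(s))) {
    problems.push(`token lacks a cardcontrols scope (has: ${scopes.join(' ') || 'none'})`);
  }
  const { exp } = decodeJwtPayload(accessToken);
  if (typeof exp === 'number' && exp * 1000 < Date.now()) problems.push('token is expired');
  if (problems.length) return { ok: false, problems };
  return {
    ok: true,
    url: `https://${environment}/a/consumer/api/v0/users/${encodeURIComponent(userId)}/cards`,
    headers: { accept: 'application/json', authorization: `Bearer ${accessToken}` },
  };
}

// Constructed, unsigned token for demonstration only (alg "none", empty signature).
function fakeToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(claims)}.`;
}
```

Feed the real token and userId into buildCardsRequest() and pass url and headers to fetch(); if ok is false, the problems array tells you which of the two fixes from the answer applies.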

Related

Simple Esri/ArcGIS Online connection using a link or iframe

I was asked by a potential client if I can have my software interact with Esri/ArcGIS Online.
Use case: a user is logged into SomeRandomSoftwareApp and is looking at a Widget; this Widget includes an Esri asset id. The user clicks a link that passes that ID to Esri/ArcGIS Online and, behind the scenes, the user is logged into Esri and sees the data associated with it in Esri/ArcGIS Online.
Thanks, Keith
If I understand correctly, you have two options for this: API Keys or Application Credentials.
The first one is a permanent token generated by the owner of the data that will allow the application easy access to it. This is still in beta, and it was not ready for use the last time I checked some time ago.
With the second one, the owner of the data will generate credentials for your application. With these credentials you will have to request a token each time you want to access the data, all of this via OAuth 2.0.
Check the docs for more details ArcGIS Services - Security
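The second option in the answer is the OAuth 2.0 client-credentials grant. The Node.js class below is an added example, not Esri's code or the answerer's: it requests a token with the application credentials, caches it until shortly before it expires, and builds the link the widget would hand to the browser. The token endpoint, the form fields and the viewer URL's query parameters are assumptions to check against Esri's current docs; the post() transport is injected so the class can be exercised offline. One caveat that follows from the use case itself: a token embedded in a link is visible to whoever clicks it, so the application credentials should only reach content that user is allowed to see.

```javascript
// Added example: OAuth 2.0 client-credentials token source for ArcGIS Online
// Application Credentials. Endpoint and field names are assumptions.
const ARCGIS_TOKEN_URL = 'https://www.arcgis.com/sharing/rest/oauth2/token';

class AppCredentialTokenSource {
  // post(url, formBody) -> Promise<parsed JSON>. Injected transport; in production
  // wrap fetch() with content-type application/x-www-form-urlencoded.
  constructor({ clientId, clientSecret, post, now = () => Date.now(), refreshSkewMs = 60_000 }) {
    this.clientId = clientId;
    this.clientSecret = clientSecret;
    this.post = post;
    this.now = now;
    this.refreshSkewMs = refreshSkewMs; // refresh this long before expiry
    this.cached = null;
    this.tokenRequests = 0;
  }

  async token() {
    if (this.cached && this.cached.expiresAt - this.refreshSkewMs > this.now()) {
      return this.cached.value;
    }
    const form = new URLSearchParams({
      client_id: this.clientId,
      client_secret: this.clientSecret,
      grant_type: 'client_credentials',
      f: 'json',
    });
    this.tokenRequests += 1;
    const reply = await this.post(ARCGIS_TOKEN_URL, form.toString());
    if (reply.error) throw new Error(`token request rejected: ${JSON.stringify(reply.error)}`);
    if (typeof reply.access_token !== 'string' || typeof reply.expires_in !== 'number') {
      throw new Error('token reply lacks access_token/expires_in');
    }
    // expires_in is in seconds; keep it in the same clock the cache check uses.
    this.cached = { value: reply.access_token, expiresAt: this.now() + reply.expires_in * 1000 };
    return this.cached.value;
  }
}

// Link for the widget: the asset id comes from the widget, the token from the app, so the
// client secret never leaves the server. The token itself is visible to the clicking user.
function assetLink(viewerBaseUrl, assetId, token) {
  const u = new URL(viewerBaseUrl);
  u.searchParams.set('id', assetId);
  u.searchParams.set('token', token);
  return u.toString();
}
```

The refresh skew matters in practice: a token handed to the browser a few seconds before expiry produces an intermittent "invalid token" that is hard to reproduce, so the cache treats anything inside the skew window as already expired.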

Service now api how to comment as specific user

I'm working on a project that consumes the Service Now API (REST). To do so, our client has registered us as a user so that we can log in and make all the service calls we need. This project has an interface where users can log in once they have an account on Service Now as well; the username they type to log in has nothing to do with Service Now, by the way, but later they associate their Service Now users with it. They can do some operations through this interface, all of which are done using the integration user/pass rather than their own Service Now users, not least because they do not need to share their passwords with us. But it's necessary to track the correct user to register on Service Now, and I'm in trouble specifically about commenting on an incident. The endpoint to comment is the following:
http://hostname/api/now/table/incident/{sys_id}
where request body is a json object just as simple as :
{
"comments": "My comment is foo bar"
}
but when this comment is registered on Service Now it is under the integration user instead of the user who commented. Is there any way I could keep a specific user, considering I already have the user id on Service Now and am ready to include it in the request in whatever way it should be?
I tried reading the Service Now documentation but had no clue how to solve it, although I've found something about impersonation.
This is happening because you're being proxied through the "Integration User" instead of your own account. As long as this is the case, your comments are going to be attributed to the Integration User.
I can think of two ways to fix this issue.
Ask the client to log you into their system directly as a user.
Implement a special API (Scripted REST API, available in Geneva or later) that allows you to identify the Incident and enter the comment, and then the script forges the comment on your behalf, attributing authorship correctly.
The first solution can be expensive due to possible additional licensing costs.
The second solution will require a willing client to devote 2-3 hours of development time, depending on the programmer.
Firstly, you need an integration user with sufficient rights. Our integration user has sufficient rights out of the box, but your story could be different. A quick check is to try to impersonate another user using the menu.
Login as integration user to ServiceNow instance.
Go to https://{instance}.service-now.com/nav_to.do
Click on username at top right corner. This is a drop down.
There should be at least three menu items: "Profile", "Impersonate User", and "Logout". If you do not have "Impersonate User" in this menu, your integration user is missing some permissions. Contact your system administrator to configure the appropriate permissions if this menu item is missing.
Then you need to find sys_id of user that you want to impersonate. For example:
https://{instance}.service-now.com/api/now/table/sys_user?sysparm_query=user_name={username}&sysparm_fields=sys_id
If you have sufficient privileges, you can invoke the following endpoint with the sys_id of the user that you want to impersonate:
HTTP POST to https://{instance}.service-now.com/api/now/ui/impersonate/{user_sys_id} with body "{}" and content type "application/json". You need to provide HTTP basic authentication to this query as your integration user.
The response code on success is 200. The response body can be ignored. The interesting result of this response is a set of cookies for the impersonated user in the response headers. These cookies can be used for subsequent REST API calls until they expire. Use whatever mechanism your HTTP client provides to capture them and to send them with the next calls.
For Apache HTTP Client (Java), I'm creating http client context using:
HttpClientContext context = HttpClientContext.create();
context.setCookieStore(new BasicCookieStore());
Pass this context to the impersonation request and to subsequent API calls until I get a 401 reply, after which I reacquire the cookies. Setting a new cookie store is important, as otherwise some default cookie store is used.
Two things to note:
This API looks like an internal one, so it could change at any time. If that happens, look at what the "Impersonate User" menu item does, and repeat it yourself.
ServiceNow permissions are quite fine-grained, so the target user could lack permission to perform the operation. In some cases, if there is no permission to update a field, a PATCH on the object returns response 200 but the field is not updated. This introduces a surprising mode of failure when you use impersonation.
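The sequence in the answer above (look up the sys_id, POST to the impersonation endpoint with basic auth, capture the cookies, reuse them until a 401, then re-impersonate) in Node.js, as an added example rather than code from ServiceNow or either answerer. It also acts on the closing caveat: after the PATCH it reads the record back and reports any field that did not change, since a 200 does not prove the write happened. The /api/now/ui/impersonate/{sys_id} endpoint is, as the answer notes, undocumented and may change; the fetchImpl transport and its { status, setCookies, json } reply shape are this example's own contract, injected so the flow can be run offline. The read-back check suits ordinary fields; verifying a journal entry such as comments needs a different query and is not shown here.

```javascript
// Added example: cookie-based impersonation against the ServiceNow REST API.
// Assumptions: the undocumented /api/now/ui/impersonate/{sys_id} endpoint behaves
// as described in the answer, and fetchImpl returns { status, setCookies, json }.
class ImpersonatingClient {
  // fetchImpl(url, { method, headers, body }) -> Promise<{ status, setCookies, json }>.
  // A real adapter wraps fetch() and fills setCookies from response.headers.getSetCookie().
  constructor({ instance, user, password, fetchImpl }) {
    this.base = `https://${instance}.service-now.com`;
    this.basic = 'Basic ' + Buffer.from(`${user}:${password}`).toString('base64');
    this.fetchImpl = fetchImpl;
    this.jar = new Map(); // one fresh jar per client, like the BasicCookieStore in the Java answer
    this.impersonating = null;
  }

  absorbCookies(setCookies) {
    for (const line of setCookies) {
      const [pair] = line.split(';'); // keep name=value, drop Path/HttpOnly/etc. for this example
      const eq = pair.indexOf('=');
      if (eq > 0) this.jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    }
  }

  // auth 'basic': integration user's credentials, no cookies sent, reply cookies ignored
  // so an integration-user session can never overwrite the impersonated one.
  // auth 'session': only the captured cookies, so the call runs as the impersonated user.
  async call(method, path, { body, auth, captureCookies = auth === 'session' }) {
    const headers = { accept: 'application/json', 'content-type': 'application/json' };
    if (auth === 'basic') headers.authorization = this.basic;
    else headers.cookie = [...this.jar].map(([k, v]) => `${k}=${v}`).join('; ');
    const res = await this.fetchImpl(this.base + path, {
      method, headers, body: body === undefined ? undefined : JSON.stringify(body),
    });
    if (captureCookies) this.absorbCookies(res.setCookies ?? []);
    return res;
  }

  async userSysId(userName) {
    const path = `/api/now/table/sys_user?sysparm_query=user_name=${encodeURIComponent(userName)}&sysparm_fields=sys_id`;
    const res = await this.call('GET', path, { auth: 'basic' });
    const rows = (res.json && res.json.result) || [];
    if (res.status !== 200 || rows.length !== 1) {
      throw new Error(`expected one sys_user for ${userName}: HTTP ${res.status}, ${rows.length} rows`);
    }
    return rows[0].sys_id;
  }

  async impersonate(sysId) {
    this.jar.clear();
    const res = await this.call('POST', `/api/now/ui/impersonate/${sysId}`,
      { body: {}, auth: 'basic', captureCookies: true });
    if (res.status !== 200) throw new Error(`impersonation of ${sysId} failed: HTTP ${res.status}`);
    this.impersonating = sysId;
  }

  // PATCH as the named user, re-impersonating once if the session has expired, then read
  // the record back: a 200 can come back without the field being written when the
  // impersonated user lacks update permission on it.
  async updateAs(userName, table, recordSysId, fields) {
    const sysId = await this.userSysId(userName);
    if (this.impersonating !== sysId) await this.impersonate(sysId);
    const path = `/api/now/table/${table}/${recordSysId}`;
    let res = await this.call('PATCH', path, { body: fields, auth: 'session' });
    if (res.status === 401) {
      await this.impersonate(sysId);
      res = await this.call('PATCH', path, { body: fields, auth: 'session' });
    }
    if (res.status !== 200) throw new Error(`PATCH ${path} failed: HTTP ${res.status}`);
    const names = Object.keys(fields);
    const back = await this.call('GET', `${path}?sysparm_fields=${names.join(',')}`, { auth: 'session' });
    const stored = (back.json && back.json.result) || {};
    const mismatches = names.filter((n) => String(stored[n]) !== String(fields[n]));
    return { ok: mismatches.length === 0, mismatches };
  }
}
```

The separation of 'basic' and 'session' calls is deliberate: sending the integration user's Authorization header alongside the impersonated cookies would let the server re-authenticate the call as the integration user, which is exactly the misattribution the question is about.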

Problems with addSiteAccount1

I'm following the Quick Start Guide, as I've just received my credentials. I went through the coblogin and user (consumer) creation successfully. For test purposes, I was able to search and list sites and infos.
When I try to invoke addSiteAccount1 using the user session token for the consumer that I create, I get an HTTP 200 response and no apparent error, no exceptions or messages. The JSON response is basically the same as the one listed in the API documentation page, however there's no ID I can use to list transactions. I'm using a real login/password account information on Chase (site ID 643).
By the way, if I use random strings for credentialFields[0].value (username) and credentialFields[1].value (password), I get the same JSON response.
Please help me clarify what is not working here.
The addSiteAccount1 API will give you a response which should contain a "siteAccountId" field; this is the identifier for that particular user's Chase bank site.
This siteAccountId will have itemIDs, which correspond to different 'containers' (in Yodlee terminology): all savings and checking accounts come under the bank container, while credit cards come under the credit container; similarly, loans and mortgages are other containers.
Now even under a specific container you might have multiple accounts, e.g., under the Chase Bank container you might have 1 savings account and 1 checking account; for each there will be an itemAccountId available. This uniquely identifies that specific account, and you can pass this itemAccountId (which you can get from the getItemSummariesForSite API) to the executeUserSearchRequest API to get the transactions belonging to this specific account.
For further help here is the link for the API flow which will give you an idea about how and when to use different APIs.
OK, I think I got it working, but maybe some documentation clarification is needed. Provided that all mandatory parameters in the addSiteAccount1 are present and contain no errors, the method call will be successful for a given consumer.
I then visited the getAllSiteAccounts method, which would show me all account aggregation for that user/consumer. I was able to see all accounts added, some had a message like "REFRESH_COMPLETE" and others would have "AUTH_FAILED". It seems that once one adds an account, the Yodlee robots will try to login and then synchronize the data for a given account. Makes sense?
I was only able to verify if the bank credentials were OK by calling another method.
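What the thread arrives at is that addSiteAccount1 succeeds as soon as the parameters are well-formed, and the credentials are only proven good or bad later, when getAllSiteAccounts reports REFRESH_COMPLETE or AUTH_FAILED. The Node.js function below is an added example, not Yodlee's code or either poster's: it polls with exponential back-off until every site account has reached one of those two terminal statuses, then reports which accounts are usable and which failed authentication. Assumptions: getAllSiteAccounts is an injected async function returning an array of site accounts, and statusOf() is a caller-supplied accessor because the JSON path to the refresh status differs between Yodlee API versions; the intermediate status names in the test are constructed.

```javascript
// Added example: wait for Yodlee site-account refreshes to settle.
// Assumption: REFRESH_COMPLETE and AUTH_FAILED are the only terminal statuses that matter here.
const TERMINAL_STATUSES = new Set(['REFRESH_COMPLETE', 'AUTH_FAILED']);

function summarize(rows) {
  return {
    ready: rows.filter((r) => r.status === 'REFRESH_COMPLETE').map((r) => r.siteAccountId),
    failed: rows.filter((r) => r.status === 'AUTH_FAILED').map((r) => r.siteAccountId),
    pending: rows.filter((r) => !TERMINAL_STATUSES.has(r.status)).map((r) => r.siteAccountId),
  };
}

// getAllSiteAccounts: async () => Array<siteAccount>
// statusOf: (siteAccount) => string, e.g. (a) => a.siteRefreshInfo.siteRefreshStatus (assumed path)
// sleep: async (ms) => void, injected so tests need not wait
async function awaitSiteAccounts({
  getAllSiteAccounts, statusOf, sleep,
  maxAttempts = 10, initialDelayMs = 2000, maxDelayMs = 30000,
}) {
  let delay = initialDelayMs;
  let rows = [];
  for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
    const accounts = await getAllSiteAccounts();
    rows = accounts.map((a) => ({ siteAccountId: a.siteAccountId, status: statusOf(a) }));
    const summary = summarize(rows);
    if (summary.pending.length === 0) return { settled: true, attempts: attempt, ...summary };
    if (attempt < maxAttempts) {
      await sleep(delay);
      delay = Math.min(delay * 2, maxDelayMs); // back off; the aggregator is logging in on your behalf
    }
  }
  // Give up but still report what is known, so a stuck account is visible rather than retried forever.
  return { settled: false, attempts: maxAttempts, ...summarize(rows) };
}
```

Treat AUTH_FAILED as a user-facing result (re-prompt for credentials) rather than an error to retry: repeating the login with the same wrong password is how aggregation accounts get locked at the bank.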

When is a good time to use an API key over oAuth in an API

We are deciding on standards for APIs at my work.
I've seen some APIs use API keys. I've seen others use full authentication with username and password (eg oAuth2).
Is there generally a good time to use one over the other?
OAuth is great for the scenario of "3-party authentication" (1st party: your API server, 2nd party: an app using your API, 3rd party: user on whose behalf the API is used). For example, imagine the Instagram application (2nd party) uploading a photo to the Facebook API (1st party) on behalf of user John Doe (3rd party) to appear on his Facebook wall.
However, many APIs don't have this 3-party scenario - there's just an API and an app, not tied to any end-user-specific information. For example, if a brokerage is providing a stock quote API, it's a two-party scenario because stock quotes are not specific to an end user. (However, if there's an API to access someone's stock portfolio, it's a 3-party scenario).
For 3-party scenarios, OAuth has pretty much become standard at this point. For 2-party scenarios, even though it's possible to use OAuth, in practice simpler authentication schemes are often used (e.g. just an API key in the URL, and use HTTPS to hide the URL from intermediaries).

Use curl instead of browser to get auth_token

Looking at: http://developers.box.com/get-started/#authenticating on step #2 I'm trying to use curl to enter the credentials (user/email/password) to get the auth_token. I'd rather do it this way instead of directing the user to their browser because I'm making a script for syncing.
Anyone have an idea how I can do this? can I just do a POST with curl? I'm using v2 of the API.
You must send the user through the web page, unfortunately. However, since you are writing a script, you should also be aware that auth_tokens under the current system, so you can manually retrieve one and include it in your script.
Just one thing to note. If you don't use the standard authentication flow that goes through the Box web ui, then Box's large customers that have all their users sign-on with SSO (Active Directory and similar) logins, won't be your customers.
So, basically, if you want your app to be picked up by enterprise-level customers, then follow the building guidelines that Box provides.