Authentication & Authorization
The Authentication and Authorization service is a set of APIs used to authenticate the identity of a user, client application, or server, and to ensure that the entity has the privileges required for the request.
Authentication
To begin, the server and/or application has to authenticate with the TMB Open Banking Platform through the TMB API Gateway. TMB supports OAuth 2.0 authentication of servers and applications.
A confidential application or service that has been issued client credentials MUST authenticate with the TMB API Gateway. The TMB API Gateway supports two types of client authentication:
- The client application or service requests an application access token from the TMB API Gateway, extracts the token from the response, and sends that token with each call to the TMB Open Banking API it wants to access.
- The HTTP Basic authentication scheme, for clients that were issued a client password. For example: Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3f
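The Basic scheme above is defined in RFC 6749 section 2.3.1: each credential is form-urlencoded, the pair is joined with a colon, and the result is base64-encoded. The following is an added example (not TMB's code) showing both sides of that exchange: the client builds the header, and a gateway-side check parses it and compares a digest of the presented secret in constant time. The client_id and client_secret are RFC 6749's own example values, and the in-memory registry is constructed for illustration.

```python
# Added example, not TMB's code: building and checking the HTTP Basic client
# authentication header described in RFC 6749 section 2.3.1. The client_id and
# client_secret below are RFC 6749's own example values, not real credentials.
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

EXAMPLE_CLIENT_ID = "s6BhdRkqt3"              # RFC 6749 example value
EXAMPLE_CLIENT_SECRET = "7Fjfp0ZBr1KtDRbnfVdmIw"  # RFC 6749 example value


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client side: form-urlencode each value (RFC 6749 s2.3.1), join with ':'
    and base64-encode. Encoding first keeps a ':' inside a secret unambiguous."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Gateway side: return (client_id, client_secret), or None if the header
    is not a well-formed Basic credential."""
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value.strip():
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return unquote(client_id), unquote(secret)


def secret_digest(secret: str) -> str:
    """The gateway stores a digest of each secret rather than the secret itself."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed gateway registry: client_id -> digest of its secret.
REGISTRY: Dict[str, str] = {EXAMPLE_CLIENT_ID: secret_digest(EXAMPLE_CLIENT_SECRET)}


def authenticate_client(header: str, registry: Dict[str, str]) -> Optional[str]:
    """Return the authenticated client_id, or None. The digest comparison is
    constant-time and runs even for unknown ids, so response timing does not
    reveal which client_ids are registered."""
    parsed = parse_basic_auth(header)
    if parsed is None:
        return None
    client_id, secret = parsed
    known = client_id in registry
    expected = registry.get(client_id, secret_digest(""))  # dummy keeps the work constant
    match = hmac.compare_digest(secret_digest(secret), expected)
    return client_id if (known and match) else None


if __name__ == "__main__":
    header = basic_auth_header(EXAMPLE_CLIENT_ID, EXAMPLE_CLIENT_SECRET)
    print(header)
    print("authenticated as:", authenticate_client(header, REGISTRY))
```

Because the credentials are url-encoded before being base64-encoded, a secret containing a colon or an `@` survives the round trip; a gateway that splits on the first colon without decoding would mis-parse such a secret.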
Authorization
The server or application can be authorized with the TMB API Gateway in three ways.
- Server Authorization: TMB authorizes your server to access the TMB Open Banking Platform.
- App/Service Authorization: TMB authorizes your application or service to access the TMB Open Banking Platform through the TMB Open Banking API.
- User Authorization: The resource owner (the TMB customer) grants your app permission to access and/or modify the user's own data. Calls to the TMB Open Banking API require authorization by your application's user. To obtain that authorization, your application makes a call to the TMB Authorization server, passing along the list of scopes for which access permission is sought.
OAuth2.0 Authorization
The TMB API Gateway supports the OAuth 2.0 protocol for the authorization process. TMB Open Banking APIs follow the OAuth 2.0 Client Credentials Grant, Authorization Code Grant, and Resource Owner Password Credentials Grant as specified in RFC 6749.
Client Credentials Grant
The "Client Credentials" grant is used when an application accesses its own resources. This grant type simply exchanges the client_id and client_secret for an access token.
The Client Credentials flow is used in server-to-server authentication. Only endpoints that do not access user information can be reached with it. The advantage over requests to the Web API made without an access token is that a higher rate limit is applied.
Resource Owner Password Credentials Grant
The "Password" grant type allows applications to collect the user's username and password and exchange them for an access token. It is intended only for trusted clients, such as TMB's own applications. It should not be used by third-party apps, as that would give the third-party app access to the user's username and password.
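Both grants above are a single POST to the token endpoint that differs only in the form body, and both return the same JSON token response (RFC 6749 section 5). The following added example (not TMB's code) builds the request body for each grant and then validates the reply before the token is used: it rejects non-JSON or error replies, an unexpected token_type, and a missing lifetime, and it refuses to attach a token that is about to expire. The token endpoint URL is an assumption, and the sample replies are constructed from RFC 6749's example access token.

```python
# Added example, not TMB's code: client-side handling of the Client Credentials
# and Resource Owner Password Credentials grants (RFC 6749 s4.4 and s4.3). The
# token endpoint URL is an assumption; the sample replies are constructed from
# RFC 6749's example values.
import json
from typing import Dict, List, Optional
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://gateway.example.invalid/oauth2/token"  # assumed URL


def client_credentials_body(scopes: Optional[List[str]] = None) -> str:
    """Form body for grant_type=client_credentials. The client authenticates
    with its Basic header, so client_secret is never placed in the body."""
    params = {"grant_type": "client_credentials"}
    if scopes:
        params["scope"] = " ".join(scopes)
    return urlencode(params)


def password_grant_body(username: str, password: str,
                        scopes: Optional[List[str]] = None) -> str:
    """Form body for grant_type=password: it carries the user's own credentials,
    which is why the page restricts this grant to TMB's first-party clients."""
    params = {"grant_type": "password", "username": username, "password": password}
    if scopes:
        params["scope"] = " ".join(scopes)
    return urlencode(params)


class TokenError(ValueError):
    """Raised when the token endpoint's reply must not be used."""


def parse_token_response(status: int, body: str, now: float) -> Dict:
    """Validate a token endpoint reply (RFC 6749 s5.1 / s5.2) before trusting it.
    Returns the token, its absolute expiry time, and the granted scopes."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenError("token endpoint returned a non-JSON body") from exc
    if not isinstance(data, dict):
        raise TokenError("token endpoint returned a non-object JSON body")
    if status != 200:
        # s5.2: an error reply carries an "error" code; surface it, never retry blindly.
        msg = str(data.get("error", "unknown_error"))
        if data.get("error_description"):
            msg += ": " + str(data["error_description"])
        raise TokenError(msg)
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise TokenError("response has no access_token")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError(f"unsupported token_type {data.get('token_type')!r}")
    expires_in = data.get("expires_in")
    # expires_in is only RECOMMENDED by the RFC; this client refuses tokens
    # without it so it can never keep reusing one past its lifetime.
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        raise TokenError("missing or invalid expires_in")
    granted = str(data.get("scope", "")).split()
    return {"access_token": token, "expires_at": now + expires_in, "scope": granted}


def bearer_header(token: Dict, now: float, margin: float = 30.0) -> str:
    """Authorization header for API calls; a token within `margin` seconds of
    expiry is refused so a call does not fail mid-flight."""
    if now >= token["expires_at"] - margin:
        raise TokenError("token expired or about to expire; request a new one")
    return "Bearer " + token["access_token"]


# Constructed sample replies using the access token from RFC 6749's examples.
SAMPLE_OK_BODY = ('{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"Bearer",'
                  '"expires_in":3600,"scope":"accounts"}')
SAMPLE_ERROR_BODY = '{"error":"invalid_client","error_description":"client authentication failed"}'

if __name__ == "__main__":
    print("POST", TOKEN_ENDPOINT, client_credentials_body(["accounts"]))
    tok = parse_token_response(200, SAMPLE_OK_BODY, now=1000.0)
    print(bearer_header(tok, now=1000.0))
```

The returned `expires_at` is computed from the caller's clock at the moment the reply is parsed, so a cached token can be checked without trusting any timestamp from the server.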
Authorization Code Grant
The authorization code grant is one of the most commonly used OAuth 2.0 grant types. The authorization code flow is a "three-legged OAuth" configuration. In this configuration, the user authenticates with the TMB Authentication & Authorization service and gives the app consent to access their protected resources without divulging their username and password to the client app.
This grant type is intended for apps written by third-party developers who do not have a trusted business relationship with the API provider. For example, developers who register for public API programs should not generally be trusted. With this grant type, the user's credentials on the resource server are never shared with the app.
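The three legs of the flow are: redirect the user to the authorization server, receive the redirect back carrying an authorization code, and exchange that code for a token using the app's own client credentials. The following added example (not TMB's code) implements the client's side of those three steps per RFC 6749 section 4.1, including the `state` check that ties the callback to the session that started the flow and the refusal to treat an error redirect as success. The authorization endpoint and redirect URI are assumptions, and the authorization code in the usage is RFC 6749's example value.

```python
# Added example, not TMB's code: the client's side of the Authorization Code
# grant (RFC 6749 s4.1). The authorization endpoint and redirect URI are
# assumptions; the authorization code in the usage is RFC 6749's example value.
import secrets
from typing import Dict, List
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://gateway.example.invalid/oauth2/authorize"  # assumed
REDIRECT_URI = "https://app.example.invalid/callback"  # assumed; pre-registered with the gateway


def new_state() -> str:
    """Unguessable per-session value (RFC 6749 s10.12); store it with the user's
    session before redirecting, and accept the callback only if it returns."""
    return secrets.token_urlsafe(32)


def authorization_request_params(client_id: str, scopes: List[str], state: str) -> Dict[str, str]:
    """Step 1 parameters: the app asks for a code, naming the scopes it wants."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }


def authorization_url(client_id: str, scopes: List[str], state: str) -> str:
    """URL the app sends the user to; the user authenticates at TMB and consents
    without the app ever seeing a password."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode(authorization_request_params(client_id, scopes, state))


class CallbackError(ValueError):
    """Raised when the redirect back to the app must not be honoured."""


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: accept the redirect only if it carries the state we issued, then
    return the single authorization code it contains."""
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    states = query.get("state", [])
    if len(states) != 1 or not secrets.compare_digest(states[0].encode(), expected_state.encode()):
        raise CallbackError("state mismatch: not a redirect for this session")
    if "error" in query:
        # s4.1.2.1: the server declined; an error redirect is never a success.
        raise CallbackError("authorization server returned error " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("redirect does not carry exactly one authorization code")
    return codes[0]


def code_exchange_params(code: str) -> Dict[str, str]:
    """Step 3 form parameters the app POSTs to the token endpoint, authenticating
    with its own client credentials; redirect_uri must repeat the step 1 value
    so the server can check it (s4.1.3)."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}


if __name__ == "__main__":
    state = new_state()
    print(authorization_url("s6BhdRkqt3", ["accounts"], state))
    # Constructed callback carrying RFC 6749's example authorization code.
    callback = REDIRECT_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=" + state
    code = handle_callback(callback, state)
    print(urlencode(code_exchange_params(code)))
```

The order of checks in `handle_callback` matters: `state` is verified first, because an error redirect also carries `state`, and a callback whose `state` does not match the session should be dropped before anything in it is interpreted.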