SDK Authentication Design
We have the following components:
Mobile SDK that is part of a bank mobile application on the iOS and Android platforms
Infocus SDK REST API backend
Bank REST API backend
Initialization phase:
Infocus issues an Application ID and Application Secret that will be used for Bank REST API backend authentication on the Infocus SDK REST API backend.
Authentication phase:
The bank mobile application authenticates on the Bank REST API backend with user credentials issued by the bank.
The Bank REST API backend authenticates on Infocus SDK REST API backend with Application ID and Application Secret.
The Infocus SDK REST API backend issues a Backend Access Token and a Refresh Token and sends them back to the Bank REST API backend.
The Bank REST API backend sends the Backend Access Token to the Infocus SDK REST API backend together with a user ID (the SHA-256 hash of the mobile phone number or, alternatively, the bank's internal user ID, which requires the activation service process) and receives a Client Access Token.
The Bank REST API backend transmits the Client Access Token to the user's mobile application.
The user's mobile application passes the Client Access Token to the mobile SDK.
The mobile SDK uses the Client Access Token to interact with the Infocus SDK REST API backend.
In case of Client Access Token invalidation, the mobile SDK must request a new one via the mobile application and the Bank REST API backend.
The lifetime of a Backend Access Token is 30 min.
The lifetime of a Refresh Token is 24 hours.
The lifetime of the Client Access Token is set in the request from the Bank's backend.
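The token exchange above, as an added simulation that is not part of this design or of Infocus's code: an in-memory stand-in for the Infocus SDK REST API backend issues and checks the three token kinds with the lifetimes stated here, and the test drives the bank backend's and the SDK's side of the flow. The application secret, phone number and timestamps are constructed values; the token format, the phone-number normalisation and the `hmac.compare_digest` check are assumptions.

```python
import hashlib
import hmac
import secrets

BACKEND_TTL = 30 * 60        # Backend Access Token lifetime: 30 min
REFRESH_TTL = 24 * 60 * 60   # Refresh Token lifetime: 24 hours

def user_id_from_phone(phone):
    # User ID = SHA-256 hash of the mobile phone number (assumed already normalised)
    return hashlib.sha256(phone.encode()).hexdigest()

class InfocusBackend:
    # Constructed stand-in for the Infocus SDK REST API backend's token handling.
    def __init__(self, apps):
        self.apps = dict(apps)   # Application ID -> Application Secret (initialization phase)
        self.tokens = {}         # token -> (kind, expiry, subject)

    def _issue(self, kind, ttl, subject, now):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (kind, now + ttl, subject)
        return token

    def _subject(self, token, kind, now):
        # None for an unknown token, a token of the wrong kind, or an expired one
        kind_, expiry, subject = self.tokens.get(token, (None, 0, None))
        return subject if kind_ == kind and now < expiry else None

    def authenticate_app(self, app_id, secret, now):
        # Bank backend presents Application ID + Secret; gets Backend Access + Refresh Token
        expected = self.apps.get(app_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            return None
        return (self._issue("backend", BACKEND_TTL, app_id, now),
                self._issue("refresh", REFRESH_TTL, app_id, now))

    def refresh(self, refresh_token, now):
        # Refresh Token -> new Backend Access Token, without resending the secret
        app_id = self._subject(refresh_token, "refresh", now)
        return None if app_id is None else self._issue("backend", BACKEND_TTL, app_id, now)

    def client_token(self, backend_token, user_id, ttl, now):
        # Backend Access Token + user ID -> Client Access Token; lifetime chosen by the bank
        app_id = self._subject(backend_token, "backend", now)
        return None if app_id is None else self._issue("client", ttl, (app_id, user_id), now)

    def sdk_request(self, client_token, now):
        # Mobile SDK call: (app_id, user_id) if the Client Access Token is valid, else None
        return self._subject(client_token, "client", now)
```

Each token kind is only accepted by the endpoint it was issued for, so a leaked Backend Access Token cannot be replayed as a Client Access Token and the SDK never sees the Application Secret.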
