Authentication

To access the Leabank API, you'll receive a clientId and clientSecret for each environment (test and production). These credentials are used to establish authenticated connections through either the OpenID Connect or the JWT standard.

All API requests are authenticated using OpenID Connect or JWT:

  1. OpenID Connect - Adds an identity layer on top of OAuth 2.0, verifying the end-user's identity and allowing the client to obtain profile information in a REST-compatible format.
  2. JWT - Attach the token as a Bearer token in the Authorization header of each request. The JWT signature is verified by the authorization server, either through a key-set endpoint (JWKS, RFC 7517) or a locally provided key.

Security Note: Always secure your credentials. If you suspect they are compromised, reset them immediately.

OAuth2 Client Credentials

This guide describes how to authenticate to the API using the OAuth2 Client Credentials flow and how to call the API with the received token. Minimal code examples are given for both Node.js and C#.

Authentication Endpoints

  • Token Endpoint: used to obtain an access token.
    • Base URL: https://oidc-kc.<ENVIRONMENT>.quattro.stacc.dev/realms/agents-<ENVIRONMENT>/protocol/openid-connect/token, where <ENVIRONMENT> is one of:
      • test for the Test environment
      • prod for the Production environment
    • Method: POST
    • Required Headers:
      • Content-Type: application/x-www-form-urlencoded
    • Body Parameters:
      • client_id: Your client ID
      • client_secret: Your client secret
      • grant_type: Must be set to client_credentials
      • scope: A space-separated list of scopes

Scopes

A scope must be included in every token request. The following scopes are available:

Loan application Scopes

  • Spain:
    • loan-application:create:es: Create a loan application in Spain
    • loan-application:update:es: Update a loan application in Spain
    • loan-application:delete:es: Delete a loan application in Spain
    • loan-application:accept:es: Accept a loan application in Spain
  • Sweden:
    • loan-application:create:se: Create a loan application in Sweden
    • loan-application:update:se: Update a loan application in Sweden
    • loan-application:delete:se: Delete a loan application in Sweden
    • loan-application:accept:se: Accept a loan application in Sweden

Test Example Request (Token Endpoint)

# For test environment
POST https://oidc-kc.test.quattro.stacc.dev/realms/agents-test/protocol/openid-connect/token
Host: oidc-kc.test.quattro.stacc.dev
Content-Type: application/x-www-form-urlencoded

client_id=your_client_id&client_secret=your_client_secret&grant_type=client_credentials&scope=loan-application:create:es

Production Example Request (Token Endpoint)

# For production environment
POST https://oidc-kc.prod.quattro.stacc.dev/realms/agents-prod/protocol/openid-connect/token
Host: oidc-kc.prod.quattro.stacc.dev
Content-Type: application/x-www-form-urlencoded

client_id=your_client_id&client_secret=your_client_secret&grant_type=client_credentials&scope=loan-application:create:es

Example Response

{
  "access_token": "YOUR_ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": 3600
}

Querying the API

Once you have obtained the access token, you can use it to authenticate API requests by including it in the Authorization header.

  • API Endpoint: /api/resource
    • Method: GET
    • Required Headers:
      • Authorization: Bearer YOUR_ACCESS_TOKEN

Code Examples

- Node.js Example

In this example, we will use the axios library to make the HTTP requests.

const axios = require('axios');
const qs = require('qs');

// OAuth2 Client Credentials flow: exchange client_id/client_secret for an access token.
// Replace the placeholders with the credentials issued for the environment you target.
async function getAccessToken() {
  const tokenUrl = 'https://oidc-kc.test.quattro.stacc.dev/realms/agents-test/protocol/openid-connect/token';
  const data = qs.stringify({
    client_id: 'your_client_id',
    client_secret: 'your_client_secret',
    grant_type: 'client_credentials',
    scope: 'loan-application:create:es'
  });

  const config = {
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    }
  };

  const response = await axios.post(tokenUrl, data, config);
  return response.data.access_token;
}

// Query the API, sending the received token in the Authorization header
async function queryApi() {
  const token = await getAccessToken();
  const apiUrl = 'https://api-public.test.quattro.stacc.dev/api/resource';

  const config = {
    headers: {
      Authorization: `Bearer ${token}`
    }
  };

  const response = await axios.get(apiUrl, config);
  console.log(response.data);
}

queryApi().catch((err) => {
  // axios rejects on non-2xx responses; surface the status and body for troubleshooting
  console.error(err.response ? `${err.response.status}: ${JSON.stringify(err.response.data)}` : err.message);
  process.exitCode = 1;
});

- C# Example

In this example, we will use HttpClient to make the HTTP requests.

using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

class Program
{
    // Reuse a single HttpClient for the lifetime of the process
    private static readonly HttpClient client = new HttpClient();

    // OAuth2 Client Credentials flow: exchange client_id/client_secret for an access token
    private static async Task<string> GetAccessToken()
    {
        var tokenUrl = "https://oidc-kc.test.quattro.stacc.dev/realms/agents-test/protocol/openid-connect/token";
        var requestBody = new FormUrlEncodedContent(new[]
        {
            new KeyValuePair<string, string>("client_id", "your_client_id"),
            new KeyValuePair<string, string>("client_secret", "your_client_secret"),
            new KeyValuePair<string, string>("grant_type", "client_credentials"),
            new KeyValuePair<string, string>("scope", "loan-application:create:es")
        });

        var response = await client.PostAsync(tokenUrl, requestBody);
        response.EnsureSuccessStatusCode();
        // Parse the JSON token response with System.Text.Json (no extra packages needed)
        using var tokenResponse = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return tokenResponse.RootElement.GetProperty("access_token").GetString();
    }

    // Query the API, sending the received token in the Authorization header
    private static async Task QueryApi()
    {
        var token = await GetAccessToken();
        var apiUrl = "https://api-public.test.quattro.stacc.dev/api/resource";

        using var request = new HttpRequestMessage(HttpMethod.Get, apiUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

        var response = await client.SendAsync(request);
        response.EnsureSuccessStatusCode();
        var responseBody = await response.Content.ReadAsStringAsync();
        Console.WriteLine(responseBody);
    }

    static async Task Main(string[] args)
    {
        await QueryApi();
    }
}
