PowerAuth Web Flow Documentation

PowerAuth Web Flow provides federated authentication and authorization services for securing web applications. Web Flow is built using PowerAuth security protocol and performs role of an OAuth 2.0 provider.

The typical use-case for the software stack is securing the RESTful API interfaces, or authentication / authorization for internet banking via central authentication / authorization component.

Web Flow handles the authentication and authorization from user point of view. The user interacts with Web Flow using web browser and using mobile device (optional). The authentication flow starts when user performs a request to a protected URL and the user session has not been authenticated yet. This event triggers an OAuth 2.0 authentication process where Web Flow serves as an OAuth 2.0 provider. Based on configuration of current operation, user gets authenticated using various authentication steps. User session becomes authenticated once all required steps have been successfully completed for given operation.

Web Flow can handle various types of authentication and authorization steps during the OAuth 2.0 dance:

• Form based authentication (login using username and password)
• User ID assignment (user identification is resolved using backend systems)
• SMS OTP authorization (user receives a SMS with one time code which is used for authorization)
• Mobile token authorization (user confirms operation on mobile device, PowerAuth signature is used for authorization)
• SCA login (user specifies username in the first screen, the second screen uses password and SMS code verification)
• SCA approval (SCA login followed by approval using password and SMS code verification)

Web Flow can also display OAuth 2.0 consent page with options required to be selected for completing the operation.

Additional authentication and authorization steps can be implemented by extending Web Flow. Each operation can be configured to require a different authentication/authorization flow based on security requirements of the operation.

Web Flow can be integrated with anti-fraud systems, provide information for fraud detection as well as perform an authentication step-down based on response from anti-fraud system.

Overview

• Introduction
• Basic Definitions
• Components
• Web Flow Architecture
• OAuth 2.0 Integration
• User’s Guide

Applications

• Web Flow Server
• Next Step Server
• Data Adapter
• PowerAuth Server
• PowerAuth Admin
• PowerAuth Push Server

REST APIs

• NextStep Server REST API Reference
• Data Adapter REST API Reference
• Web Flow REST API Reference
• Mobile Push Registration API
• Mobile Token REST API Reference

Deployment

• Web Flow Installation Manual
• Deploying Web Flow on JBoss / Wildfly
• Database Table Structure
• Migration Instructions
• Docker Deployment

Customizing Web Flow

• Customizing Web Flow Appearance
• Implementing Data Adapter Interface
• Web Flow Configuration
• Configuring Next Step Definitions
• Customizing Operation Form Data
• Mobile Token Configuration

Technical Notes

• Operation Data Structure
• Off-line Signatures QR Code
• Web Socket Communication Protocol
• Used Push Message Extras

Development

• Compilation, Packaging and Deployment

Releases

• Releases