Handling wealthAPI user passwords
Securely creating users for server-to-server use cases
Users are created via the /v1/signup
endpoint. A user will receive an email (= username) and a password by the creating service. For server-to-server use cases, we strongly recommend to use a random hash as email / username instead of a real email address. This will greatly improve security against email dictionary attacks.
When creating the user, your mandator secret is required.
Listing your users
You may list your users using the GET /v1/users
endpoint in combination with your mandator credentials.
When is a user password assigned
A user password is assigned (by you) when you first signup a user. Note that a server-to-server signup process must provide the clientSecret
in order to skip the otherwise mandatory email verification.
How to authenticate a user
User authentication is done either via username and password or via refresh token. Use the /oauth/access_token endpoint with the respective scope to either login-in or exchange a refresh token for an access token.
Note that both, login and token exchange will require your mandator credentials as a second authentication factor, as specified by the oauth standard - see our API documentation for details.
The login request including client credentials will then look as shown below. Please not the the client_id
should be a hash and not your mandators public ID (like “rentablo”).
{
"grant_type": "password",
"client_id": "aabbccddeeffgghhiijjkkllmmoo",
"client_secret": "bbccddeeffgghhiijjkkllmmoopp",
"username": "the-username",
"password": "the-password"
}
How to change a user’s password
A user may change his password using the current password via the changePassword operation:
https://sandbox.wealthapi.eu/apiDocumentation/swagger#/users/changePassword
This option may only be executed if the user is a) logged-in and b) knows his password.
How to reset a user password
A password can be reset by the users mandator, using mandator credentials. Alternatively, a user with role ROLE_USER_MANAGEMENT
may reset a users password. In any case, resetting passwords is limited to users in the scope of the authenticated mandator.
For security reasons, editing users (including resetting the password) with mandator credentials is only possible by specifying the username / email. Note that in the case of server-to-server-users the email / username will typically be a random hash assigned by the creating service.
Resetting via ROLE_USER_MANAGEMENT
To so so, a user account in your organization must have ROLE_USER_MANAGEMENT
. This account may then update the user with a new password user the update user endpoint. Again, an update can only be done via specifying the users email / username.
Resetting via mandator credentials
In order to reset a users password, via mandator credentials, you must provide the clientId and clientSecret in the request header using the following header parameters:
X-Mandator-Client-Id
X-Mandator-Client-Secret
A request submitted with valid mandator credentials will be able to update the user with a new password user the update user endpoint.
Should I store user passwords?
When storing user credentials, these must always be stored encrypted. Due to the oauth implementation we consider encrypted storage of user credentials as secure.
An alternative to storing user credentials is to just store the refresh token. The refresh token may then be used to acquire a new user token once it expires. Note that the refresh token may also expire based on your mandator settings.
In case you did not store the user credentials and your refresh token expired, you must reset the users password. The process would then be
reset user password using mandator credentials
obtain a new token and refresh token using user credentials
store the new refresh token
Validity of token and refresh_token
The token
is valid for 60 minutes.
The refresh_token
has by default no restriction on token lifetime. A custom token validity period may be configured on mandator level.
Revoking refresh tokens
We use JWT which is a stateless token by design. The easiest way to revoke a JWT is by deleting it.
For added security, we provide a way to revoke all valid refresh tokens for a certain user. To revoke all valid refresh tokens, use the endpoint