BrandonNash

Reputation: 58

Consumer API - Using Authentication Framework via a "background" service

I'm working on an API project that will use Banno's Consumer API to gather Account/Transaction data as part of a "background" service to sync with a Partner's system. By background service I mean that the User is not present. The Partner will send over identifiers for the given User and this API being developed would retrieve this data and send it back to the Partner for them to perform the sync with their data.

In conjunction with this background API, I have implemented a Plugin so I know that with Banno's Authentication Framework a User has to have a valid session to receive a token via its OAuth process to consume the Consumer API. My question is, is there some mechanism or alternative approach with the Consumer API that would allow for a User to be authenticated (without signing into their Banno account via username/password) that would allow a background service type of manner to interact with the Consumer API?

The API project I'm working on is accessed via an API the Partner has implemented. This "sync" process for Accounts/Transactions can be triggered after a User has logged into their system (which happens when the User signs into their Banno account) but it can also be triggered on a scheduled basis all of which the User is not present to authenticate themselves in Banno. Additionally, since this API is necessarily invoked in conjunction with the User accessing Banno I would not be able to "share" the access token across the line.

The Authentication Framework and Consumer API Framework docs don't seem to point out anything along the lines of what I'm looking for in order to achieve this background service type of operation, so I'm not sure 1) if this is possible and 2) if possible, how to go about implementing this.

Upvotes: 0

Views: 189

Answers (1)

Jaime Lopez Jr.

Reputation: 671

It's a bit challenging to understand the full scope without some sort of visual aid (like a Sequence Diagram), but I think I understand what you might be looking to do. Apologies in advance if I've interpreted the question incorrectly.

The Authentication (Node.js Example) might give a good idea of how to accomplish your integration. It doesn't go quite as far as what you're looking to do, but it has the foundation for the follow-on next steps.

That quickstart page uses the Consumer API OpenID Connect Example project from GitHub to simulate what it would be like to have an outside system connect to Banno's Consumer API. Unlike the Plugin Framework's example projects which are meant to render inside of Banno's UI, the Consumer API OpenID Connect Example project has its own UI that defers to Banno for the auth part of the UI flow but otherwise renders itself outside of the context of Banno's UI.

Please note the https://api.banno.com/consumer/auth/offline_access OAuth scope that's included as part of the example code. The Authentication Framework / Overview / OpenID Connect and OAuth 2.0 page describes what that scope does, which is it requests that a Refresh Token be issued as part of the OAuth flow.

Our Access Tokens have a limited lifetime from when the Access Token was issued. Once that Access Token expires, you either need to A) start the authentication flow again with a user present or B) exchange a Refresh Token for a new Access Token.

Option B does not require that the user have a live session nor be present. Please note that the only way you would get the tokens to begin with is to have the user present at some point in the process, though. The Permissions Flow page shows what the Consent Experience is like for apps which want to connect in this manner.

We have a guide on Refresh Tokens that will be useful to understand the process for requesting a Refresh Token as well as exchanging a Refresh Token for a fresh Access Token.

Upvotes: 1
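The token handling the answer describes, written out as an added example in Node.js; this is not code from the original answer, from the Consumer API OpenID Connect Example project, or from Banno. It shows the two pieces a background sync needs: requesting the `offline_access` scope during the one user-present login so a Refresh Token is issued, and later exchanging that Refresh Token for a fresh Access Token with the standard OAuth 2.0 `refresh_token` grant when a scheduled run finds the Access Token expired. The token endpoint URL, client id, client secret, token values, and the `makeFakeTokenEndpoint` stand-in are all constructed assumptions so the example runs offline; a real deployment takes the endpoint from the provider's OpenID Connect configuration.

```javascript
'use strict';

// Scope that asks for a Refresh Token (the one named in the answer above).
const OFFLINE_ACCESS_SCOPE = 'https://api.banno.com/consumer/auth/offline_access';
// Placeholder: the real token endpoint comes from the provider's OpenID Connect configuration.
const TOKEN_ENDPOINT = 'https://idp.example.invalid/oauth/token';
// Refresh a little before the recorded expiry so a request never races the clock.
const EXPIRY_SKEW_MS = 30 * 1000;

// Scope string for the single user-present login. Without offline_access no
// Refresh Token is issued and the job is stuck once the Access Token expires.
function authorizationScopes(apiScopes) {
  return [...new Set([...apiScopes, OFFLINE_ACCESS_SCOPE])].join(' ');
}

// Token pair for one user. A Refresh Token is a long-lived credential, so a real
// service keeps it encrypted at rest and tied to that one user record.
class BackgroundTokenClient {
  constructor({ clientId, clientSecret, tokens, fetchImpl = globalThis.fetch, now = () => Date.now() }) {
    this.clientId = clientId;
    this.clientSecret = clientSecret;
    this.fetchImpl = fetchImpl;
    this.now = now;
    this.refreshToken = null;
    this.setTokens(tokens);
  }

  // Store a token response; a rotated Refresh Token replaces the previous one.
  setTokens({ access_token, refresh_token, expires_in }) {
    this.accessToken = access_token;
    if (refresh_token) this.refreshToken = refresh_token;
    this.expiresAt = this.now() + expires_in * 1000;
  }

  accessTokenIsValid() {
    return this.now() + EXPIRY_SKEW_MS < this.expiresAt;
  }

  // OAuth 2.0 refresh_token grant (RFC 6749 section 6): no user involved.
  async refresh() {
    const body = new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: this.refreshToken,
      client_id: this.clientId,
      client_secret: this.clientSecret,
    });
    const res = await this.fetchImpl(TOKEN_ENDPOINT, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    });
    const payload = await res.json();
    if (!res.ok) {
      // invalid_grant means the Refresh Token was revoked or expired; the only
      // recovery is another user-present login, so the job must flag that user.
      throw new Error(`refresh failed (${res.status}): ${payload.error || 'unknown_error'}`);
    }
    this.setTokens(payload);
    return this.accessToken;
  }

  // Entry point for the scheduled sync: a usable Access Token, refreshed only when needed.
  async getAccessToken() {
    if (this.accessTokenIsValid()) return { token: this.accessToken, refreshed: false };
    return { token: await this.refresh(), refreshed: true };
  }
}

// Constructed stand-in for the token endpoint so the example runs offline.
// It rotates Refresh Tokens: each is single-use and replaced on success.
function makeFakeTokenEndpoint(liveRefreshTokens) {
  let n = 0;
  return async (_url, init) => {
    const p = new URLSearchParams(init.body);
    const rt = p.get('refresh_token');
    const ok = p.get('grant_type') === 'refresh_token' && liveRefreshTokens.has(rt);
    if (!ok) return { ok: false, status: 400, json: async () => ({ error: 'invalid_grant' }) };
    liveRefreshTokens.delete(rt);
    n += 1;
    const tokens = { access_token: `at-${n}`, refresh_token: `rt-${n}`, expires_in: 3600, token_type: 'Bearer' };
    liveRefreshTokens.add(tokens.refresh_token);
    return { ok: true, status: 200, json: async () => tokens };
  };
}

// Three scheduled runs: inside the Access Token lifetime, after it expired,
// and after the Refresh Token was revoked (consent withdrawn).
async function demo() {
  let clock = 1_000_000_000;
  const live = new Set(['rt-0']);
  const client = new BackgroundTokenClient({
    clientId: 'background-sync',        // constructed
    clientSecret: 'not-a-real-secret',  // constructed
    tokens: { access_token: 'at-0', refresh_token: 'rt-0', expires_in: 3600 }, // from the user-present login
    fetchImpl: makeFakeTokenEndpoint(live),
    now: () => clock,
  });
  const first = await client.getAccessToken();   // still valid: no refresh
  clock += 3600 * 1000;                          // an hour passes
  const second = await client.getAccessToken();  // expired: refresh grant used
  live.clear();                                  // access revoked on the provider side
  clock += 3600 * 1000;
  let revokedError = null;
  try { await client.getAccessToken(); } catch (e) { revokedError = e.message; }
  return { first, second, revokedError, scopes: authorizationScopes(['openid']) };
}

if (typeof require !== 'undefined' && require.main === module) demo().then((r) => console.log(r));
```

The `invalid_grant` branch is the part worth wiring into monitoring: once a Refresh Token stops working, no amount of retrying helps, and the sync job should mark that user as needing to go through the consent flow again rather than hammering the token endpoint on every schedule.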
