jbdev23

Reputation: 3

Banno Plugin Session Maintenance with Cookies

In a previous post from January 2022 (Plugin authentication not automatically completing when refreshed after a delay), it was discussed that maintaining authentication in a plugin card "almost exclusively uses a cookie"; however, the current documentation (https://jackhenry.dev/open-api-docs/plugins/overview/authentication/) discusses the issues with using cookies within the iframe and essentially provides that to effectively use a cookie created by the plugin card you must either A) have the user enable third-party cookies, which is not advised or practical for production, or B) run your plugin card from a subdomain of the hosting FI's home banking domain, which would require more configuration on the part of the FI.

A couple of questions:

  1. The context of maintaining the session in the January 2022 post was about avoiding re-authenticating the user each time the plugin card loads. It appears that the card reloads every time a user navigates to a different section of home banking and returns to the dashboard. If the use case for the cookie is only to avoid reauthentication of the plugin, does it matter (can we simply re-authenticate) so long as it is invisible to the user?

  2. Since the previous recommendation for session maintenance was a cookie, which seems to have been complicated by updates to browsers and their blocking of third-party cookies over the last couple of years, are you seeing plugin creators require FIs to configure custom subdomains to be able to use their plugin? Is that something FIs are going to be accustomed to doing when setting up a plugin? This would require DNS configuration on the part of the FI, which would be more complicated for them than simply setting up the External App and Plugin in Banno People. Just looking to confirm if that is the new normal and something FIs expect when enabling plugins.

Upvotes: 0

Views: 54

Answers (1)

Jaime Lopez Jr.

Reputation: 671

The browser makers are tightening up / locking down 3rd party cookies, so the path forward is to have folks configure the plugin to be at a subdomain of the Banno Online domain name for the financial institution, per https://jackhenry.dev/open-api-docs/plugins/overview/authentication/ (which you've noted in your question).

Whether or not a particular financial institution is accustomed, today, to doing such a thing is going to depend a lot on which plugins they've built themselves or installed from 3rd parties like fintechs. With that being said, the changing landscape of the browsers themselves will naturally result in more financial institutions needing to become accustomed to setting up subdomains for their plugins (or at least the ones which require cookies to operate).

In terms of managing your own session and needing to re-authenticate the user, that should be fine to do and largely invisible to the user if you're diligent about:

  • maintaining your own state
  • recognizing a user needs to reauthenticate, and redirecting them to a Redirect URI which is valid and configured for your External Application
  • using your state to return the user to where they were, after the reauthentication flow ends

Upvotes: 0
