2. Why OAuth is Needed
(Diagram) Consumer; Banks on which consumer has accounts; Financial Aggregator, which maintains the summary of balance of all the three bank accounts.
3. Problem Statement
• The Aggregator (Mint.com) needs limited information from the bank accounts.
• The simple but inefficient and possibly dangerous way would be for Mint.com to store the consumer's username & password for all three bank accounts.
• But this gives Mint.com more information than the user may want to give. Mint.com doesn't need all account transactions just to maintain the account balances.
4. OAuth 2.0 Call Flow
1. Mint.com registers as an application to BOFA (passes Client Redirect URL).
2. BOFA accepts Mint as Authorized Application Provider (sends back ClientID, Client_Secret).
3. Consumer tries accessing Mint.com for BOFA data.
4. Mint.com does not have an access_token to get BOFA information for the user. It passes on the auth_url, redirect_url and client_id.
5. A popup is opened which points to the auth_url, i.e. the BOFA site.
6. BOFA sends back the RedirectURL with an authorization_code. The RedirectURL is the same as supplied in Step 1 by Mint.com.
7. The browser passes back the authorization code to Mint.com via the Redirect URL.
8. Mint.com calls the BOFA APIs with ClientID, ClientSecret and the authorization code received in Step 7.
9. BOFA generates an access_token for the Consumer's account access. Mint.com can simply use this access_token for future access of the Consumer's account data until the token expires.
*All transactions happen over SSL
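The nine steps above, as an added toy simulation (not Mint's or BOFA's code, and not from the original slides): a BofaAuthServer that registers clients, issues single-use authorization codes and expiring access tokens, and a MintClient that starts the login and redeems the code. Hostnames (bofa.example, mint.example), the scope name balances:read and the account balances are constructed. The `state` parameter is standard OAuth 2.0 but goes beyond the slide's nine steps; it lets the client reject a callback it never initiated. The server also enforces the point made in Step 6: the redirect URL must be the one registered in Step 1.

```python
"""Toy OAuth 2.0 authorization-code flow (added example, constructed names and data)."""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    user: str
    scope: str
    expires: float
    used: bool = False


class BofaAuthServer:
    """Steps 2, 5/6 and 9: registers clients, issues codes and tokens, serves balances."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # authorization_code -> IssuedCode
        self.tokens = {}    # access_token -> {user, scope, expires}
        self.accounts = {}  # user -> balances (constructed sample data)

    def register_client(self, redirect_uri):
        """Step 2: accept the application; hand back ClientID and Client_Secret."""
        client_id, client_secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret

    def authorize(self, client_id, redirect_uri, user, scope, state):
        """Steps 5/6: consumer has logged in at BOFA and approved; redirect back with a code.
        The redirect_uri must equal the one registered in Step 1, otherwise the code could
        be delivered to a site the consumer never approved."""
        registered = self.clients.get(client_id)
        if registered is None or redirect_uri != registered[1]:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(client_id, redirect_uri, user, scope, time.time() + 60)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 9: exchange ClientID + ClientSecret + code for an expiring access_token."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            raise PermissionError("invalid client credentials")
        issued = self.codes.get(code)
        if issued is None or issued.used or issued.expires < time.time():
            raise PermissionError("invalid, used or expired authorization code")
        if issued.client_id != client_id or issued.redirect_uri != redirect_uri:
            raise PermissionError("code was not issued to this client/redirect_uri")
        issued.used = True  # codes are single-use; a replay fails the check above
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": issued.user, "scope": issued.scope,
                                     "expires": time.time() + 3600}
        return {"access_token": access_token, "token_type": "bearer", "expires_in": 3600}

    def balances_api(self, access_token):
        """Resource endpoint: the token grants the balances scope only, not transactions."""
        grant = self.tokens.get(access_token)
        if grant is None or grant["expires"] < time.time() or grant["scope"] != "balances:read":
            raise PermissionError("invalid, expired or insufficient token")
        return dict(self.accounts[grant["user"]])


class MintClient:
    """Steps 1, 4, 7 and 8: the aggregator side of the flow."""

    def __init__(self, bofa, redirect_uri):
        self.bofa, self.redirect_uri = bofa, redirect_uri
        self.client_id, self.client_secret = bofa.register_client(redirect_uri)  # Step 1
        self.pending_states = set()

    def build_auth_url(self, scope="balances:read"):
        """Step 4: no access_token yet, so send the consumer to BOFA's auth_url.
        `state` is a per-login nonce so the callback can be tied to this attempt."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return "https://bofa.example/oauth/authorize?" + urlencode(
            {"response_type": "code", "client_id": self.client_id,
             "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_redirect(self, redirect_url):
        """Steps 7/8: receive the code on the Redirect URL and trade it for an access_token."""
        query = parse_qs(urlparse(redirect_url).query)
        state = query.get("state", [""])[0]
        if state not in self.pending_states:
            raise PermissionError("callback does not match a login this client started")
        self.pending_states.discard(state)
        return self.bofa.token(self.client_id, self.client_secret,
                               query["code"][0], self.redirect_uri)


def _run_to_redirect(user="alice"):
    bofa = BofaAuthServer()
    bofa.accounts[user] = {"checking": 1250.0, "savings": 8000.0}  # constructed balances
    mint = MintClient(bofa, "https://mint.example/oauth/callback")
    params = {k: v[0] for k, v in parse_qs(urlparse(mint.build_auth_url()).query).items()}
    # Steps 5/6: the consumer authenticates at BOFA (simulated) and approves the request.
    redirect = bofa.authorize(params["client_id"], params["redirect_uri"], user,
                              params["scope"], params["state"])
    return bofa, mint, redirect


def run_flow(user="alice"):
    """Whole flow: the balances Mint.com can read with the issued access_token."""
    bofa, mint, redirect = _run_to_redirect(user)
    grant = mint.handle_redirect(redirect)
    return bofa.balances_api(grant["access_token"])


def replay_is_rejected():
    """Step 9 check: a code that was already redeemed cannot be redeemed again."""
    bofa, mint, redirect = _run_to_redirect()
    code = parse_qs(urlparse(redirect).query)["code"][0]
    bofa.token(mint.client_id, mint.client_secret, code, mint.redirect_uri)
    try:
        bofa.token(mint.client_id, mint.client_secret, code, mint.redirect_uri)
    except PermissionError:
        return True
    return False
```

Running `run_flow()` walks Steps 1 to 9 in-process and returns only the balances, which is the limited data the Problem Statement says Mint.com should get. `replay_is_rejected()` shows why the server marks codes as used: a code observed in transit cannot be exchanged a second time, and a callback whose `state` the client never issued is dropped before any exchange is attempted.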