Supporting Open Banking

Listening for the OAuth signal

• iOS: The SDK will listen for the signal and launch the system browser when needed.
• Android: The SDK will listen for the signal and launch the system browser when needed.
• JS SDK: When used in a browser the OAuth flow will be handled automatically. If integrating in a
  different context when instantiating the SDK, provide the openBankingRedirect option with
  your custom app scheme or universal link. Once an OAuth flow is triggered, a message will be posted to
  the window with a type property of oauthUrl and a url property
  containing the URL that needs to be launched.

Chase Bank cuts off redirects that are initiated through a WKWebView instance. A consent URL should be launched from within a native browser. The URL should not be launched from within unsecured containers that allow the mobile app to intercept user input, and thus intercept user credentials.

Below is an example of the changes required for integrations utilizing React Native. If you use another cross-platform framework, implementation of this change will vary.

If your React Native app is currently opening the consent URL within an instance of WebView, you need to make code changes in your integration.

To ensure your integration will meet the requirements, take the following steps:

1. Ensure you are able to receive events in React Native from the WebView

window.addEventListener('message', (event) => {
    window.ReactNativeWebView.postMessage(JSON.stringify(event.data));
}, false);

2. Handle the message event, looking for an event with a type property of `oauthUrl`. Once the message is received, open the URL supplied on the `url` property in the native browser.

onMessage={message => {
    const {type, data} = JSON.parse(message.nativeEvent.data);
    if (type === 'oauthUrl') {
        Linking.canOpenURL(data.url).then(supported => {
            if (supported) {
                Linking.openURL(data.url);
            } else {
                console.log("Don't know how to open URI: " + data.url);
            }
        });
    }
}}

3. After the user has logged in, they will be sent back to your app’s scheme or universal link that you have previously configured, and the flow will resume.

Continuing to open the consent URL from within a WebView instance will result in blocked request from Chase along with many other data providers due to security vulnerabilities.

Handling the return signal

The webview will continue polling while the user is going through the OAuth flow. The webview should not be
destroyed when the OAuth URL is launched and should be returned to the screen once the return signal is
received.

External Documentation

Setting up custom scheme

• iOS:
  Defining a Custom URL Scheme for your app
• Android:
  Create Deep Links to App Content
• React Native:
  Deep linking

Setting up Universal Link

• iOS:
  Supporting Associated Domains
• Android:
  Create Deep Links to App Content,
  and
  Verify Android App Links
• React Native: See above
  (Deep linking)

Testing Open Banking

To test enrolling via open banking, search the institution list for “DAG OAuth” and use the following credentials: