OAuth Guide


Some institutions, such as Chase and Bank of America, require OAuth login authorization flows in which the user is directed to that bank's login page before returning to the Trustly Lightbox. If OAuth login authorization flows are not intentionally handled during integration, users may not be able to connect their accounts successfully.

Additionally, it is important to consider that as additional banks migrate to OAuth standardized login flows, additional work may be needed to update this style of implementation. To minimize future maintenance and simplify the Lightbox integration, Trustly recommends using one of the official Trustly native mobile SDKs for iOS and Android.

OAuth User Flows

Although the Trustly Lightbox works in an OAuth-like pattern by authorizing a user, then redirecting the user back to the originating app, for banks that require OAuth login, there is an additional redirect that must be handled. The graphic below demonstrates this:

OAuth Oveview Diagram

This behavior does not require any additional handling when a user visits your app from a traditional web browser as the OAuth flow is handled by the web browser simply opening a new browser window, then closing that window and returning the user to the initial window. However, a Webview within a mobile app does not have the same functionality as a fully-featured web browser, therefore additional steps must be taken to handle the workflow.

OAuth Between Mobile Apps

Banks that require OAuth login often also support OAuth through their official app as an alternative to login via a web browser. This auth pattern is referred to as “App-to-App”. Trustly prefers to use App-to-App login when available.

Particularly for services such as banking, users often have their bank’s mobile app installed on their device and often have enabled biometric authentication (such as FaceID or fingerprint). Because of this, users have become accustomed to opening their Bank’s app to pass through an OAuth login flow rather than open a browser and load a password manager or enter their password manually.

This “App-to-App” login pattern is a recognized best practice and is supported through Trustly’s native mobile SDKs. The easiest way to delivery this user experience is to integrate with Trustly through our Android or iOS SDKs. However, as mentioned before, for apps that use a hybrid-platform architecture or must utilize the Javascript SDK in a web page for other reasons, the Webview guide outlines how this can be done accurately.

Note: Test this login flow with your application by downloading Trustly's OAuth Demo Bank mobile app. Read more in the Testing guide.

Deep Links

Registering a Deep Link (often referred to as a URL Scheme) for your application is required to support OAuth. During bank authorizations, this URL is passed to Trustly in order to successfully return the user to your application after the OAuth process is complete. More information on deep links can be found at the resources below: