First Iraqi Bank is a fully digital bank launched in Iraq in 2020. We offer services to our customers following international security and compliance standards, as it is our ambition to change banking in Iraq. For our partners, we offer services wherever trust is needed. The first online use cases are our SDK payments and our single sign-on (SSO) method. With these two packages, you can use First Iraqi Bank's infrastructure to offer a convenient login and payment method to your customers. With FIB SSO, customers can easily authenticate themselves, and you benefit from the identity verification we perform during our onboarding process, which follows international standards. You therefore also know that your customers are not suspicious persons or members of terror networks.
We want to expose as little user data as possible, so after the user's confirmation we provide access only to the following data:
1. Phone number
2. First name in Arabic
3. Last name in Arabic
4. IBAN
FIB offers two environments: sandbox and production. Sandbox has the same settings as the production environment but is dedicated to integration purposes.
You need access to our environments to integrate with the Login with FIB functionality, for which you will need the following details:
- client_id
- client_secret
- SSL certificate
Currently, Pay with FIB is an offline payment type. In future releases it will be upgraded to the online type, with the full set of options related to that type.
The partner must successfully complete the registration form and follow the instructions in the response:
Firstly, please register your company as a partner.
Our environments are only accessible with a client SSL certificate. We will prepare a dedicated SSL certificate for your company and provide it to you, together with the clientId and clientSecret, after successful registration. Along with the environment access, you will receive all FIB buttons and graphics.
Please install the SSL certificate on the machines that call our environments. Treat the certificate's private key and the clientSecret as secrets: keep them on your back end and never ship them in browser or mobile code.
If you already have access to our environment, then please proceed further, following the steps below.
In case you need further details, please reach out to us by filling out this FIB Integration Request Form and including your questions in the Details section.
To access the user's data on their behalf, you need to obtain a set of tokens (access_token and id_token). This section describes how to do it.
We are fully compliant with OIDC.
OIDC defines multiple flows for obtaining a valid access token. In FIB we use the Authorization Code flow.
The flow is presented in the diagram below.
The prerequisite for this stage is the addition of the Login with FIB button to your login page. That button is sent to you after registration as a partner. To start the login process, send the following request.
Code Example
GET /auth/realms/fib-personal-application/protocol/openid-connect/auth?response_type=code&client_id={client_id}&scope=openid&redirect_uri={redirect_uri}
response_type: Required. Must be set to code.
client_id: Required. The client_id is provided to you after successful registration as a partner.
scope: Optional. We only support the openid scope. If you ask for a different scope, your request will be rejected.
redirect_uri: Optional. Where the authorization_code will be sent. This value must match one of the values provided during your partner registration.
state: Optional, but recommended. An opaque value bound to the user's session on your side. It is returned unchanged on the redirect; verify it before accepting the authorization_code so that a forged callback (CSRF) is rejected.
If the request was correct, the FIB login page is displayed to the user. The user should enter their credentials, i.e. phone number and password.
The user can click the Back to Partner button, in which case they are redirected back to your website. If the user clicks the Login button, two scenarios are possible:
1. If this is the first login, the consent page is displayed to the user. The user may or may not decide to grant access to their personal data. If the user grants access, the authorization_code is sent to the redirect_uri; please refer to the next step (Step 2). If the user does not grant access, the response is sent to the redirect_uri with an error message as a parameter:
[your_redirect_uri]/redirect?error=access_denied
2. On subsequent logins the consent screen is no longer shown, and the authorization_code is sent to the redirect_uri right after login. Please refer to the next step (Step 2).
The authorization_code is sent to the URL provided in your first request as the redirect_uri parameter.
Please handle the authorization_code properly. It is sent to you in the following format:
[your_redirect_uri]/?code=8b874631-335c-4ea1-ab0f-16f09b6d30bb.c5969e06-35c2-407a-b14c-27ed110fe1a2.4c39f090-0257-41c2-ab53-4227a8a3deac
As you can see, the authorization_code is an opaque string. It is short-lived and single-use: exchange it for tokens from your back end with the following request.
POST /auth/realms/fib-personal-application/protocol/openid-connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

client_id=[your_client_id]
&client_secret=[your_client_secret]
&grant_type=authorization_code
&code=[authorization_code]
&redirect_uri=[redirect_uri]
client_secret: Required. The client_secret is provided to you after successful registration as a partner.
grant_type: Required. Must be set to authorization_code.
code: Required. The authorization_code received in the redirect above.
redirect_uri: Required. This value must match one of the values provided during your partner registration.
If the request is correct, FIB SSO responds with the set of tokens. Please refer to the next step (Step 3).
If you decode the id_token, you will see its real structure:
{
  "exp": 1596529813,
  "iat": 1596529513,
  "auth_time": 1596529503,
  "jti": "465fb2cd-d04e-480e-a94e-974fc5c05a4e",
  "iss": "https://keycloak.stage.azure.lawrence-spring.com/auth/realms/fib-personal-application",
  "aud": "sso-client-mock",
  "sub": "6a0b445a-b42c-4739-a65c-d669332bc1a9",
  "typ": "ID",
  "azp": "sso-client-mock",
  "nonce": "Kqxg9IcNjjSjmKN1qmXB0t60rWPAtafnK8bvumzYpeY",
  "session_state": "e573d23c-7a2d-499f-a043-5a16468f06f6",
  "acr": "0",
  "phone_number": "+48666605805",
  "given_name": "Piotr",
  "family_name": "Jasiński"
}
The decoded ID token contains the following information about the user:
- unique identifier of the user: the sub field
- first name: the given_name field
- last name: the family_name field
- mobile number: the phone_number field
Before using these claims, verify the token's signature against the realm's public key and check that iss matches the FIB environment, aud/azp match your client_id, exp has not passed and, if you sent a nonce in the authorization request, that the nonce claim echoes it.
From the FIB perspective there is no difference between Login with FIB and Register with FIB. We provide both buttons (login and register) after registration as a partner. Please decide how you want to implement it:
- use one button for both login and registration (the registration is done behind the scenes), or
- use two different buttons: one for login, the second for registration.
Either way, to register a new user, use the information from the id_token. If you decode the id_token (as presented above), you will find the sub field. It is the unique identifier of the user. Please note that the id_token is returned only if you request the openid scope.
Use the identifier from the sub field to register the user in your database. If the user tries to register again, you can use that field to check whether they already exist in your database. Accordingly, for login functionality, you can verify whether the user exists in your database and, if not, either register them or return an error.
The unique identifier of the user (sub) never changes.
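The three steps above (authorization request, callback handling, code exchange) and the id_token checks, as an added example written for this page rather than code from FIB's SDK. It uses only the Python standard library and runs offline: the environment hostname, client credentials, redirect URI, state, nonce and the sample id_token payload are constructed for illustration, and the sample token carries a placeholder signature, so real signature verification against the realm's RSA public key is the one step it cannot demonstrate and must be added before the claims are trusted.

```python
import base64
import json
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Realm paths are taken from the requests documented on this page.
REALM_PATH = "/auth/realms/fib-personal-application/protocol/openid-connect"


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj) -> str:
    """Inverse of the above, used only to build the constructed sample token."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def build_authorization_url(env_url, client_id, redirect_uri, state, nonce):
    """Step 1: the URL the Login with FIB button sends the browser to.
    state ties the callback to the user's session (CSRF protection); nonce is
    echoed in the id_token so a replayed token can be detected."""
    params = {"response_type": "code", "client_id": client_id, "scope": "openid",
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    return f"{env_url}{REALM_PATH}/auth?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: handle the redirect to redirect_uri. Returns the authorization
    code; raises if state is wrong or the user declined consent (error=...)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in qs:
        raise PermissionError(f"authorization failed: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return code


def build_token_request(env_url, client_id, client_secret, code, redirect_uri):
    """Step 3: back-channel POST body exchanging the code for tokens. Send it
    from your server over TLS with the FIB client certificate, never from JS."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return f"{env_url}{REALM_PATH}/token", body


def build_refresh_request(env_url, client_id, client_secret, refresh_token):
    """Standard OAuth 2.0 refresh_token grant (RFC 6749 section 6) against the
    same token endpoint, for when the access_token has expired."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "refresh_token", "refresh_token": refresh_token})
    return f"{env_url}{REALM_PATH}/token", body


def decode_jwt_segments(token):
    """Split a JWS compact token into (header, claims) dicts WITHOUT verifying
    the signature; the caller must verify it with the realm's RS256 key."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def validate_id_token_claims(header, claims, issuer, client_id, nonce, now=None):
    """OpenID Connect Core checks a relying party performs before using
    sub/given_name/family_name/phone_number. Returns the stable user id (sub)."""
    now = time.time() if now is None else now
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]) or claims.get("azp") != client_id:
        raise ValueError("token was not issued to this client")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if now >= claims.get("exp", 0):
        raise ValueError("id_token expired")
    return claims["sub"]


# Constructed sample values (hypothetical host, client and user; not FIB data).
SAMPLE_ENV = "https://sso.example.test"
SAMPLE_ISSUER = SAMPLE_ENV + "/auth/realms/fib-personal-application"
SAMPLE_NONCE = "n-7f3c2a"
SAMPLE_CLAIMS = {"exp": 1596529813, "iat": 1596529513, "iss": SAMPLE_ISSUER,
                 "aud": "partner-client", "sub": "6a0b445a-b42c-4739-a65c-d669332bc1a9",
                 "typ": "ID", "azp": "partner-client", "nonce": SAMPLE_NONCE,
                 "phone_number": "+9647700000000", "given_name": "Ali", "family_name": "Hassan"}
# Placeholder signature: real tokens carry an RS256 signature over the first two segments.
SAMPLE_ID_TOKEN = ".".join([b64url_encode({"alg": "RS256", "typ": "JWT", "kid": "sample"}),
                            b64url_encode(SAMPLE_CLAIMS), "placeholder-signature"])

if __name__ == "__main__":
    print(build_authorization_url(SAMPLE_ENV, "partner-client", "https://partner.example.test/redirect", "s1", SAMPLE_NONCE))
    code = parse_callback("https://partner.example.test/redirect?code=abc.def.ghi&state=s1", "s1")
    print(build_token_request(SAMPLE_ENV, "partner-client", "secret", code, "https://partner.example.test/redirect"))
    hdr, claims = decode_jwt_segments(SAMPLE_ID_TOKEN)
    print("sub =", validate_id_token_claims(hdr, claims, SAMPLE_ISSUER, "partner-client", SAMPLE_NONCE, now=1596529600))
```

Store state and nonce server-side per login attempt and discard them once the callback has been consumed; the sub returned by validate_id_token_claims is the value to key your user table on, as described above.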
FIB provides three types of tokens:
- access_token
- refresh_token
- id_token
The access token is part of the OAuth 2.0 protocol flow. In FIB it is a JWS (signed JWT) object.
An example access_token looks like the following:
{ "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPdjBsNEJGOVRmVDlWNTEtVjZBeTRmYlVoQ0dMbTZXUVpxcXQ4S3lLOGhnIn0.….Ds_k_CTm9jNm2jc7khADyBWzaj0HvX8_ieefl6p_9lzFuRdKhC8SSLNxde_JHoHX9AG9VHylVHM0MtoRDTiv2J0uEd8LQOZ4EuPCb6SVm4oah3bjZtL8D5gdhiL0fP114MY5oTKFFW_Mv-681Vd6acyUVYqBKG_vrsSYkkX_NNmj-_Gq6WM5AKS4PdqHvrPdZcn5KAoq0Y7WvhOseM2hq11KE8NUBpkRQRdc3rIYRfeRjDulKSswOozg7-e9FmT9rBw2Cb65Hx3kYl-SDROaTWZjYfiHLaiVTU7luxPy4Et-fd6_axrutp139yoq1dR3kzF-q-y1-AX0HSziDUekig" }
The refresh token is part of the OAuth 2.0 protocol flow. It is also a JWS object (the same format as the access_token). Use it to obtain a new access_token when the current one has expired, following the OAuth 2.0 refresh_token grant. Store it only on your server: it is a long-lived credential.
An example refresh_token looks like the following:
{ "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPdjBsNEJGOVRmVDlWNTEtVjZBeTRmYlVoQ0dMbTZXUVpxcXQ4S3lLOGhnIn0.….Ds_k_CTm9jNm2jc7khADyBWzaj0HvX8_ieefl6p_9lzFuRdKhC8SSLNxde_JHoHX9AG9VHylVHM0MtoRDTiv2J0uEd8LQOZ4EuPCb6SVm4oah3bjZtL8D5gdhiL0fP114MY5oTKFFW_Mv-681Vd6acyUVYqBKG_vrsSYkkX_NNmj-_Gq6WM5AKS4PdqHvrPdZcn5KAoq0Y7WvhOseM2hq11KE8NUBpkRQRdc3rIYRfeRjDulKSswOozg7-e9FmT9rBw2Cb65Hx3kYl-SDROaTWZjYfiHLaiVTU7luxPy4Et-fd6_axrutp139yoq1dR3kzF-q-y1-AX0HSziDUekig" }
The ID token is part of OpenID Connect Core 1.0. It is a JWS object. Use it to get information about the user.
An example id_token looks like the following:
{ "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPdjBsNEJGOVRmVDlWNTEtVjZBeTRmYlVoQ0dMbTZXUVpxcXQ4S3lLOGhnIn0.….Ds_k_CTm9jNm2jc7khADyBWzaj0HvX8_ieefl6p_9lzFuRdKhC8SSLNxde_JHoHX9AG9VHylVHM0MtoRDTiv2J0uEd8LQOZ4EuPCb6SVm4oah3bjZtL8D5gdhiL0fP114MY5oTKFFW_Mv-681Vd6acyUVYqBKG_vrsSYkkX_NNmj-_Gq6WM5AKS4PdqHvrPdZcn5KAoq0Y7WvhOseM2hq11KE8NUBpkRQRdc3rIYRfeRjDulKSswOozg7-e9FmT9rBw2Cb65Hx3kYl-SDROaTWZjYfiHLaiVTU7luxPy4Et-fd6_axrutp139yoq1dR3kzF-q-y1-AX0HSziDUekig" }
To log out, use the following URL:
[env_url]/auth/realms/fib-personal-application/protocol/openid-connect/logout
The following guidelines should be kept in mind when designing the login button on the partner screens. Download the guidelines using the following link.