# Login Flows
source: https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/login-flows/index.md

Aiia Enterprise handles Supervised Logins through the Third Party Provider (TPP) authentication process, which guides the user through selecting and logging into an Account Servicing Payment Service Provider (ASPSP).
To connect to ASPSPs through the API, a Payment Service User (PSU) needs to be authenticated. During initial TPP authentication, the PSU performs a [Supervised login](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/supervised/index.md): the PSU requests the client to connect to the ASPSP and enters their credentials. After the initial authentication, the TPP can access the service
using an [Unattended login](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/unattended/index.md), where the user's stored credentials are used for automatic authentication without the user's intervention. Not all ASPSPs, however, support unattended logins.

Two types of login flows are supported:

* [Supervised logins](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/supervised/index.md) happen with the user present and require them to provide their credentials to authenticate.
* [Unattended logins](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/unattended/index.md) are performed using a `loginToken` which contains the user's stored credentials. This does not require the user to be involved.

When a user connects to a provider for the first time, a [Supervised login](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/supervised/index.md) is needed; see [API Authentication](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/api-basics/api-authentication/index.md) for how to connect. Whenever a login is performed, it generates an `accessToken` and a `loginToken`. The `loginToken` can be used for subsequent unattended logins.

Unattended logins are supported for a `loginToken` if the flag `supportsUnattended` is `true`. Unattended logins can fail if there are problems with the user's credentials or if the user needs to re-authenticate towards the provider. In either case the `loginToken` must still be kept, and sent along when re-authenticating the user using a [Supervised login](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/supervised/index.md).

Note: The `loginToken` is always created, even if the provider does not support unattended logins. Be sure to check `supportsUnattended` to see if the token supports unattended logins.

This is an example response when calling `/v1/authentication/tokens` or `/v1/authentication/unattended` with a valid code:

```json
{
    "success": true,
    "session": {
        "expires": "2019-01-23T13:30:07.1389724+00:00",
        "accessToken": "mgAAAAVDaXBoZXJ0ZXh0AGAAAAAA69Csw1VJ3snS4yDpfbxkSi24XPA88dmRGTtuzAcPVHrUHz0EnV97mDfCtL9vJauLg8GUs5hLaQO3unwDzm2YZx7Q6yNfXlh8/6hx2EIGE21O3abi11+nRgu19x+5HXwABUl2ABAAAAAAdR+4hq3HXxUdwszLM8VP2RBLZXlJZAAAAAAAAA=="
    },
    "login": {
        "providerId": "DemoBank",
        "expires": "2019-07-25T13:20:07.141971Z",
        "loginToken": "-ELT2-...",
        "supportsUnattended": true,
        "label": "DemoBank 1/23/2019 1:12:33 PM",
        "subjectId": "dc757223d2afb208283aee8bdc58976233fdc6cd259874a231875d8e9c7ae03a"
    },
    "providerId": "DemoBank"
}
```

#### Access Token {#access-token}

The `accessToken` is used to access the user's data through session endpoints, for example when fetching the user's accounts and transactions.

The `accessToken` is a part of the `session` JSON object which is returned when calling the token endpoint. This object has the following properties:

|   **Name**    |  **Type**  |                 **Description**                  |
|---------------|------------|--------------------------------------------------|
| `expires`     | `datetime` | Expiry date of the user's login session          |
| `accessToken` | `string`   | Token for accessing the user's session endpoints |

#### Login Token {#login-token}

A `loginToken` contains information about the user's credentials that is necessary for subsequent logins. The `loginToken` is an encrypted string that can only be read by Aiia Enterprise.

A `loginToken` can be used for [unattended login](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/unattended/index.md) if `supportsUnattended` is `true`. Even if an unattended login is not possible for a provider, the `loginToken` can contain some of the credentials and additional identifiers (e.g. device ID), which makes subsequent *supervised logins* simpler than the initial *supervised login*.

The `loginToken` is part of the `login` JSON object which is returned when calling the token endpoint. This object has the following properties:

|       **Name**       |       **Type**       |                                               **Description**                                               |
|----------------------|----------------------|-------------------------------------------------------------------------------------------------------------|
| `providerId`         | `string`             | Provider ID                                                                                                 |
| `expires`            | `datetime`           | Technical expiry date of the token                                                                          |
| `loginToken`         | `string`             | Encrypted token holding the credentials needed for subsequent logins (only readable by Aiia Enterprise)     |
| `supportsUnattended` | `boolean`            | Whether this login token can be used for unattended login                                                   |
| `label`              | `string`             | Human-readable label that can be shown to the end-user                                                      |
| `subjectId`          | `string`             | An id generated by Aiia Enterprise to identify for which end-user and/or agreements a `loginToken` is valid |
| `aisScaExpires`      | `datetime`, nullable | Expected time of re-authentication, if known                                                                |

In many cases, the `loginToken` subsequently allows logins without requiring the user to enter their credentials again. These are called unattended logins; they are useful, for example, when you want to update the user's data automatically in the background and fetch new data on a daily basis.

Not all providers support unattended logins, but a `loginToken` is always issued, as it contains information required for subsequent logins.

Warning: Login tokens can only be used once. Upon each new login, a new `loginToken` is issued, so remember to store the most recent `loginToken` for every user.

Warning: If a `loginToken` expires, it cannot be used again and must be discarded. The expiry is a technical constraint to ensure that encryption keys can be changed at regular intervals.

Note: Login tokens have variable size, but are always less than 100KB, so they must be stored in variable-length text fields. In practice, a token is often less than 10KB.

#### Technical Expiry and SCA Expiry {#technical-expiry-and-sca-expiry}

It is important to understand the difference between the two different expiry fields for Login Tokens:

* **Technical expiry** (`login.expires`): Time of the last login towards Aiia Enterprise (unattended or supervised) + 6 months. This field is always set and always updated on successful logins. This value should not be shown to the end user. By ensuring logins are always performed within 6 months, you will never hit this expiry.
* **Expected time when re-authentication is needed** (`aisScaExpires`): Optional field. If set, this is typically the time of last SCA towards the bank for allowing access to Account Information + 90 days. This is only set if the provider in question requires a re-authentication at a known future time. This value can be shown to the user to indicate when the user will need to take action.

Generally, re-authentication is something that might happen at any time, and it is not known up front when it will happen. Unattended logins handle this by requiring a supervised login whenever re-authentication is needed.
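The token-handling rules above (single-use `loginToken`, check `supportsUnattended`, technical expiry versus `aisScaExpires`) and the response shape shown earlier, as an added example that is not part of Aiia Enterprise's own code. The sample response, the `aisScaExpires` value and the store layout are constructed for illustration; token values are placeholders.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the shape of the page's token response; token values are placeholders.
SAMPLE_RESPONSE = {
    "success": True,
    "session": {"expires": "2019-01-23T13:30:07.1389724+00:00", "accessToken": "<access-token>"},
    "login": {
        "providerId": "DemoBank",
        "expires": "2019-07-25T13:20:07.141971Z",
        "loginToken": "<login-token>",
        "supportsUnattended": True,
        "subjectId": "<subject-id>",
        "aisScaExpires": "2019-04-23T13:20:07Z",  # assumed value; the page's sample omits this field
    },
}

@dataclass
class StoredLogin:
    login_token: str                # always the most recent one: each token is single-use
    supports_unattended: bool
    technical_expiry: datetime      # login.expires
    sca_expiry: Optional[datetime]  # login.aisScaExpires, may be absent

def parse_ts(value: str) -> datetime:
    # Normalise the API's timestamps: a 'Z' suffix and 7 fractional digits are rejected by older fromisoformat.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    base, frac, tz = re.match(r"^(.*?)(\.\d+)?([+-]\d{2}:\d{2})$", value).groups()
    return datetime.fromisoformat(f"{base}{(frac or '')[:7]}{tz}")

def update_store(store: dict, user_id: str, response: dict) -> StoredLogin:
    # Persist the login object from a successful token response, replacing the previous token.
    if not response.get("success"):
        raise ValueError("token call failed; keep the previously stored loginToken")
    login = response["login"]
    sca = login.get("aisScaExpires")
    entry = StoredLogin(login["loginToken"], bool(login["supportsUnattended"]),
                        parse_ts(login["expires"]), parse_ts(sca) if sca else None)
    store[user_id] = entry  # overwrite: the previous loginToken is now invalid
    return entry

def next_login_action(entry: StoredLogin, now: datetime) -> str:
    # Choose the next flow from the two expiry fields and supportsUnattended.
    if now >= entry.technical_expiry:
        return "discard-and-supervised"  # technical expiry: token is dead, do not resend it
    if entry.sca_expiry is not None and now >= entry.sca_expiry:
        return "supervised"              # re-auth expected: supervised login, send the loginToken along
    return "unattended" if entry.supports_unattended else "supervised"
```

An unattended attempt can still fail before `aisScaExpires` (unknown re-authentication, credential problems); treat that failure as a "supervised" outcome while keeping the stored token.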
