Widget Security

Moneyhub widgets utilise OpenID Connect Dynamic Client Registration to create a separate client for each instance of a widget. That client can only perform actions within its restricted set of scopes and can only access data that is directly associated with it. Following an authentication flow, the client is only able to redirect back to an address at the domain that was specified when the widget was created.

When a widget is initialised it generates a new JSON Web Key (JWK), which is stored locally in the browser. This JWK is associated with the client and is used to sign each request; it is the client's only credential. Because no user credentials are requested at registration, once the browser session ends and the JWK is deleted, the client can no longer be used to make any requests, even though the client registration itself still exists.

For widgets such as affordability, where users can link accounts, access to that linked-account data is provided through a separate client that has been set up specifically for this purpose.