This page describes the interaction between customer’s web application(s) server(s) and {{label:productName}}.
The whole traffic between application server and {{label:productName}} server occurs under HTTPS.
Available interactions are:
{{label:productName}} input supports:
The server is contacted by web application through the URI https://base/server:action/lpublic=public-token, e.g.: https://fastauthentication.com/server:book/lpublic=555-b79c58bf116303b3
Available actions are book (to book an authentication session), verify (to verify an authentication status).
The possible input formats are json and HTTP POST (UTF-8 encoded POST data).
Regardless of the format, the content must be a set of keys/values, e.g.:
json: { "key1":"value 1", "key2":"value 2", …}
In order to book an authentication session application server must contach {{label:productName}} server.
The URL to POST is: https://base/server:book/lpublic=public-token
Parameters that can be used, with both HTTP POST or JSON POST, are:
E.g.: post to https://base/server:book/lpublic=967-badae3567f630b60 a JSON like this:
{ "lprivate" : "dcdd5e57e888ac904dc009d18c1ea89c59889c3e68bfb3f7", "lcallback" : "http://mycompany.com/myapp/auth.php?type=success", "lcallbackfail" : "http://mycompany.com/myapp/auth.php?type=failure" }
Or the equivalent HTTP POST:
lprivate=dcdd5e57e888ac904dc009d18c1ea89c59889c3e68bfb3f7&lcallback=http%3A%2F%2Fmycompany.com%2Fmyapp%2Fauth.php%3Ftype%3Dsuccess&lcallbackfail=http%3A%2F%2Fmycompany.com%2Fmyapp%2Fauth.php%3Ftype%3Dfailure
If the booking process is succesful (server public/private keys match), the response will be a JSON like this:
{ "client" : { "auth" : "authentication-URI", "reauth" : "authentication-URI" }, "server" : { "verify" : "verification-URI", "append" : "parameter-name" } }
The meaning is:
Once the authentication session has been booked redirect user’s browser to the appropriate response.client.auth
or response.client.reauth URL, e.g.: https://base/auth:index/ltoken=token
Once tha authentication process is complete, user’s browser will be sent to customer’s “lcallback” URI.
It will be a GET request, added with the “lauthsession” parameter.
“lcallback” parameter can be declared at “book” level, if not it will default to “lcallback” parameter defined at customer level.
The “lcallback” parameter is a string representing a complete URI.
Starts with protocol (hopefully “https”), can use GET parameters as well as an “#” part.
At user redirection a parameter is added for “lauthsession” code.
There is the option to use the literal text “{{token}}” within “lcallback” string to identify auth-session-token.
In this case response.server.append is valued “{{CustomURI}}” and no longer used, while the
“lauthsession” value replaces “{{token}}” text in callback URI without any other consideration.
This syntax allow the parameter to be part of URI, GET parameters as well as of “#” hashmap, e.g.:
The value of the token will be the “lauthsession” value necessary to verify the actual authentication.
Once authentication process is over, if succesfull user’s browser will be redirected to customer’s application server at the “lcallback” URI.
The “lauthsession” parameter will be added (GET) to such URL, this parameter is named in response.server.append described above (in «book»).
Append such parameter value to response.server.verify URL returned by «book» process and issue a POST request to verify the actual authentication.
The resulting URL to POST will be something like: https://base/server:verify/lpublic=public-token/lauthsession=auth-session-token
It’s mandatory to add the “lprivate” parameter valued with your server’s private key.
You can use json or HTTP POST (UTF-8 encoded POST data) to add it.
Optionally HTTP POST data or JSON POST data could also contain the “lauthsession” pair key/value, in this case it’s not necessary to report it in URL. E.g.:
URL: https://base/server:verify/lpublic=public-token HTTP POST data: lprivate=lprivate server key&lauthsession=lauthsession token or JSON POST data: {"lprivate":"lprivate server key","lauthsession":"lauthsession token"}
The response will be a JSON like one of these:
{ "status":"success", "authenticated": { "ldisplay":"identity string", "lidentity":"identity details", "ltype":"id-type, e.g: email" } "verifiedby": { "ldisplay":"identity string", "lidentity":"identity details", "ltype":"id-type, e.g: email" } }
{ "status":"failure", "error":"description" }
The «error» key is included always and only in case of authentication failure.
The «authenticated» and «verifiedby» keys are included always and only in case of authentication success.
Both «authenticated» and «verifiedby» are valued with:
In both cases more informations could be included.
In case of error additional fields could be used for debugging, while in case of successful authentication you could have:
{ "status":"success", "authenticated": {"lidentity":"identity","ltype":"id-type, e.g: email"}, "name":"Person name, e.g.: John Doe", "alt":[ {"lidentity":"identity","ltype":"id-type, e.g: email"}, {"lidentity":"identity","ltype":"id-type, e.g: email"} ], "xFastAuthentication":{ "authID":"UUID", "personID":"UUID" } }
Optional additional properties are:
All the additional/alternative identities provided with “alt” have been verified.
In case your web application cannot accept the authenticated identity it’s up to you to decide whether you want to crawl
alternative identities to see if you can match an acceptable one.
Once a user is authenticated customer’s web application server can “push” on the authenticated person profile a custom ID.
This can be done by POSTing to URI https://base/server:pushid/lpublic=public-token/ a JSON like this:
{ "lprivate":"server private key", "lauthsession":"auth-session-token", "jidentity":{ "lidentity":"your custom ID", "ltype":"Your custom type" } }
In order to associate an authenticated user to a custom identity, you could:
In case the verification doesn’t report a suitable ID you can desume from “authenticated” or “alt”, you can:
The response of second verification will include in “alt” array the custom identity, without a new authentication for the user.
When an authentication is in place only one digital identity per customer can be associated per each user.
This could be an issue only in case a user interacts using the same browser with multiple web applications of the same customer, and wants to use different identities at the same time.
If you want to be able to verify different digital identites per user and to keep them active for verification at the same time (e.g.: without forcing the user to re-authenticate), then you should register two different servers: two customers, each one with own lpublic/lprivate keys.
This is intentional: once a user is authenticated he/she’ll be able to keep the same digital identity with the same customer (and the same browser) regardless of the actual web application, making the single-sign-on process more effective.