¶ Push Authentication
Push Authentication enables users to use XignIn as a 2nd factor
Xign.Me supports two different types of Push Authentication:
- self implemented version (see below), which needs a Push Authorization token defined by an admin of the
Xign.Me. This token is required as authentication against the push endpoint. - The OpenId CIBA version which is documented here: OpenId CIBA.
Xign.Mesupports the POLL and PING type.
¶ Basic Flow
¶ Protocol Steps
¶ 1. Request Authentication
Authentication for a sepcific user can be requested via registered e-mail address or via subject identifier
POST /api/push/authenticate
Authentication: Bearer fsdf.fdsfds.fsdf (JWT)
{
type: EMAIL | SUB,
identifier: test@xignsys.com | jfkdhsjfksdhjk=
clientId: <Client Id to Auth>
}
- Authentication the preshared authentication JWT for the push enpoint. This JWT will be generated via an
Xign.Meadmin. - ClientId the client to authenticate against.
- identifier email address of the user to authenticate.
- type EMAIL or SUB, will be used from the
Xign.Meserver to identify the user
The server will return all session information needed to retrieve the authentication result
{
loginSessionId: abcdefghijklmno
token: pqrstuvwxyz
}
- loginSessionId the identifier for the current session
- token valid for the session
¶ 2. Receive Authentication Result
The authentication result can be retrieved by sending the following request to the status endpoint:
POST /api/push/authenticate/status
Authentication: Bearer fsdf.fdsfds.fsdf (JWT)
{
"loginSessionId": <loginSessionId>,
"token": <token>
}
The endpoint conveys information about the authentication session via HTTP response codes:
- 200 the authentication was successful
- 201 authentication is still in progress (pending)
- 401 the client credentials are invalid
- 403 the client credentials are not associated with the correct permissions
- 404 the authentication session represented by loginSessionId and token are not valid
- 410 authentication was aborted by the user