Authentication approval
If the user approves the authentication request with its PKSA, the latest will send an auth_ack message to the HAS with an access token and its expiration.
When the HAS will receive the user approval from its PKSA, it will forward it to the APP which will receive the following message
auth_ack
uuid: the request identifierdata:auth_ack_dataencrypted with theauth_keyand converted to Base64
The APP must validate the received uuid against the request ID (uuid) that it received from the HAS in the auth_wait message and ignore the auth_ack message if they don't match.
The APP must decrypt the auth_ack_data object using the encryption key previously shared with the PKSA (auth_key). If the APP cannot decrypt and parse auth_ack_data, the APP must ignore the auth_ack message.
This
auth_ack_dataencryption/decryption process has been put in place to ensure that a malicious actor operating a HAS cannot bypass the PKSA to approve an authentication request.As the encryption key has been provided off-line to the PKSA, it is unknown to the HAS, which therefore cannot decrypt, tamper then (re-)encrypt any data exchanged between the APP and the PKSA.
The structure of the auth_ack_data is:
auth_ack_data
expire: UNIX timestamp when the authentication will expirechallenge_data: optional - if the APP provided achallengeobject with theauth_reqsent to the PKSA, it contains achallenge_ack_dataobject (see Challenge approval).token: session token - Deprecated since protocol v1.0
The application should store the auth_key it used to authenticate. This auth_key can be used with each subsequent request. This saves the user from having to re-authenticate with that same PKSA until auth_key has expired.
It is up to the APP to reuse the auth_key for as long as it is valid or to shorten its life by reinitiating a new authentication process.
When the auth_key expires, any related transaction requests will be rejected.
Last updated