The PKSA creates a new session token with an expire value, or reuses an existing one, and stores the token, expire and key values locally.

The PKSA then builds an auth_ack_data object that it will send to the APP. The structure of auth_ack_data is:

- token: session token (we recommend using a UUID)
- expire: UNIX timestamp when the token will expire
- challenge: optional. If the APP provided a challenge_data object with its auth_req_data, the PKSA must return a challenge_ack_data object (see Challenge approval).

The PKSA encrypts the auth_ack_data object using the encryption key previously shared with the APP (auth_key) and sends back an auth_ack message containing:

- uuid: the request identifier
- data: auth_ack_data encrypted with the auth_key and converted to Base64

The encryption of auth_ack_data ensures that a malicious actor operating a HAS cannot bypass the PKSA to approve an authentication request. It also keeps the HAS unaware of what is going on between the APP and the PKSA, and unable to tamper with the authentication request process. Since only the holder of the encryption key can decrypt auth_ack.challenge, the APP can be certain that the encryption was performed by a PKSA that obtained the key by reading the off-band auth_req_payload. This guarantee holds only as long as the auth_key is shared exclusively off-band and never leaks to the HAS.