Authentication request
After reading the auth_req_payload and registering an account with the HAS, the PKSA will start to receive authentication requests for the registered account in messages of the form:
auth_req
{
  cmd: "auth_req",
  account: string,
  data: string,
  uuid: string,
  expire: number
}
account: the Hive account name that an application wants to authenticate
data: the Base64 representation of an encrypted auth_req_data object
uuid: the request identifier
expire: UNIX time when the request will expire
The structure of the auth_req_data is:
auth_req_data
{
  app: {
    name: string
    description: string = undefined
    icon: string = undefined
  },
  challenge : object = undefined
  token: string = undefined // DEPRECATED - protocol < 1 only
}
app: an object describing the application
  name: short name of the app (ex: "peakd")
  description: (optional) description of the app (ex: "Peakd for Hive")
  icon: (optional) URL to retrieve the application icon (ex: "https://peakd.com/logo.png")
challenge: (optional) a challenge_data object that the app can pass to the PKSA for signing (see Challenge request).
token: (optional) a valid session token previously received from the PKSA - Deprecated since protocol v1
The PKSA must decrypt the auth_req_data object using the encryption key previously shared with the PKSA (auth_key). Because the auth_req_data object is encrypted, the HAS is unaware of what is going on between the app and the PKSA and is unable to tamper with the authentication request process.
The PKSA should verify that the uuid found in the auth_req message matches the one from the auth_req_payload and ignore any message with a mismatching uuid.
A PKSA which doesn't manage an account:
will not be able to register that account to the HAS and therefore will not receive the related auth_req requests
should ignore and not reply to an auth_req request it can't process with an 'auth_err' (edge case where it registered the account but removed it from its managed accounts before getting the auth_req message)
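The checks above, in the order a PKSA could apply them, as an added example that is not code from the HAS project. Assumptions: the page does not name the cipher or wire layout, so AES-256-GCM from Node's crypto module stands in; the `pending` map, its entry shape and all function names are hypothetical; `now` must be in the same unit as `expire`.

```javascript
// Added example: PKSA-side handling of an incoming auth_req message.
// Assumption: AES-256-GCM stands in for the protocol's cipher, with
// data = base64(iv[12] || tag[16] || ciphertext). Not the HAS wire format.
const nodeCrypto = require('node:crypto');

function decryptAuthReqData(dataB64, authKey) {
  const raw = Buffer.from(dataB64, 'base64');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', authKey, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  const plain = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// pending (hypothetical): Map of uuid -> { account, authKey }, filled from each
// auth_req_payload the PKSA has read. now: current UNIX time, same unit as expire.
// Returns { account, uuid, req } to present to the user, or null to ignore silently.
function handleAuthReq(msg, pending, now) {
  if (!msg || msg.cmd !== 'auth_req') return null;
  const entry = typeof msg.uuid === 'string' ? pending.get(msg.uuid) : undefined;
  if (!entry || entry.account !== msg.account) return null; // uuid/account mismatch
  if (typeof msg.expire !== 'number' || msg.expire <= now) return null; // expired
  let req;
  try {
    req = decryptAuthReqData(msg.data, entry.authKey);
  } catch {
    return null; // wrong key, modified ciphertext, or invalid JSON
  }
  const app = req && req.app;
  if (!app || typeof app.name !== 'string' || app.name === '') return null;
  for (const k of ['description', 'icon']) {
    if (app[k] !== undefined && typeof app[k] !== 'string') return null;
  }
  return { account: msg.account, uuid: msg.uuid, req };
}

// Constructed sample: plays the app side to build one message for the handler.
function sampleEncrypt(obj, authKey) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', authKey, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(obj), 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}
const sampleKey = nodeCrypto.randomBytes(32);
const samplePending = new Map([['uuid-1', { account: 'alice', authKey: sampleKey }]]);
const sampleMsg = { cmd: 'auth_req', account: 'alice', uuid: 'uuid-1', expire: 2000,
  data: sampleEncrypt({ app: { name: 'peakd' } }, sampleKey) };
```

Every rejection path returns null without sending anything back, so a message the PKSA cannot process produces no reply.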