Public specifications, samples and documentation on Appson's identity services.
Note:
- Current live version is v0.11.2
Quick Links:
- API documentation
- Web SDK
- Dotnet SDK
- Android SDK is being deployed on JCenter (check back soon)
- iOS SDK is being deployed on Cocoapods (check back soon)
If you'd like to use this product in your applications, contact bahar [a t s i g n ] fanap [d o t ] plus to get help on how to request an ApplicationID and use it in your applications.
- What is AppsOn Identity?
- How can I use AppsOn Identity in my application?
- What is Application Id?
- How should I use the Application Id?
- How can I authenticate a user using phone number?
- How would I know that the JWT token is sent by you?
- How can I verify the JWT token with public key?
- What is inside the token?
- How can I see inside the token?
AppsOn Identity is an integrated authentication solution consisting of a series of APIs and SDKs to help application developers provide safe and secure authentication to their end users.
You can use AppsOn Identity in two ways.
You can use AppsOn Identity by directly calling the API methods; refer to the API documentation for more info.
Currently the Web SDK and Android SDK are implemented. You can easily use AppsOn Identity in your web and Android applications using these SDKs. For more info, open the current version's folder in this GitHub repository and locate the SDK's folder.
Application Id (or App Id) is a string that we issue upon your request to uniquely identify you when calling API methods.
You must send us your Application Id with every API method call. First of all, request an Application Id by sending an email to us if you don't have an App Id yet.
If you call the API methods directly, without using the Web SDK or Android SDK, then you have to send us the Application Id in your HTTP request's header. The header name is Appson-Identity-App-Id.
If you are using the Web SDK, the only thing you have to do is to append your App ID to the end of the JS file location:
<script src="https://accounts.appson.ir/libs/js/authentication/v/1?appId=MY_APP_ID"></script>
Replace MY_APP_ID with your App ID.
To use the Android SDK, define the App ID in your manifest file with the name Appson-Identity-App-Id.
You can authenticate a user using his/her cellphone number (or any phone number that can receive carrier SMS messages) in two ways.
Go to the Web SDK/bin folder and import the JS file in your web page. After calling the login() method and registering your callback function with the JS file (see the example in the sample folder), you'll receive a JWT token upon successful authentication.
First, you need to call the /authentication/phonenumber/start method (refer to Start Authentication Using Phone Number in the API Specifications) and pass the user's phone number. Then prompt the user for the verification code that is sent to his/her phone number.
After the user has entered the verification code, pass it to the /authentication/phonenumber/commit method along with the user's phone number and/or the verification ID (refer to the documentation for more info about the verification ID). If the user has entered the verification code correctly, you'll get a JWT token.
We have sent you a public key with your Application Id. We use the matching private key to sign the JWT token for you. That private key is stored in a safe and secure place. Hence, if you can verify the JWT token's signature with your public key, you can be sure that the token was issued by us.
The public key that you receive from us is in XML format:
<RSAKeyValue>
  <Modulus>zwmorLy...Mz4Q==</Modulus>
  <Exponent>A..B</Exponent>
</RSAKeyValue>
Keep in mind that on some platforms you have to convert this to PEM format before validating the token. Refer to the utilities listed at https://jwt.io for your platform.
Here is a sample C# snippet to verify the token with the public key (it relies on the System.IdentityModel.Tokens.Jwt package):
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

try {
    // Replace with your public key in XML format (received from AppsOn Identity)
    var publicKey = "XML_PUBLIC_KEY";
    // Replace with the user's token
    var token = "USER_TOKEN";
    var key = new RSACryptoServiceProvider();
    key.FromXmlString(publicKey);
    // Replace YOUR_APP_ID with your application ID. Signature, issuer and
    // audience are checked here; the lifetime (exp/nbf) is validated by default.
    var validationParameters = new TokenValidationParameters {
        IssuerSigningKey = new RsaSecurityKey(key),
        ValidAudience = "YOUR_APP_ID",
        ValidIssuer = "http://s1identity"
    };
    var tokenHandler = new JwtSecurityTokenHandler();
    if (tokenHandler.CanReadToken(token)) {
        SecurityToken validatedToken;
        // Throws an exception if the token is not valid
        var result = tokenHandler.ValidateToken(token, validationParameters, out validatedToken);
        // The token is valid here; result is a ClaimsPrincipal whose Claims hold sub, strength, factors, ...
    } else {
        // Could not read the token (not a well-formed JWT)
    }
} catch (Exception e) {
    // Token invalid: bad signature, wrong issuer/audience, expired or not yet valid
}
If you want to know about the internals of a JWT token, refer to https://jwt.io . By the way, we store the following information inside the JWT token:
- sub: the user's account ID in our system.
- strength: the strength of the authentication method. Currently there are three authentication types: weak (for authentication with a phone number), trivial (for authentication using SIM information) and fair (for email/password authentication).
- factors: the factors that we used to authenticate the user (e.g. sms).
- iss: our server's address.
- aud: your Application Id.
- exp: expiration date of the token.
- nbf: the token is not valid before this date.
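As an added example, not code from this repository or from Appson's SDKs, the same verification done in plain Python with only the standard library: it parses the RSAKeyValue XML shown above, pins the algorithm to RS256, checks the RSA PKCS#1 v1.5 signature itself, and then enforces iss, aud, exp and nbf from the claim list above. The issuer "http://s1identity" is taken from the C# snippet; sign_demo_token is a test-only stand-in for Appson's signing server, and any key or claims handed to it are constructed.

```python
import base64, hashlib, json, time
import xml.etree.ElementTree as ET

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo (RFC 8017)

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_rsa_key_value(xml_text):
    """Read the <RSAKeyValue> document Appson sends into the integers (n, e)."""
    root = ET.fromstring(xml_text)
    n = int.from_bytes(base64.b64decode(root.findtext("Modulus")), "big")
    e = int.from_bytes(base64.b64decode(root.findtext("Exponent")), "big")
    return n, e

def emsa_pkcs1_v15(message, k):
    """Encode SHA-256(message) into a k-byte block exactly as an RS256 signer does."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_token(token, xml_public_key, app_id, issuer, now=None):
    """Return the claims only if alg, signature, iss, aud, exp and nbf all check out, else None."""
    n, e = parse_rsa_key_value(xml_public_key)
    k = (n.bit_length() + 7) // 8
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return None
    # Pin the algorithm; never let the token's own header choose it ("none", HS256 with the public key, ...)
    if header.get("alg") != "RS256" or len(sig) != k:
        return None
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em != emsa_pkcs1_v15(f"{h}.{p}".encode(), k):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != app_id:
        return None
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):  # a token without exp is rejected too
        return None
    return claims

def sign_demo_token(claims, n, d):
    """Test-only stand-in for Appson's signer; d is a throwaway private exponent, never the real key."""
    k = (n.bit_length() + 7) // 8
    h, p = b64url_encode(json.dumps({"alg": "RS256"}).encode()), b64url_encode(json.dumps(claims).encode())
    em = int.from_bytes(emsa_pkcs1_v15(f"{h}.{p}".encode(), k), "big")
    return f"{h}.{p}." + b64url_encode(pow(em, d, n).to_bytes(k, "big"))
```

A valid token yields its claims, so you can then act on strength and factors; anything tampered, expired, re-targeted at another App Id or carrying a different alg yields None.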
Ehm... This is a long story. But fortunately someone has already told the story here: https://jwt.io/#libraries-io