Push Notification Signature Authentication using MAS and OAS SDK

In earlier posts we covered secure channel transaction signing and push notification authentication with MAS. In this post we will combine the two to achieve secure channel transaction signing via push notifications.

Pre-requisites

Prior to starting, it is assumed you have successfully gone through both of the previous posts. A large part of the configuration is exactly the same, so this post only builds upon it.

Configuring MAS for Push Transactions

In the push notification authentication with MAS post we introduced the Notifications section. Here we will add a new SecureChannelAction to the NotificationsList body. The gatewayAPIKey attribute will remain the same for the Functional tag.

<!-- Secure channel Action with push and sign -->
<SecureChannelAction id="05">
	<SecureChannelDetails>
		<URL method="POST" contentType="json" value="https://{{server_url}}:{{port}}/rest/v2/signature/push/getPreparedSignatureRequest">
			<PayloadParameter key="serialNumber" value="%_SerialNumber_%-%_SequenceNumber_%"/>
			<PayloadParameter key="requestKey" value="%_Challenge_%"/>
		</URL>
	</SecureChannelDetails>

	<SecureChannelValidation>
		<URL method="POST" contentType="json" value="https://{{server_url}}:{{port}}/rest/v2/signature/push/authSignature">
			<PayloadParameter key="userID" value="%_UserIdentifier_%"/>
			<PayloadParameter key="domain" value="%_Domain_%"/>
			<PayloadParameter key="requestKey" value="%_Challenge_%"/>
			<PayloadParameter key="signature" value="%_OTP_%"/>
		</URL>
	</SecureChannelValidation>
	<SecureChannelRejection>
		<URL method="POST" contentType="json" value="https://{{server_url}}:{{port}}/rest/v2/signature/push/cancelAuthSignatureRequest">
			<PayloadParameter key="serialNumber" value="%_SerialNumber_%-%_SequenceNumber_%"/>
			<PayloadParameter key="requestKey" value="%_Challenge_%"/>
		</URL>
	</SecureChannelRejection>

	<View title="Transaction Request">
		<Labels>
			<Label id="ConfirmationMessage" value="\nDo you want to accept this transaction as %_UserIdentifier_%?" class="infoLabel"/>
			<Label id="DetailsWaitMessage" value="Fetching transaction request" />
			<Label id="RejectionWaitMessage" value="Rejecting transaction..." />
			<Label id="ValidationWaitMessage" value="Accepting transaction..." />
		</Labels>
		<Dynamics>
			<Dynamic id="Title" class="titleItem"/>
			<Dynamic id="Keys" class="keyItem"/>
			<Dynamic id="Values" class="valueItem"/>
			<Dynamic id="FreeText" class="freeTextItem"/>
		</Dynamics>
		<Buttons>
			<Button id="Accept" value="Ok!"/>
			<Button id="Deny" value="No!"/>
		</Buttons>
	</View>
</SecureChannelAction>
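
A pre-deployment check for the action above, added here as an example (it is not part of the original post or of the MAS/OAS tooling): it flags any of the three calls that is not an HTTPS POST or that drops the requestKey and signature bindings shown in the configuration. The host name and the two defects in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: same element layout as the action above, made-up host,
# one plain-http endpoint and a rejection call that omits requestKey.
SAMPLE = """<SecureChannelAction id="05">
  <SecureChannelDetails>
    <URL method="POST" contentType="json" value="https://oas.example.test:8443/rest/v2/signature/push/getPreparedSignatureRequest">
      <PayloadParameter key="requestKey" value="%_Challenge_%"/>
    </URL>
  </SecureChannelDetails>
  <SecureChannelValidation>
    <URL method="POST" contentType="json" value="http://oas.example.test:8080/rest/v2/signature/push/authSignature">
      <PayloadParameter key="requestKey" value="%_Challenge_%"/>
      <PayloadParameter key="signature" value="%_OTP_%"/>
    </URL>
  </SecureChannelValidation>
  <SecureChannelRejection>
    <URL method="POST" contentType="json" value="https://oas.example.test:8443/rest/v2/signature/push/cancelAuthSignatureRequest">
      <PayloadParameter key="serialNumber" value="%_SerialNumber_%-%_SequenceNumber_%"/>
    </URL>
  </SecureChannelRejection>
</SecureChannelAction>"""

# Placeholder bindings each call carries in the configuration shown on this page.
EXPECTED = {
    "SecureChannelDetails": {"requestKey": "%_Challenge_%"},
    "SecureChannelValidation": {"requestKey": "%_Challenge_%", "signature": "%_OTP_%"},
    "SecureChannelRejection": {"requestKey": "%_Challenge_%"},
}

def lint_action(xml_text):
    """Return a list of findings for one SecureChannelAction element."""
    action = ET.fromstring(xml_text)
    findings = []
    for section, bindings in EXPECTED.items():
        url = action.find(f"{section}/URL")
        if url is None:
            findings.append(f"{section}: missing URL")
            continue
        if urlsplit(url.get("value", "")).scheme != "https":
            findings.append(f"{section}: endpoint is not https")
        if url.get("method") != "POST":
            findings.append(f"{section}: method is not POST")
        params = {p.get("key"): p.get("value") for p in url.findall("PayloadParameter")}
        for key, value in bindings.items():
            if params.get(key) != value:
                findings.append(f"{section}: {key} is not bound to {value}")
    return findings
```

Calling `lint_action(SAMPLE)` returns one finding for the plain-http validation endpoint and one for the rejection call without requestKey.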

OAS SDK

As usual we will start off by creating a configuration bean, specifying our server location, client component name and creating a signature bean.

ConfigurationBean configurationBean = new ConfigurationBean();
configurationBean.setPrimarySoapURL("https://10.10.200.75:8888");
configurationBean.setSignatureSecureChannelComponent("SC-Sig");

SignatureBean signatureBean = new SignatureBean(configurationBean);

In the SignatureBean we find the following method which will send a push notification to our activated device:

public AuthSignatureRequestResponse authSignatureRequest(UserInput user, String serialNumber, PushSignatureRequest push)

The first parameter contains the user details:

UserInput userInput = new UserInput();
userInput.setUserID("user");
userInput.setDomain("master");

The second parameter, serialNumber, lets us target a specific device for the push notification. If we pass null instead, all devices will receive the push notification.

The last parameter contains the transaction details:

SignatureFields signatureFields = new SignatureFields();
signatureFields.setTitle("Test transaction");

DataField nameDataField = new DataField();
nameDataField.setKey("Name");
nameDataField.setValue("Bob");

DataField ibanDataField = new DataField();
ibanDataField.setKey("Iban");
ibanDataField.setValue("AT12345678910");

DataField amountDataField = new DataField();
amountDataField.setKey("Amount");
amountDataField.setValue("50.00");

signatureFields.getDataField().add(nameDataField);
signatureFields.getDataField().add(ibanDataField);
signatureFields.getDataField().add(amountDataField);

PushSignatureRequest pushSignatureRequest = new PushSignatureRequest();
pushSignatureRequest.setSignatureFields(signatureFields);

Upon calling the server, if we do not immediately receive a response for:

AuthSignatureRequestResponse authSignatureRequestResponse = signatureBean.authSignatureRequest(userInput, null, pushSignatureRequest);

We should have received a push notification:

The title and message you see here can be configured in the OAS policy.
Upon opening the notification we are able to validate the contents of the transaction. Upon clicking ok a signature based on this data will be generated and sent to the server for validation.

Conclusion

We managed to retrieve transaction data on our mobile devices via push notification and sign it. You can find the sample to trigger the auth signature workflow here.
