When logging in with Access Key, ping SaaS & verify about client HOT 11 CLOSED

Rely on the SaaS response before logging in

@zackkatz on this, we're going to silently fail the auto log in if no response from SaaS then right?

from client.

@inztinkt Yep.

from client.

@zackkatz for the data we send to SaaS, if we send too much we could be seen as 'spying' on users.

I think we can get away with sending the $identifier string and $_SERVER array. Thoughts?

from client.

The only user it’s “spying” on is the support person. I don’t see this as a problem. @trustedlogin/core Shawn, I’d appreciate your thoughts.

from client.

Totally agree, but may get flagged by folks reviewing/checking plugin code that use TL CLient. So wanted to confirm.

from client.

from client.

I just remembered we are okay on that because the user sill have clicked a button to initiate access granting.

from client.

Makes sense to me. Just waiting on the endpoint at SaaS to send this to :)

from client.

@inztinkt

ENDPOINT: /accounts/{accountId}/login-request
AUTHENTICATION: Add the Public Key as the Bearer token

Requires an accessKey in the request body:

{
"accessKey": {{access_key}}
}

I thought about putting the access key in the URL itself, but worried about there being access keys that contain a space? Could break. So used request body instead.

Does that work for you?

//cc @zackkatz

from client.

@shawnhooper Should we have an /activity endpoint rather than a specific /login-request endpoint?

We could do something like:

{
"accessKey": {{access_key}},
"activity": "login-request" 
}

Does that make any sense? I'm not sure.

from client.

AccessKeyChecks::check_validity( $identifier ) pings <api>/verify-identifier with the following info in the body:

array(
	'identifier' => $identifier,
	'timestamp'  => time(),
	'user_agent' => $_SERVER['HTTP_USER_AGENT'],
	'user_ip' => $_SERVER['REMOTE_ADDR'],
);

@shawnhooper @zackkatz let me know if anything needs to be changed.

from client.