Confirming the user’s password

A client application can require the identified user to confirm the password before allowing a sensitive action to proceed.

To do so, it redirects the user to /applications/confirm_password with the current access token, the callback URL to which the user must be redirected back on success, and optionally a check signature.

The access token can be supplied in the query string, under the key access_token, or as bearer authorization.

The callback URL must be supplied in the query string, under the key callback.

Signature

For security, you can supply an optional signature: a random string encrypted with an XOR cipher, using the application secret as the key, and presented as Base64.

It can be supplied in the query string, under the key signature, or in the header X-Signature.

For example, if the signature is Do it yourself! and the secret is DTKIM5NN, calculate the string:

'D' ⊕ 'D' = 44₁₆ ⊕ 44₁₆ = 00₁₆ = '\0'
'o' ⊕ 'T' = 6F₁₆ ⊕ 54₁₆ = 3B₁₆ = ';'
' ' ⊕ 'K' = 20₁₆ ⊕ 4B₁₆ = 6B₁₆ = 'k'
'i' ⊕ 'I' = 69₁₆ ⊕ 49₁₆ = 20₁₆ = ' '
't' ⊕ 'M' = 74₁₆ ⊕ 4D₁₆ = 39₁₆ = '9'
' ' ⊕ '5' = 20₁₆ ⊕ 35₁₆ = 15₁₆ = '\025'
'y' ⊕ 'N' = 79₁₆ ⊕ 4E₁₆ = 37₁₆ = '7'
'o' ⊕ 'N' = 6F₁₆ ⊕ 4E₁₆ = 21₁₆ = '!'
'u' ⊕ 'D' = 75₁₆ ⊕ 44₁₆ = 31₁₆ = '1'
'r' ⊕ 'T' = 72₁₆ ⊕ 54₁₆ = 26₁₆ = '&'
's' ⊕ 'K' = 73₁₆ ⊕ 4B₁₆ = 38₁₆ = '8'
'e' ⊕ 'I' = 65₁₆ ⊕ 49₁₆ = 2C₁₆ = ','
'l' ⊕ 'M' = 6C₁₆ ⊕ 4D₁₆ = 21₁₆ = '!'
'f' ⊕ '5' = 66₁₆ ⊕ 35₁₆ = 53₁₆ = 'S'
'!' ⊕ 'N' = 21₁₆ ⊕ 4E₁₆ = 6F₁₆ = 'o'

base64 "\0;k 9\0257!1&8,!So" = "ADtrIDkVNyExJjgsIVNv"

So, the sent value must be ADtrIDkVNyExJjgsIVNv.

Note:

  1. Concatenate the secret to itself until it is the same size as the signature, and truncate the surplus.
  2. If the signature is smaller than the secret, truncate the secret to the signature size.

Response

When redirected, the browser will present a password confirmation form. If the user supplies the right password, it will be redirected back to the callback URL with the following query string:

confirmed=true&signature=$DECRYPTED_SIGNATURE

The signature sent back is the decrypted one, so the client application can check whether the signatures match.

In the previous example (ADtrIDkVNyExJjgsIVNv), the value sent back is Do it yourself!.

CAUTION!

Always check the confirmed key for the value true! And prefer to use the signature for security.
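The whole flow from the client application's side, as an added example rather than code from the service or this page: it encodes the signature exactly as the worked example above (XOR with the secret stretched by the two sizing rules, then Base64), builds the redirect URL, and verifies the callback by checking both the confirmed key and the returned signature. The endpoint path and the query keys access_token, callback, signature and confirmed come from the page; the host names, the access token and the secret are constructed sample values, and keeping the plaintext random string in the user's session is the assumed client-side design.

```python
# Added example, not the service's own client code. Endpoint path and query
# keys are taken from the documentation; hosts, token and secret are
# constructed sample values.
import base64
import secrets
from itertools import cycle
from urllib.parse import parse_qs, urlencode, urlsplit


def stretch_secret(secret: bytes, length: int) -> bytes:
    """Apply the two sizing rules: repeat the secret to the plaintext length,
    dropping the surplus, or cut it short when the plaintext is shorter."""
    if not secret:
        raise ValueError("application secret must not be empty")
    return bytes(b for b, _ in zip(cycle(secret), range(length)))


def xor_bytes(data: bytes, secret: bytes) -> bytes:
    """Byte-wise XOR of data with the stretched secret (XOR is its own inverse)."""
    key = stretch_secret(secret, len(data))
    return bytes(d ^ k for d, k in zip(data, key))


def encode_signature(plain: str, secret: str) -> str:
    """XOR the random string with the secret and present it as Base64."""
    return base64.b64encode(xor_bytes(plain.encode(), secret.encode())).decode()


def decode_signature(encoded: str, secret: str) -> str:
    """The server-side inverse; shown only to demonstrate the round trip."""
    return xor_bytes(base64.b64decode(encoded), secret.encode()).decode()


def build_confirm_url(host: str, access_token: str, callback: str, secret: str):
    """Return (redirect URL, plaintext signature). The plaintext must stay
    server-side (e.g. in the user's session) for comparison on callback."""
    nonce = secrets.token_urlsafe(16)  # fresh random string per request
    params = {
        "access_token": access_token,
        "callback": callback,
        "signature": encode_signature(nonce, secret),
    }
    return f"{host}/applications/confirm_password?{urlencode(params)}", nonce


def verify_callback(callback_url: str, expected_signature: str) -> bool:
    """Accept only if confirmed=true AND the decrypted signature sent back
    equals the one stored for this request; compare in constant time."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("confirmed") != ["true"]:
        return False
    returned = qs.get("signature", [])
    if len(returned) != 1:
        return False
    return secrets.compare_digest(returned[0].encode(), expected_signature.encode())


if __name__ == "__main__":
    url, nonce = build_confirm_url(
        "https://auth.example.invalid", "sample-token",
        "https://client.example.invalid/confirmed", "DTKIM5NN")
    print(url)
    print(verify_callback(
        f"https://client.example.invalid/confirmed?{urlencode({'confirmed': 'true', 'signature': nonce})}",
        nonce))
```

Because the signature check only proves that whoever redirected back could turn the Base64 blob into the original random string, generate a new random string for every confirmation request, keep it in the session rather than exposing it to the browser, and reject the callback whenever either the confirmed flag or the signature comparison fails.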