This topic contains 11 replies, has 2 voices, and was last updated by  Orin 11 months, 3 weeks ago.

  • Participant
    Orin
    Member
    Member since: 18.01.2017
    Number of posts: 16

    Hi

    I noticed there is a method in the iOS mobile SDK that allows signing with a session token.
    I am wondering if it is possible to use our server API to get that session token from eSignLive server and pass it down to mobile apps?
    I know this sounds weird b/c we should have one session token per session (between one mobile device and eSignLive server)

    The reason we are considering this approach is that we worry it is not quite secure if we use email and password to log in to eSignLive directly.

    Any advice? Thanks a lot

    Keymaster
    Haris
    Jedi Master
    Member since: 05.11.2015
    Number of posts: 1450

    Hi Orin,

    As per our mobile dev team, the mobile sdk doesn’t provide the signer session token.


    Haris Haidary
    OneSpan Technical Consultant
    Participant
    Orin
    Member
    Member since: 18.01.2017
    Number of posts: 16

    Hi, Haris

    Thanks for the update. Would you mind helping answer what the method “loginWithSessionToken” does?
    Thanks a lot.

    Keymaster
    Haris
    Jedi Master
    Member since: 05.11.2015
    Number of posts: 1450

    The “loginWithSessionToken” call logs you into the SDK with an eSignLive session token – this is useful for applications using external SSO login or any other way of authentication.


    Haris Haidary
    OneSpan Technical Consultant
    Participant
    Orin
    Member
    Member since: 18.01.2017
    Number of posts: 16

    Hi, Haris

    I am wondering if it is possible to use our server API to start signing with eSignLive and get a session token, and then pass it down to mobile apps to use as login?
    Thanks.

    Keymaster
    Haris
    Jedi Master
    Member since: 05.11.2015
    Number of posts: 1450

    You can get the session token with the API key and use it to log in. Our recommendation is not to use the API key from the application, because of security reasons. If someone sniffs the traffic and gets the API key, they can do anything with the account. The API key should be used from the server. If you obtain the session token from the server and provide the token to the application, that would be much more secure.


    Haris Haidary
    OneSpan Technical Consultant
    Participant
    Orin
    Member
    Member since: 18.01.2017
    Number of posts: 16

    Thanks, Haris

    We plan to use the API key only from our server to the ESL server and pass the session token down to the mobile device.
    That’s why we try to avoid loginwithemail in the first place, for security considerations.

    Participant
    Orin
    Member
    Member since: 18.01.2017
    Number of posts: 16

    Hi, Haris

    I am back again on this topic after almost a year.

    I tried to login with session token using the latest iOS SDK (3.5)
    It returns 401 like this:
    error on the server: {
    code = 401;
    message = “Failed to retrieve Session”;
    messageKey = “error.unauthorised.noSession”;
    name = Unauthorized;
    }

    With a valid session token, https://sandbox.esignlive.com/api/session/apiKey?ESIGNLIVE_SESSION_ID=xxxxxx
    which works within browser.

    In fact, this method returns 401 no matter what session token I feed in.
    I am using iOS simulator.

    Would you mind helping?
    Thanks a lot

    Keymaster
    Haris
    Jedi Master
    Member since: 05.11.2015
    Number of posts: 1450

    Hi Orin,

    A 401 error means your session token is invalid. The reason why pasting “https://sandbox.esignlive.com/api/session/apiKey?ESIGNLIVE_SESSION_ID=xxxxxx” works is most probably that you are already authenticated. If you try to enter “https://sandbox.esignlive.com/api/session/apiKey?ESIGNLIVE_SESSION_ID=12345abc”, you will still be returned an API key because you’re authenticated. Let me ask you this: how are you generating this session token?


    Haris Haidary
    OneSpan Technical Consultant
    Participant
    Orin
    Member
    Member since: 18.01.2017
    Number of posts: 16

    That sounds possible.

    Our web team got the session token with the API key and then sent it to me manually.
    We are testing this loginWithSessionToken function.

    Any idea what we might not be doing right?
    Thanks

    Keymaster
    Haris
    Jedi Master
    Member since: 05.11.2015
    Number of posts: 1450
    Approved answer

    You are probably getting an invalid session token. With the API key, you can do the following call to get a session token:

    POST https://sandbox.esignlive.com/api/sessions

    You will get something like this as a response:

    {
        "sessionToken": "79cadbffaf5f4240da42fc2a62b882feb01b6c917005c627"
    }

    Then you can use that to login with the iOS SDK. Let me know if this works.


    Haris Haidary
    OneSpan Technical Consultant
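
The server-side exchange recommended in this thread, as an added example (not code from the forum or from OneSpan): the backend holds the API key, calls POST /api/sessions, and returns only the session token to the mobile app for loginWithSessionToken. The `Authorization: Basic <key>` header, the empty request body and all function names are assumptions; the URL and response shape are the ones quoted in the answer above.

```python
import json
import urllib.request

# Endpoint from the answer above (sandbox host as used in the thread).
SESSIONS_URL = "https://sandbox.esignlive.com/api/sessions"


class SessionTokenError(Exception):
    """Raised when no usable session token can be obtained."""


def build_session_request(api_key, url=SESSIONS_URL):
    # Assumption: the API key travels as "Authorization: Basic <key>";
    # the thread does not show the header, so confirm it in the API docs.
    if not api_key:
        raise SessionTokenError("API key is not configured on the server")
    return urllib.request.Request(
        url,
        data=b"",  # assumed empty body; the thread shows none
        method="POST",
        headers={"Authorization": "Basic " + api_key,
                 "Accept": "application/json"},
    )


def http_send(request):
    # Real transport. Only the server process calls this, so the API key
    # is never present on the device or in device-to-server traffic.
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read()


def issue_session_token(api_key, send=http_send):
    """Exchange the server-held API key for a session token."""
    body = send(build_session_request(api_key))
    try:
        token = json.loads(body)["sessionToken"]
    except (ValueError, KeyError, TypeError) as exc:
        raise SessionTokenError("no sessionToken in response") from exc
    if not isinstance(token, str) or not token:
        raise SessionTokenError("empty sessionToken")
    return token


def payload_for_mobile(api_key, send=http_send):
    # What the backend returns to the app: the session token and nothing else.
    return {"sessionToken": issue_session_token(api_key, send)}
```

The `send` parameter exists so the exchange can be exercised without network access; in production the default `http_send` is used and the API key is read from server-side configuration.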
    Participant
    Orin
    Member
    Member since: 18.01.2017
    Number of posts: 16

    Thanks for the reply, Haris.
    Login with session token works now.
    Thanks a lot
