This topic contains 6 replies, has 2 voices, and was last updated by  mwilliams 5 days, 7 hours ago.

  • Participant
    saraizad
    Newbie
    Member since: 20.12.2018
    Number of posts: 13

    Hi,

    How is the Callback Key being passed when an event is raised? Can you please provide a raw sample for the transaction, including header tags?

    Would it be OAuth? ‘Bearer [callback key]’?

    Thanks,
    Sara

    • This topic was modified 1 week, 2 days ago by  saraizad.
    Keymaster
    mwilliams
    Guru
    Member since: 21.08.2015
    Number of posts: 864

    Hey Sara,

    The callback key is passed through the Authorization header as “Basic {callbackKey}”. You’d use this to make sure you’re receiving notifications that contain our shared secret, so you know you’re not getting spoof calls and can react accordingly. The body of each call may vary based on the notification event type.

    Hope this helps. Let us know if you need more! 🙂


    – Michael
    Partner and Developer Technologies Manager, OneSpan
    Facebook – https://www.facebook.com/michael.williams1120
    Twitter – https://twitter.com/mwilliams1120
    LinkedIn – https://www.linkedin.com/in/mwilliams1120
    Participant
    saraizad
    Newbie
    Member since: 20.12.2018
    Number of posts: 13

    Thanks for the response. So there is no option for OAuth 2.0 for the callback?

    Thanks

    Keymaster
    mwilliams
    Guru
    Member since: 21.08.2015
    Number of posts: 864

    Not to my knowledge. I’ll check, tomorrow, with support, to make sure there isn’t some hidden back office configuration that I’m unaware of. Otherwise, your only option would be to encode/encrypt your username and password into some sort of key that you could decode/decrypt on your side to verify the request.


    – Michael
    Keymaster
    mwilliams
    Guru
    Member since: 21.08.2015
    Number of posts: 864

    Just wanted to let you know that I verified this to be correct. Callback keys are the only configuration available to secure this info. No personal or confidential information is passed through callbacks.

    Hope this helps. If you’d like to submit a request for different security options, you’ll have to email support at sign.support@onespan.com.


    – Michael
    Participant
    saraizad
    Newbie
    Member since: 20.12.2018
    Number of posts: 13

    Thank you for checking on this. We are not looking to pass any personal info. Our platform requires at least OAuth 2.0 authentication for REST APIs, and we need to find a workaround, as OneSpan only supports Basic Auth for callbacks.

    Thanks
    –Sara

    Keymaster
    mwilliams
    Guru
    Member since: 21.08.2015
    Number of posts: 864

    You could look at using a proxy or something to add the appropriate info, or building a separate pass-through listener application that can accept the callbacks and forward them to your application with the appropriate authentication. Those would be my initial workaround thoughts while waiting on any resolution from an enhancement request.


    – Michael
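The callback-key check and the pass-through listener discussed in this thread, sketched as an added example that is not OneSpan code or part of any post. It assumes the key arrives verbatim after "Basic " as the reply above states; `CALLBACK_KEY`, `get_token` and the sample values are hypothetical and constructed for illustration.

```python
import hmac

# Constructed sample value, not a real OneSpan callback key.
CALLBACK_KEY = "example-callback-key-123"


def callback_is_authentic(headers, expected_key=CALLBACK_KEY):
    """Return True only if Authorization is 'Basic <expected_key>'."""
    # Header names are case-insensitive, so normalise before the lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    value = normalised.get("authorization", "").strip()
    scheme, _, presented = value.partition(" ")
    if scheme.lower() != "basic" or not presented:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(presented.strip().encode(), expected_key.encode())


def relay(headers, body, get_token):
    """Decide what the pass-through listener does with one callback.

    Returns (status, outbound_headers, outbound_body). get_token is a
    hypothetical callable that returns an OAuth 2.0 access token for the
    internal API. Nothing is forwarded unless the callback key checks out.
    """
    if not callback_is_authentic(headers):
        return 401, None, None
    normalised = {k.lower(): v for k, v in headers.items()}
    outbound = {
        # The shared secret stops here and is replaced by the bearer token.
        "Authorization": "Bearer " + get_token(),
        "Content-Type": normalised.get("content-type", "application/json"),
    }
    return 200, outbound, body


if __name__ == "__main__":
    # Constructed sample callback; real bodies vary by notification event type.
    sample = {"authorization": "Basic example-callback-key-123",
              "Content-Type": "application/json"}
    print(relay(sample, b'{"constructed": "body"}', lambda: "constructed-token"))
```

Because the callback key is a static shared secret, the listener should only be reachable over TLS, and the key should be loaded from secret storage rather than kept in source as it is here.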
