One security concern with setting up PushAuth is registering clients. Without the concept of trusted registration, anybody could register their device under a given user. Trusted registration is the process by which the app asserts that a new mobile SDK client registration for a particular user is authorized.
When our mobile SDKs initialize for the first time on a new device or newly installed application, one of the first tasks is to register a new client with our backend systems. This process establishes the existence of the new client by assigning a unique identifier and enables the client to begin interacting with our system.
The current method employed to accomplish trusted registration is via webhook. This registration process follows these steps:
- As part of the SDK initialization, the
challengeparameter passes a string value to be used in verification by the webhook endpoint.
- UnifyID backend receives the request to register a client and passes the payload along to the provided webhook target URL.
- Your webhook endpoint validates the basic auth header, user string, and challenge string to return an appropriate response.
- If the endpoint returns 200 as the status code, the registration request will be approved. Otherwise, it will be denied.
Setting up Trusted Registration
The values used in the trusted registration process can be configured on the UnifyID Developer Dashboard.
Add to Dashboard
Visit your project settings on the dashboard, paste the target url, and click “Add”:
The target URL must use the
Doing this will require trusted registration for your project. This also sets username and password strings for use in basic authentication for the webhook requests. The username value, “unifyid,” cannot be changed. The password is a random string and can be rotated in case it becomes compromised.
To edit the target url value, rotate the password, or disable trusted registration, click “Edit”:
If you choose to disable trusted registration, uncheck the box next to “Webhook Enabled” and click “Update”:
At any time you can choose to re-enable trusted registration by clicking “Edit” and ensuring the “Webhook Enabled” box is checked. The value previously set for the target url will still be populated, but you can update it if necessary.
Authorizing Client Registration
Once your project has trusted registration configured, you will need a method for verifying client registration requests. This decision involves the value used in the
You also need a webhook endpoint able to serve requests from our backend and provide verification logic of the username, password, user and challenge values.