OA Login
OpenApp Login introduces passwordless authentication for online stores.
It uses the biometric authentication of the user's mobile device, so the user is authenticated seamlessly without any manual input.
Together with OA Checkout, it allows for a transformative shopping experience: no data has to be entered manually at any stage of the shopping process.
OA Login is designed for safety and gives users full control over the process. Before the user logs in to a store for the first time, they are shown the name of the store and must tap OK to proceed. This means that if an attacker tampers with the QR codes on a website, no data is sent to a website other than the one the user intends.
Flow: first login to the store
sequenceDiagram
autonumber
participant Merchant
participant User
participant OpenApp app
participant OA API
activate User
User->>+Merchant: login
Merchant ->>-User: show OA Widget
User->>+OpenApp app: scan QR or tap Widget
OpenApp app->>+OA API: retrieve merchant info
OA API->>-OpenApp app: merchant info
OpenApp app->>-User: show merchant info
User->>+OpenApp app: OK
OpenApp app->>-User: show biometry prompt
User->>+OpenApp app: scan face / finger
OpenApp app->>+OA API: OK
OA API->>+Merchant: user data
Merchant->>OA API: OK
OA API->>-OpenApp app: OK
OpenApp app->>User: OK
OpenApp app->>OpenApp app: close
deactivate OpenApp app
Merchant->>User: Welcome...
deactivate User
Flow: subsequent logins
Once a user has approved a merchant for OA Login, the user no longer has to tap OK on subsequent visits; a biometric check is enough.
sequenceDiagram
autonumber
participant Merchant
participant User
participant OpenApp app
participant OA API
activate User
User->>+Merchant: login
Merchant ->>-User: show OA Widget
User->>+OpenApp app: scan QR or tap Widget
OpenApp app->>+OA API: retrieve merchant info
OA API->>-OpenApp app: merchant info
OpenApp app->>-User: show biometry prompt
User->>+OpenApp app: scan face/finger
OpenApp app->>+OA API: OK
OA API->>+Merchant: user data
Merchant->>OA API: OK
OA API->>-OpenApp app: OK
OpenApp app->>User: OK
OpenApp app->>OpenApp app: close
deactivate OpenApp app
Merchant->>User: Welcome...
deactivate User
Data sent to the merchant
Always just the anonymous email address.
The email address is generated uniquely for the user and the specific merchant. It is the same on every login or purchase with that merchant, which allows order tracking just as with a traditional user account.
Session security
Protection against multiple users scanning the same QR code is the merchant's responsibility: OA strongly recommends that a merchant only allow OA Login to switch an "unauthenticated session" to an "authenticated session". It is up to the merchant to make sure that a rescan of the same QR code cannot switch an already authenticated session to a new identity (session stealing). An authenticated session should not show the OA Login Widget at all.
Request
Once the customer has confirmed that they want to send their identity to the merchant, OA sends the identity of the user together with the token that allows the merchant to connect that identity to an active session. This is an HTTP POST request from the OpenApp server to the endpoint configured in the control panel, with the identity and the token in the message body.
So if you configured the value https://shop.example.com/api/openapp/identity and used the token value 56465affa646as4fa6f64fd5a, the request executed by OpenApp will be a POST to that URL whose JSON body matches the following schema:
{
  "description": "The identity of the user",
  "additionalProperties": false,
  "type": "object",
  "properties": {
    "email": {
      "description": "The unique email address of the user.",
      "type": "string",
      "title": "email"
    },
    "token": {
      "description": "The session token.",
      "type": "string",
      "title": "token"
    }
  },
  "required": [
    "email",
    "token"
  ],
  "$schema": "http://json-schema.org/draft-07/schema#"
}
Response
In response, the website should send an HTTP response with a 200 status code. Any body will be ignored.
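As an added example (not code from the OpenApp documentation or its SDK), here is how a merchant endpoint could implement the request/response contract above while honouring the session-security rule: a Python handler that validates the POST body against the schema, binds the anonymous email only to a session that is still unauthenticated, and consumes the token so that a rescanned QR code cannot rebind the session. The Session class, the in-memory sessions store and the status codes used for rejections are assumptions.

```python
"""Merchant-side handler for the OA Login identity callback (added example).

The OpenApp server POSTs {"email": ..., "token": ...}; the token identifies
the merchant session in which the OA Widget was shown. The identity is bound
only while that session is unauthenticated, and the token is consumed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:                          # assumed merchant session model
    login_token: Optional[str]          # token embedded in the widget / QR code
    email: Optional[str] = None         # set once OA Login has bound an identity

    @property
    def authenticated(self) -> bool:
        return self.email is not None


def validate_identity_body(body: object) -> Optional[str]:
    """Check the body against the page's schema; return an error or None."""
    if not isinstance(body, dict):
        return "body must be a JSON object"
    extra = set(body) - {"email", "token"}       # additionalProperties: false
    if extra:
        return "unexpected properties: " + ", ".join(sorted(extra))
    for key in ("email", "token"):                # required, type string
        if not isinstance(body.get(key), str) or not body[key]:
            return f"'{key}' must be a non-empty string"
    return None


def handle_identity_callback(body: object, sessions: dict) -> tuple:
    """Return (http_status, outcome). Rejection status codes are an
    assumption; the page only specifies 200 for the accepted request."""
    err = validate_identity_body(body)
    if err:
        return 400, err
    session = next((s for s in sessions.values()
                    if s.login_token == body["token"]), None)
    if session is None:
        return 404, "unknown or expired login token"
    if session.authenticated:
        # A rescan of the same QR code must never replace an existing identity.
        return 409, "session already authenticated; identity not changed"
    session.email = body["email"]
    session.login_token = None          # single use: the token cannot be replayed
    return 200, "identity bound to session"
```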