A temporary token is a way for a platform to grant timed access to one of its functions. Consider it a security measure.
While a static token may be more convenient as the string never changes, its convenience gives way to insecurity. By forcing users and processes to generate an expiring temporary token in order to gain access, platform functions remain more secure than if placed behind a simple static token.
As far as ALP SaaS is concerned, our platform offers two temporary token types to make WS calls more secure. The token produced with GenerateTemporaryToken can be used with all WS calls. The token produced with GenerateMemberTemporaryToken can only be used for member-related WS calls, and it is perfect for use in a mobile application.
How does ALP SaaS use these temporary tokens?
Once created, ALP SaaS treats the standard Temporary Token the same way it treats a static token. It relies on the WS call sender to provide an authentication code at the time of Temporary Token generation. From there, the Temporary Token behaves just like a static token until its expiration time expires.
The same is true for the Member Temporary Token; however, an authentication code is not required and the access for the token is restricted to member-related functions only.
Setting up a temporary token starts in ALP SaaS
Once the Authenticator application is downloaded and installed on the user’s mobile device, proceed to ALP SaaS with appropriate WS Security Token creation permissions.
In real-word applications, Google offers significant documentation for using custom APIs to generate Google Authenticator codes at https://developers.google.com/identity/.
Navigate to Web > Services > WS Security Tokens
- Click “Add WS Security Token”
- Enter the WS Security Token Name
- Enter the Vendor
- Select “Template Token”
This step will generate a QR Code, Manual Setup Code and Seed. The Manual Setup Code and Seed would be used in order to code WS calls through temporary tokens. We will use the QR code in this process in a few steps.
- Make note of the WS Security Token
- In the WS Methods Security Settings, select the first check box in each of the WS methods you intend to use with this Temporary Token
For our test, be sure to select at least FetchMemberCore.
- Save the WS Security Token
- From the WS Security Tokens dashboard (Web > Services > WS Security Tokens), click Edit to access the WS Security Token we just created
- Open Google Authenticator on your mobile device
- Tap the plus symbol in the application
- Tap “Scan a barcode”
- Scan the QR code displayed in ALP SaaS
A six-digit code and the name of the WS Security Token will display in the Google Authenticator application. This six-digit code changes constantly and will be used to generate a temporary token in ALP SaaS.
Generating a temporary token in ALP SaaS
Once the temporary token WS is set up in the application, actually creating the token through a WS is simple. The proper WS method is documented in the ALP SaaS Wiki page for GenerateTemporaryToken.
Creating the temporary token requires three parameters, two of which were set up in the previous section of this documentation.
WS Security Token: Use the alphanumeric string generated and noted in step 5 in the section above.
Authenticator Code: Use the constantly changing six-digit code displayed in Google Authenticator.
Life of Token (in Minutes): Configure the token to expire in a specific amount of time. The maximum is 60 minutes.
Using these parameters, issue the WS call just like you would any other in the application. Make note of the temporary token produced by the WS call and use that for the WS Security Token in the basic FetchMemberCore method documented on the ALP SaaS Wiki.
Once this process is performed successfully, navigate to the WS Security Token we created in the second section and delete it from your ALP SaaS Instance.