WWPass is a third-party authentication provider, which can be used for reliable, secure and convenient multi-factor authentication on Websites and in mobile and desktop applications.
The most basic form of WWPass authentication works like the following:
- When your website needs to log in a user, it obtains a new authentication ticket from WWPass and displays it as a QR code;
- The user scans the QR code with WWPass Key App (or taps it on a mobile device screen) and follows the app instructions to log in;
- When the user completes logging in, WWPass notifies your website;
- In the described basic form, your website uses the authentication ticket to obtain the user identifier from WWPass.
The user identifier supplied by WWPass is called a PUID (Provider-Specific User Identifier). PUID is a unique string that you can use to recognize the user. PUID remains the same each time the same user logs in to your website. When the same user logs in to a different website, PUID received by that website is different. The latter helps to maintain the anonymity of users.
Authentication tickets and PUIDs are requested via the WWPass API. To access the API, you need to register your website at manage.wwpass.com.
This tutorial will help you add WWPass authentication to your website. It focuses on QR-code based authentication. Users of your website log in with WWPass Key App.
Before following this tutorial, make sure you have installed WWPass Key App. The application is freely available at [AppStore](https://itunes.apple.com/us/app/wwpass-WWPass Keylite/id984532938) and [Google Play](https://play.google.com/store/apps/details?id=com.wwpass.android.WWPass Key).
Skip this section if you already have an account on manage.wwpass.com.
Note: Creating an account on manage.wwpass.com requires you to provide a valid e-mail address. This e-mail address is used to restore access to your account if your WWPass Key is lost and cannot be recovered. It is also used to send important information about your account and websites.
Open manage.wwpass.com and click "Sign Up". Scan the QR code with the WWPass Key App to create an account. Provide your e-mail address when prompted and click Activate Account. Open your mailbox and find a message from WWPass. Click the verification link in the message to complete account activation.
Before you can add a website, WWPass must verify that you are the website owner. The verification process requires your website to have a publicly accessible domain name. This domain name is displayed to the users during authentication to your website.
Log in to manage.wwpass.com and click "Native Integrations" in the main menu. Click "Add new Application". Enter the domain name of your website and click "Add Domain".
Follow the instructions on the next page to create a new verification file. Make sure the file name and its content are the same as shown on the page. Upload the verification file to the root directory of your website. Make sure you can access the verification file with your browser.
Click "Validate" to start the verification process. Once your website is verified, you can issue a digital certificate needed to access the WWPass API.
Note: if your website does not have HTTPS, the verification process falls back to HTTP, which can be useful for development. However, you should consider deploying HTTPS to production websites.
WWPass uses digital certificates to authenticate requests to the API. You should issue at least one certificate for your website. If your website runs on multiple servers, it is best to use a separate certificate for each server.
Note: while this document focuses on OpenSSL for generating certificate requests, you are free to use any other similar tool of your choice.
At this phase of the website registration WWPass provides you with corresponding OpenSSL command, with proper parameters already substituted. Copy the command and execute it on your server. This is how the command to generate a new certificate request looks like:
Click "Attach certificate request" and select the certificate request file that you have just generated. This file has a ".req" extension.
Alternatively, you can click "Paste a request contents" and put the content of the certificate request file into the text field that appears.
Click "Submit" to send your certificate request. Once the request is processed, click "Download" and save your new digital certificate.
Store the certificate and key files in a secure location on your website server. These files should be accessible by the server-side code of your website. Make sure this location is outside of your site webroot.
Download the WWPass CA certificate and store it on your server together with your website certificate and key files. Now that you have successfully obtained a digital certificate, you can proceed with adding WWPass authentication to your website.
Whatever your server-side technology is, the browser-side code is the same: add an HTML element - QR code placeholder.
<div> is the best option, e.g.
For an npm-based project, install wwpass-frontend module:
Alternatively, download the compiled standalone script on Github.
Add the code itself:
Here, qrcode parameter is any valid CSS-selector of the QR code container element.
ticketURL is the link to the server-side API to obtain or renew WWPass ticket - see below.
The code above initializes WWPass login, requests authentication tickets using ticketURL and displays dynamic QR code based on the ticket data. Once the user has completed authentication in WWPass Key App, the wwpass-frontend sends the resulting data to the callbackURL via HTTP GET request.
For example, PHP website may look like
For more details, see documentation in Github.
Due to the wide variety of server-side languages and technologies, we shortly describe only the PHP library here. See WWPass Github for all the available libraries.
he WWPass PHP library is available in Composer repository.
Server-side code communicates with WWPass core network using digital certificates, obtained during the website registration.
Here is the getTicket a URL handler to obtain authentication tickets and encode to the format expected by wwpass-frontend.
getticket.php file is basically the same for all the websites.
On user authentication, wwpass-frontend script sends GET request to the callback URL, with authentication details in the request parameters. It is quite natural to process the request in the same login.php URL which generates login page.
On success, the session variable PUID is set, identifying the user, and control is passed to index.php URL. Otherwise, render the login page, e.g.
A PUID is a unique string that identifies the user. A particular way of using PUID depends on the architecture of your application. If your application already has a database that stores application users, add a new table that maps PUIDs to the existing user identifiers. See "How WWPass Authentication Works" below.
You can find a PHP demo application code on GitHub.