Overview
This chapter describes the Token Service. The Token Service is not a standard FIDO service but a proprietary nevisFIDO functionality. The Token Service is a public HTTP API that generates a token for a given GetUAFRequest object. The FIDO client can use this token later on to trigger a FIDO UAF registration, authentication or deregistration through the initial GetUAFRequest.
The Token Service consists of six parts or endpoints: the Create Token part/endpoints (/nevisfido/token/registration, /nevisfido/token/authentication and /nevisfido/token/deregistration) and the Redeem Token part/endpoints (/nevisfido/redeemToken/registration, /nevisfido/redeemToken/authentication and /nevisfido/redeemToken/deregistration).
The following steps illustrate how the Token Service works in the case of authentication:
- nevisAuth calls the Token Service by sending a GetUAFRequest object to the Create Authentication Token endpoint (/nevisfido/token/authentication).
- The Token Service / nevisFIDO validates the request and creates a token. It sends the token back to nevisAuth as part of the HTTP response.
- nevisAuth sends the token to a mobile phone (FIDO client) using a push service.
- The mobile phone (FIDO client) returns the token to the Token Service / nevisFIDO by addressing the Redeem Authentication Token endpoint (/nevisfido/redeemToken/authentication).
- The Token Service / nevisFIDO triggers the FIDO UAF authentication operation with the GetUAFRequest object provided in the first step.