- Install Hermod, see here.
Send a provisioning request, see the code example.
The user then either enters the URL in the mobile app or scans it as a QR code (the URL is rendered as a QR code according to the standard). The profile information is displayed and the user can accept it to activate the profile.
When the user has accepted the profile, a response is sent to the Application Server in a callback.
Validate the response by checking the following:
- That the signature over the complete payload is valid and that it was made with a trusted attestation key (select the key from your own trust store, not from anything in the message).
- Proof of possession, by checking the signature of each generated key: the signature over each key must verify under that same key.
- Then store the verified public key(s) so that future authentications can be verified.
The generated profile and its keys are included in the data field, where data is a compact JSON Web Signature (JWS): base64url(header).base64url(payload).base64url(signature).
The keys are included in the signed keys field. Each JSON Web Key (JWK) is signed by itself, i.e. the JWK is the payload of a JWS signed with the private key belonging to that JWK, which is the proof of possession.
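The validation described above, worked through in Go as an added example that is not Hermod's own code. The block plays the device and attestation side only to construct a sample callback; the Application Server part is ValidateCallback, which verifies the outer JWS under a trusted attestation key chosen by kid, verifies every entry in keys under the JWK it carries (proof of possession) and returns the public keys to store. Everything beyond the data and keys field names and the compact-JWS layout (the profileId field, the kid values, ES256 as the algorithm) is an assumption for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// Assumed layout: only `data` and `keys` are given by the text; the rest is illustrative.
type Callback struct{ Data string `json:"data"` }
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
	Kid string `json:"kid,omitempty"`
}
type Profile struct {
	ProfileID string   `json:"profileId"`
	Keys      []string `json:"keys"` // one compact JWS per key, payload = that key's own JWK
}

func coord(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }

func jwkFromPublic(pub *ecdsa.PublicKey, kid string) JWK {
	return JWK{Kty: "EC", Crv: "P-256", X: coord(pub.X), Y: coord(pub.Y), Kid: kid}
}

// publicFromJWK rebuilds the P-256 point and rejects malformed or off-curve coordinates.
func publicFromJWK(j JWK) (*ecdsa.PublicKey, error) {
	if j.Kty != "EC" || j.Crv != "P-256" {
		return nil, errors.New("unsupported key type")
	}
	x, errX := b64.DecodeString(j.X)
	y, errY := b64.DecodeString(j.Y)
	if errX != nil || errY != nil || len(x) != 32 || len(y) != 32 {
		return nil, errors.New("bad coordinate encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("point not on curve")
	}
	return pub, nil
}

// signES256 builds base64url(header).base64url(payload).base64url(R||S).
func signES256(priv *ecdsa.PrivateKey, hdr Header, payload []byte) (string, error) {
	h, _ := json.Marshal(hdr)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// parseCompact splits a compact JWS without verifying it; the verifying key is chosen afterwards.
func parseCompact(token string) (hdr Header, payload, sig []byte, input string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return hdr, nil, nil, "", errors.New("not a compact JWS")
	}
	var h []byte
	if h, err = b64.DecodeString(parts[0]); err != nil {
		return
	}
	if err = json.Unmarshal(h, &hdr); err != nil {
		return
	}
	if payload, err = b64.DecodeString(parts[1]); err != nil {
		return
	}
	sig, err = b64.DecodeString(parts[2])
	return hdr, payload, sig, parts[0] + "." + parts[1], err
}

func verifyES256(input string, sig []byte, pub *ecdsa.PublicKey) bool {
	if len(sig) != 64 {
		return false
	}
	digest := sha256.Sum256([]byte(input))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// ValidateCallback is the Application Server side: trusted attestation key by kid,
// fixed algorithm (no "none"/HS256 confusion), proof of possession per key.
func ValidateCallback(cb Callback, trusted map[string]*ecdsa.PublicKey) (Profile, map[string]*ecdsa.PublicKey, error) {
	var prof Profile
	hdr, payload, sig, input, err := parseCompact(cb.Data)
	if err != nil {
		return prof, nil, err
	}
	att, ok := trusted[hdr.Kid]
	if hdr.Alg != "ES256" || !ok {
		return prof, nil, fmt.Errorf("untrusted attestation key %q / alg %q", hdr.Kid, hdr.Alg)
	}
	if !verifyES256(input, sig, att) {
		return prof, nil, errors.New("attestation signature invalid")
	}
	if err := json.Unmarshal(payload, &prof); err != nil {
		return prof, nil, err
	}
	keys := map[string]*ecdsa.PublicKey{}
	for i, kjws := range prof.Keys {
		khdr, kpayload, ksig, kinput, err := parseCompact(kjws)
		if err != nil || khdr.Alg != "ES256" {
			return prof, nil, fmt.Errorf("key %d: malformed", i)
		}
		var jwk JWK
		if err := json.Unmarshal(kpayload, &jwk); err != nil {
			return prof, nil, err
		}
		pub, err := publicFromJWK(jwk)
		if err != nil {
			return prof, nil, fmt.Errorf("key %d: %w", i, err)
		}
		if !verifyES256(kinput, ksig, pub) { // the JWK must verify its own envelope
			return prof, nil, fmt.Errorf("key %d: proof of possession failed", i)
		}
		keys[jwk.Kid] = pub
	}
	return prof, keys, nil
}

// BuildCallback stands in for the device and Hermod to produce a constructed sample callback.
func BuildCallback(att *ecdsa.PrivateKey, attKid, profileID string, gen map[string]*ecdsa.PrivateKey) (Callback, error) {
	prof := Profile{ProfileID: profileID}
	for kid, k := range gen {
		jwk, _ := json.Marshal(jwkFromPublic(&k.PublicKey, kid))
		self, err := signES256(k, Header{Alg: "ES256", Kid: kid}, jwk) // JWK signed by itself
		if err != nil {
			return Callback{}, err
		}
		prof.Keys = append(prof.Keys, self)
	}
	body, _ := json.Marshal(prof)
	data, err := signES256(att, Header{Alg: "ES256", Kid: attKid}, body)
	return Callback{Data: data}, err
}

func main() {
	att, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cb, _ := BuildCallback(att, "attestation-1", "profile-42", map[string]*ecdsa.PrivateKey{"auth": auth})
	prof, keys, err := ValidateCallback(cb, map[string]*ecdsa.PublicKey{"attestation-1": &att.PublicKey})
	fmt.Println(prof.ProfileID, len(keys), err)
}
```

The two checks are deliberately separate: a valid attestation signature proves the callback came from Hermod, while the self-signed JWK proves the device actually holds the private key for the public key you are about to store. A key envelope signed by some other key, or a callback signed by an attestation key that is not in the trust store, is rejected before anything is stored.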