Security token
The API links that call the download tool can be protected from being manually copied and used by a different user under the existing SessionID.
Token-based security is used to protect a call to the download tool. The token is encrypted by the application calling the MFT FS API, using a secret key shared with MFT FS.
The token is passed to the MFT FS server and decrypted there using the shared key.
The security token structure for the download tool is represented in JSON with the following fields:
{
"Version",
"FilePublicID",
"Email",
"AllowedIP",
"TimeStamp"
}
Where the parameters are:
- Version: Version of the token object. Supported values are 1, 1.1e, 1.1o, and 1.1r.
  - 1, 1.1e: Represents an external ID. The tokenized JSON contains an app-based encrypted folder or file ID (default).
  - 1.1o: Represents an open ID. The tokenized JSON contains an unencrypted folder or file ID.
  - 1.1r: Represents a REST-encrypted ID. The tokenized JSON contains a REST-based encrypted folder or file ID.
- FilePublicID:
  - For version 1, 1.1e: Download ID of the file (the AccessID returned by the RetrieveUploadInfo() call).
  - For version 1.1o: File ID returned by the SOAP API.
  - For version 1.1r: File ID returned by the REST API.
- Email: Email of the user to record in the audit records for the operation. It can be different from the user account under which the MFT FS server session was opened.
- AllowedIP: IP address allowed to perform the download; it is checked by the MFT FS server. If the IP address of the connecting browser does not match AllowedIP, the operation is blocked.
- TimeStamp: Time of token creation, used during token validation to protect against token replay. The MFT FS server checks that the token is not older than the expiration interval configured on the MFT FS server. The date must be in the format MM/DD/YYYY H:MM PM. Note that the sample tokens below carry a 24-hour time with seconds (for example 10/04/2013 11:05:11), so confirm with the server configuration which form it accepts.
Sample Token 1 (Version 1 and 1.1e):
{
"Version": "1",
"FilePublicID": "0F540NC8ZAMQO",
"Email": "external-download-test@thru.com",
"AllowedIP": "64.95.64.190",
"TimeStamp": "10/04/2013 11:05:11"
}
Sample Token 2 (Version 1.1r):
{
"Version": "1.1r",
"FilePublicID": "1JUD31S8UCZ7S",
"Email": "external-download-test@thru.com",
"AllowedIP": "64.95.64.190",
"TimeStamp": "10/04/2013 11:05:11"
}
Sample Token 3 (Version 1.1o):
{
"Version": "1.1o",
"FilePublicID": "234",
"Email": "external-download-test@thru.com",
"AllowedIP": "64.95.64.190",
"TimeStamp": "10/04/2013 11:05:11"
}
The calling application should use the following methods and options to encrypt the token:
- Encryption algorithm: Advanced Encryption Standard (AES-256) symmetric algorithm.
- Encryptor specified key: Shared key in base64string format
- Initialization vector (IV): Shared key in base64string format
The security token placed in the URL should be in base64string format.
Sample of token encryption parameters:
- Encryptor specified key: AFA3wdfEuCrdFw8QaHFzN6LRXaBoCTHxcWnqNImp7g3=
- Initialization vector (IV): JHnmhMkTjkl8fHqYx/l7bA==
- Encrypted token in base64string format: jGldNNh7rMjT/fLL27vyQDPXUl/UjBKKfgrzLAxmopIxotP/T20Mz5J180jhG3Soqkz8bB1AV6rz3NMcyYtmm3mdo+CLeD0FDfgJZ6cw1Iqs9V+R79KsJ1mzfUKGrgQmrOq1NlosLcBtzmoVLK4+Cqkt+bkNBdYoYw8DITFkHd/VsEHCnk5pjPd89mDATyjTu4xMCXFVH20lP7tTOU75k61LLSj3x6bHzCuorKcUzp7nuvxve0se9cOdFQ3TA6XH78IMGmdoOz9JgDPIThjeO==
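As an added worked example (not code from the MFT FS product or its documentation), the following Go program builds a token with the fields described above, encrypts it the way the calling application would, and performs the server-side checks the text describes: supported version, AllowedIP against the connecting address, and TimeStamp against an expiration interval. The page does not state a block mode or padding, so the example assumes AES-256 in CBC mode with PKCS#7 padding. The key and IV are constructed values in the same base64 form as the sample parameters; like the page's sample, the IV is a separate 16-byte value rather than the 32-byte key. The timestamp is parsed in the 24-hour HH:MM:SS form the sample tokens use. The function names EncryptToken, DecryptToken and ValidateToken and the ten-minute validity window are the example's own assumptions. The page specifies no authentication tag for the ciphertext, so DecryptToken rejects bad padding or malformed JSON, and ValidateToken re-checks every field after decryption instead of trusting the decrypted token on its own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"time"
)

// Token mirrors the JSON structure documented on this page.
type Token struct {
	Version      string `json:"Version"`
	FilePublicID string `json:"FilePublicID"`
	Email        string `json:"Email"`
	AllowedIP    string `json:"AllowedIP"`
	TimeStamp    string `json:"TimeStamp"`
}

// Layout of the sample tokens' TimeStamp (24-hour clock, Go reference time).
const stampLayout = "01/02/2006 15:04:05"

// Constructed key and IV for this example, not the page's sample values:
// 32 bytes (AES-256) and 16 bytes (one AES block), both base64 like the page's parameters.
const (
	demoKeyB64 = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="
	demoIVB64  = "AAECAwQFBgcICQoLDA0ODw=="
)

// newCBC decodes the shared key and IV and returns the AES block plus the IV bytes.
func newCBC(keyB64, ivB64 string) (cipher.Block, []byte, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, nil, err
	}
	iv, err := base64.StdEncoding.DecodeString(ivB64)
	if err != nil {
		return nil, nil, err
	}
	if len(key) != 32 {
		return nil, nil, errors.New("AES-256 requires a 32-byte key")
	}
	if len(iv) != aes.BlockSize {
		return nil, nil, errors.New("IV must be exactly one AES block (16 bytes)")
	}
	block, err := aes.NewCipher(key)
	return block, iv, err
}

// EncryptToken serialises the token to JSON, pads it (PKCS#7, assumed),
// encrypts with AES-256-CBC and returns the base64 string placed in the URL.
func EncryptToken(t Token, keyB64, ivB64 string) (string, error) {
	block, iv, err := newCBC(keyB64, ivB64)
	if err != nil {
		return "", err
	}
	plain, err := json.Marshal(t)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptToken is the server side: base64-decode, decrypt, verify the padding
// and parse the JSON. Any structural problem is rejected before the fields are used.
func DecryptToken(tokenB64, keyB64, ivB64 string) (Token, error) {
	var t Token
	block, iv, err := newCBC(keyB64, ivB64)
	if err != nil {
		return t, err
	}
	ct, err := base64.StdEncoding.DecodeString(tokenB64)
	if err != nil {
		return t, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return t, errors.New("ciphertext is not a whole number of AES blocks")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize || pad > len(plain) ||
		!bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return t, errors.New("invalid padding")
	}
	if err := json.Unmarshal(plain[:len(plain)-pad], &t); err != nil {
		return t, err
	}
	return t, nil
}

// ValidateToken performs the checks the page attributes to the MFT FS server:
// a supported Version, AllowedIP equal to the connecting address, and a
// TimeStamp no older than maxAge (the configured expiration interval).
func ValidateToken(t Token, remoteIP string, now time.Time, maxAge time.Duration) error {
	switch t.Version {
	case "1", "1.1e", "1.1o", "1.1r":
	default:
		return fmt.Errorf("unsupported token version %q", t.Version)
	}
	want, got := net.ParseIP(t.AllowedIP), net.ParseIP(remoteIP)
	if want == nil || !want.Equal(got) {
		return fmt.Errorf("request from %s does not match AllowedIP %s", remoteIP, t.AllowedIP)
	}
	created, err := time.Parse(stampLayout, t.TimeStamp) // parsed as UTC
	if err != nil {
		return fmt.Errorf("bad TimeStamp: %w", err)
	}
	if age := now.Sub(created); age < 0 || age > maxAge {
		return fmt.Errorf("token created %s is outside the %s validity window", t.TimeStamp, maxAge)
	}
	return nil
}

func main() {
	tok := Token{Version: "1.1o", FilePublicID: "234", Email: "external-download-test@thru.com",
		AllowedIP: "64.95.64.190", TimeStamp: "10/04/2013 11:05:11"}
	enc, err := EncryptToken(tok, demoKeyB64, demoIVB64)
	if err != nil {
		panic(err)
	}
	fmt.Println("URL token:", enc)
	back, err := DecryptToken(enc, demoKeyB64, demoIVB64)
	if err != nil {
		panic(err)
	}
	now := time.Date(2013, 10, 4, 11, 10, 0, 0, time.UTC) // constructed "current" time
	fmt.Println("same IP, fresh:   ", ValidateToken(back, "64.95.64.190", now, 10*time.Minute))
	fmt.Println("copied to other IP:", ValidateToken(back, "10.0.0.1", now, 10*time.Minute))
	fmt.Println("replayed an hour later:", ValidateToken(back, "64.95.64.190", now.Add(time.Hour), 10*time.Minute))
}
```

The last two calls in main show the two protections the page relies on: a link copied to a browser at a different address fails the AllowedIP check, and a link replayed after the expiration interval fails the TimeStamp check, even though both still decrypt correctly.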