IFRAME Signed Data
Introduction
This document describes the authentication information passed to an iframe page and the signature you use to verify that
the information is coming from DatingVip.
Information Sent to your Application
DatingVip passes information about the user when they interact with your application.
Depending on the type of application you are using, the information can come from
different sources:
In an iFrame application, information is sent through GET query parameters:
- oauth_token - If the user has authorized the application, this is the authorized access token passed to the iframe application.
- oauth_authorize_url - Custom OAuth authorize URL sent to the iframe application; all tokens should be authorized here instead of on the API endpoints.
- site_url - URL of the website on which the iframe application is running. This URL can be used for profile base URLs and other things.
- site_theme_css - Relative path to the site theme CSS file, e.g. site_theme_css=black_blackbg/black_blackbg.css
- sig - Your application's DatingVip signature. To verify a DatingVip request to your iframe page, remove the sig_ prefix from the rest of the keys before hashing them, then compare the result against the signature contained in sig.
- sig_added - If set to true, then the user has authorized your application.
- sig_app_id - Your application id, also known as consumer_key
- sig_in_iframe - When true, indicates the application is an IFrame application; otherwise, it's not set.
- sig_user - User id information
- sig_user_updated_at - Timestamp of when the user last updated their profile
- sig_api - Specifies which API you should use; it could be MS01 or A01 (this could change in the near future)
- sig_db_group - Site db group id; it could be MS01 or A01
- sig_site_niche - Site niche of the website; it is the id of the website's tagged niche
Theming your iframe application
DatingVip websites have different themes, so if you want your iframe to look similar to the website it is running on, you should use the site theme stylesheet.
We have 2 CDNs for stylesheets, JavaScript, etc. Based on db group they are:
If a DatingVip website is using a theme, an additional parameter, 'site_theme_css', is sent to iframe apps, for example:
site_theme_css=black_blackbg/black_blackbg.css
so the full URL of this CSS would be:
http://ifc.dvipcdn.com/(a1,m1)/themes/black_blackbg/black_blackbg.css
There is also a default.css which you could include in your iframe app; the URL for that CSS is:
So if the dating website has a theme, use the site theme CSS; otherwise use default.css from our CDN or your own custom CSS. It's up to you.
Verifying Information
When DatingVip sends you information about a user, you need to know that it is actually coming from DatingVip. If you
send a request to DatingVip and receive a response, then you know that it comes from DatingVip because you know who you
asked. If a request comes in unsolicited, however, you need to authenticate that the user information is actually coming
from DatingVip servers.
The key to verification is the application secret. There are only two parties that know the secret: your application and
DatingVip. Whenever DatingVip sends data to your server, it includes a signature that is generated using your application
secret. You can perform the same encoding and check the signature to make sure it matches. If the signatures match, then
you know the information came from DatingVip.
Generating Your Own Signature
To generate the signature for the information DatingVip sends you:
- Remove the "sig_" prefix from all of the parameter names (keys).
- Sort the values alphabetically by the keys.
- Concatenate all key/value pairs together in the format "k=v" (omitting the sig parameter, since that is what we are calculating).
- Append your consumer_secret
- Generate an MD5 hash of the whole string.
The following PHP code provides a quick example of verifying information sent to an iFrame application:
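<?php
/* typical use case: $string .= $secret, then compare md5($string) with $_GET['sig'] */
$consumer_secret = 'YOUR_CONSUMER_SECRET'; // placeholder: your application's secret

// Collect the signed parameters, stripping the "sig_" prefix from each key.
$sig = array();
foreach ($_GET as $key => $value) {
    if (substr($key, 0, 4) == 'sig_') {
        $sig[substr($key, 4)] = $value;
    }
}
ksort($sig);

// Concatenate as "k=v" pairs in key order, then append the secret.
$string = '';
foreach ($sig as $key => $value) {
    $string .= $key . '=' . $value;
}
$string .= $consumer_secret;

// hash_equals() compares in constant time and avoids the loose typing of ==.
$valid = isset($_GET['sig']) && is_string($_GET['sig'])
    && hash_equals(md5($string), $_GET['sig']); // this will return true.
?>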
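The same verification as a reusable function, given here as an added Python example (not DatingVip's code): it follows the five steps above, compares the digests in constant time, and returns only the sig_ fields, since those are the only parameters the hash covers. The secret, the sample values and the function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Placeholder for this example only; use your application's consumer_secret.
CONSUMER_SECRET = "example-consumer-secret"


def compute_sig(signed_fields, secret):
    """MD5 of the key-sorted "k=v" pairs (keys without "sig_") plus the secret."""
    base = "".join(f"{k}={v}" for k, v in sorted(signed_fields.items()))
    return hashlib.md5((base + secret).encode("utf-8")).hexdigest()


def verify_iframe_request(query_string, secret):
    """Return the signed fields when "sig" matches, otherwise None."""
    # On a repeated key the last value wins, as it does in PHP's $_GET.
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    received = params.get("sig")
    if not received:
        return None  # an unsigned request is never accepted
    signed = {k[4:]: v for k, v in params.items() if k.startswith("sig_")}
    expected = compute_sig(signed, secret)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    # Only these fields were authenticated. Parameters without the sig_ prefix
    # (site_theme_css, site_url, ...) are not part of the hash, so validate
    # them separately before use.
    return signed


def build_sample_query(secret):
    """Constructed sample request, signed the way the steps above describe."""
    signed = {"added": "true", "app_id": "12345", "in_iframe": "true",
              "user": "42", "api": "MS01"}
    params = {f"sig_{k}": v for k, v in signed.items()}
    params["sig"] = compute_sig(signed, secret)
    params["site_theme_css"] = "black_blackbg/black_blackbg.css"  # unsigned
    return urlencode(params)


if __name__ == "__main__":
    query = build_sample_query(CONSUMER_SECRET)
    print(verify_iframe_request(query, CONSUMER_SECRET))
    tampered = query.replace("sig_user=42", "sig_user=43")
    print(verify_iframe_request(tampered, CONSUMER_SECRET))
```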
Last Author: boris
Last Edited: Jun 15 2016, 15:42