Glance Presence Service Security
The Presence Service allows an authorized agent to invoke JavaScript functionality in a visitor browser. This document outlines the security considerations associated with the Presence Service.
When an agent issues a request to the Glance Presence Service, the service verifies the identity of the agent, and ensures that particular agent is authorized to carry out the requested operation. This verification is accomplished by means of an Authorization Token.
Authorization Token
All agent side requests to the Presence Service carry an Authorization Token which can be obtained from the Glance Web Service. Glance uses the JSON Web Token (JWT) standard for creating, signing, and verifying authorization tokens.
Obtaining the Token
For an Agent to obtain an authorization token for Presence:
-
The Agent passes credentials to the Glance Authorization Service to prove their identity.
-
The Glance Authorization Service verifies the agent’s credentials and determines whether the Agent is authorized to access the Presence service.
The Glance Authorization Service is accessible via:
- Soap 1.2 (wsdl)
- JSON REST (REST help page)
- XML REST
Authentication
The Glance Authorization service accepts as credentials any of the following:
- Glance username and password
- Partner ID, partner user ID, and login key
- Glance username and login key
- Glance website session id
In addition to credentials, the agent must specify a Glance group id. An individual user may be a member of multiple groups, but at any given time the user authenticates in a particular group. If an agent needs to carry out operations in multiple groups, he must obtain multiple authorization tokens.
Authorization
Agents must have a current subscription which includes the Presence feature in order to be granted access to Presence services.
Token Duration
The agent specifies a duration for the token. Tokens may be issued for up to two hours duration. Obtaining a token is resource intensive. Therefore the agent console should obtain a token and reuse it until it expires or the agent logs out, rather than obtaining a new token for every operation.
Token Storage and Usage
The authorization token may be obtained server side using the SOAP or REST API. It may be stored server side, for example in session state, and used in subsequent server side requests to the Presence service.
Alternatively, a token obtained server side may be used client side by the Presence JavaScript API. The token may be embedded in the page in a data-authtoken attribute of the cobrowse script or meta tag, or it may be passed into the JavaScript API using GLANCE.Authorization.setToken().
Finally, a token may be obtained client side by passing credentials into GLANCE.Authorization.authorize().
When setToken() or authorize() is used, the authorization token is stored in local storage to allow reuse. All calls to the GLANCE.Presence API will automatically use the stored token, as long as those calls are made from secure pages on the same fully qualified domain.
See the Glance Authorization API documentation for more information.
Presence Service Request Validation
Validating Authorization Token
The Presence Service validates the authorization token presented:
-
In the Authorization header, for REST requests.
-
In the first message on a websocket connection.
The Presence Service verifies the token signature, that it is not expired, and that the groupid in the token matches the groupid in the request. There are no restrictions on which visitors in the group the agent can interact with.
Origin Check and CORS
Requests to the Presence Service from secure browsers will include an Origin header. The Presence Service will reject requests with a non-whitelisted Origin domain. If and only if the request Origin is on the whitelist, the Presence Service will respond with the Access-Control-Allow-Origin header set to the Origin domain.
Shared Secret
JSON Web Tokens require a shared secret between the token issuer and the consumer. The Presence service generates a new shared secret every two hours and passes it to the Glance Authorization service via an https request to an internal endpoint in the Glance VPN.
Visitor Authentication
Website visitors are identified by a unique visitor id, which may be anything unique to the visitor such as a user id, phone number, or email address, which could either be relayed to a customer service agent over the phone, or is included in a customer record that can be retrieved using some information that is relayed over the phone. When the visitor id is not secret or is static, a customer service agent may want some way to guarantee that the visitor browser receiving any presence requests is truly operated by the individual on the phone. One way to do this would be for the agent console to trigger a confirmation message to appear on the visitor side. The visitor must select the correct button on the confirmation message (as directed by the agent over the phone) before subsequent presence requests can be sent.
It is still the responsibility of the agent to verify the identity of the caller.