Changes in DIGIPASS Gateway 5

DIGIPASS Gateway 5 introduces a couple of breaking changes compared to earlier versions of DIGIPASS Gateway.

Architectural changes

  • Stateless gateway. Previous versions relied on an external PostgreSQL database to store some state information, such as transactions and transaction data.

    This database requirement has been removed. DIGIPASS Gateway no longer stores any state information at all; it relies instead on the respective authentication server, e.g. OneSpan Authentication Server.

  • DIGIPASS Gateway services. Previous versions consisted of two web services providing two different interfaces: the so-called Administration interface and the DIGIPASS interface.

    These two interfaces have been consolidated to one.

    The Administration interface has been removed entirely, since most of the administrative services have become obsolete, e.g. transaction management for Mobile Authenticator Studio. The remaining services have been merged into the DIGIPASS interface. The distinction between administrative and client services now exists only in terms of the authentication each service requires.

  • API authentication. In previous versions, some services were protected by HTTP basic authentication with a single API key.

    In DIGIPASS Gateway 5, all services are protected by HTTP basic authentication with one of two API keys:

    • The front-end API key is required for services typically used by mobile applications, e.g. OneSpan Mobile Authenticator.
    • The back-end API key is required for services typically exposed to the solution's back-end side, e.g. the banking website.

Workflow changes

  • Out-of-band transaction data signing. This feature was implemented in previous versions of DIGIPASS Gateway and exposed to Mobile Authenticator Studio. It has been replaced by a new transaction data signing workflow that integrates with OneSpan Authentication Server and uses push notifications.
  • Transaction management. It is no longer possible to manage transactions, e.g. to list pending transactions. When a transaction is initiated, the user receives a push notification. The mobile application retrieves the transaction details, and the user either accepts or rejects the transaction immediately.

Changes in the API

New or changed services

The following services are either new or updated versions of previously existing ones:

  • /rest/v2/authentication/authUser
  • /rest/v2/authentication/push/authUser
  • /rest/v2/authentication/push/cancelAuthUser
  • /rest/v2/authentication/push/getPreparedSecureChallenge
  • /rest/v2/notification/push/sendNotification
  • /rest/v2/notification/push/updateNotificationID
  • /rest/v2/provisioning/DSAPPActivate
  • /rest/v2/provisioning/DSAPPGenerateActivationData
  • /rest/v2/provisioning/DSAPPMdlAddDevice
  • /rest/v2/provisioning/DSAPPRegister
  • /rest/v2/provisioning/DSAPPSRPGenerateActivationData
  • /rest/v2/provisioning/DSAPPSRPGenerateEphemeralKey
  • /rest/v2/provisioning/getServerTime
  • /rest/v2/provisioning/MdlActivate
  • /rest/v2/provisioning/MdlAddDevice
  • /rest/v2/provisioning/MdlRegister
  • /rest/v2/signature/push/authSignature
  • /rest/v2/signature/push/cancelAuthSignatureRequest
  • /rest/v2/signature/push/getPreparedSignatureRequest

Deprecated services

Deprecated services remain available in the interface only for backward compatibility and migration. Newer versions of the same services, or similar new services, exist and should be used for new implementations.

The following services have been deprecated:

  • /activate
  • /addDevice
  • /bind
  • /instanceActivation
  • /licenseActivation
  • /postActivation
  • /register
  • /registerOffline
  • /registerOnline
  • /rest/activation/DSAPPSRPGenerateActivationData
  • /rest/activation/DSAPPSRPGenerateEphemeralKey
  • /rest/activation/MdlActivate
  • /rest/activation/MdlAddDevice
  • /rest/auth/online
  • /rest/notification/push/sendNotification
  • /rest/notification/push/updateNotificationID
  • /rest/push/cancelLogin
  • /rest/push/retrieveLogin
  • /rest/push/signLogin
  • /signature
  • /synchronize

Removed services

The following services have been removed:

  • /createSecureChannelTransaction
  • /createTransaction
  • /deleteNotif
  • /deleteTransaction
  • /getTransactionStatus
  • /listSecureChannelTransactions
  • /listTds
  • /manageTransaction
  • /notify
  • /registerNotif
  • /rejectTransaction
  • /testOffline
  • /validateSecureChannelTransaction
  • /validateTransaction