VisionsTrust Documentation
What is VisionsTrust ?
VisionsTrust allows people to easily give consents to grant access to their data for specific purposes. This implements the MyData Architecture. People, through their MyData Operator, can manage their data in different services. VisionsTrust is a certified MyData Operator.
This allows for a human-centric infrastructure for personal data where people freely manage their data without depending on one single organization. This document describes the VisionsTrust Operator and how services interact with it.
This infrastructure applies the 'separation of powers' principle: the operator does not store data and does not provide services on the data other than making sure the person’s permissions are respected; the services exchanging data do not handle people’s permissions on their data. This empowers the individual with their data: they can manage it independently from the services that use their data.
If it's your first time here, we've planned a guide for you to follow along and make sure you don't miss any steps during the configuration of your service.
To come back here at any point when on your VisionsTrust dashboard, simply navigate to the Documentation tab in the menu.
Quickstart Guide
Welcome to the VisionsTrust quickstart and implementation guide. You have already done a couple things here, let's recap.
Organization Categorization
Upon creation of your VisionsTrust account, you were prompted to categorize your organization. This will list your organization with other organizations of the same category within the catalog and will help both organizations and users find you.
General Organization Information
You then entered a general description for your organization. This is public information which allows other organizations and end-users to know what your organizations does.
More information on your organization will be required later on in this guide, and you'll find a dedicated web page for exactly that.
Service declaration and information
By categorizing your services and describing them, you give the opportunity to other organizations to know what kind of service you offer, and we can make a better job at listing your service amongst services of the same type
The information on your services can be accessed and modified at any time on your dashboard later on.
Data interest and declaration
You then informed us of data you are interested in and data you are able to share.
By letting us know what type of data you are interested in, we will be able to show you services and organizations that are able to share this kind of data.
By declaring data from your organization, you allow organizations to make a request on the access of your data. You will then need to accept this request, which we'll cover in a moment
Web application configuration
Now that we've recapped what you did until now, let's see how we can finish configuring your service on the app before moving on to the necessary code to implement to communicate with our API to enable data exchanges.
To be able to come back to wherever you paused your configuration, each step will show you a button to let us know when you're done with that particular task. This allows us to get you back to where you stopped directly and also know where organizations start having issues so we can improve our guides.
You can follow your progress on the top-left of this page.
General Information
Now that you're done with the initial steps, assuming you are logged in to your VisionsTrust account, navigate to the governance information page.
On this page, you will need to give us some additionnal information about your organization.
What is this used for ?
When agreeing to a data exchange configuration with another organization, a contract is generated. The information that you enter on this page are the ones that will appear on the data sharing contract generated.
Declaring conditions on your data
Now that your data has been declared, you are able to create custom conditions and terms of use on your datasets.
Your declared terms of used are found under Gouvernance > Conditions d'utilisation.
From here simply fill out the form for the conditions to be generated.
In the following section you will be able to declare a dataset based on your declared data and associate these conditions and terms of use to it.
Declaring Datasets
Based on the data you declared earlier, you can create datasets with one or more of your declared data for them to be associated with the terms of use you generated before.
Your declared datasets are found under Gouvernance > Datasets.
Follow the instructions on this page to generate a dataset and associate one of your declared terms of use to it.
When another organization requests data in your dataset, the contract will show these conditions for the other party to accept.
Authorizing another organization to access your data
To start exchanging data with other organization, there's a couple things to do. The initial step is to authorize globally another service to access your data. To do that, go to the exchanges page and explore the available services until you find the one that fits your use case.
By clicking on that service, you will be prompted to authorize data exchanges with it.
If this other service then agrees to this exchange, the global authorization is active between your two organizations and data exchanges can be configured.
Please note that if the authorization has not been made by both parties, further configuration of the data exchange is not possible.
Requesting Data
If the other party has confirmed the authorization, you can now configure data exchanges. In order to request data, navigate to the same exchanges page and get to the authorized service.
Now that the authorization is active, you will notice that the information you see is different from the initial information you saw for this service.
Listed on the left are all the types of data that this other organization is willing to share. And for each of them, you can request access to one or more of your services.
Data requests are made for a specific purpose, this is why you request data for one of your service and not globally. The provider of this data will then get a choice to authorize data per service.
Accepting Data Requests
If you have received incoming data requests from other organizations, you will be able to view them on the "demandes d'import" page.
This page lists all organizations that have requested your data as well as the amount of different requests you've received.
By viewing one of these requests, you are taken to a page summarizing the request, informing you of the data requested as well as for what purpose it has been requested. You now have the option to accept or deny the access to individual data for this exchange.
Implementing the API
A bit of useful information
Even if endpoints will be described here, there are resources to help you along the way.
Security
Every request you will make towards our API needs to be authenticated using a Bearer Authentication with an Authorization header.
You will need 2 keys in order to do that. Your Service Key and your Secret Key. Both are obtained through the Paramètres page.
The token to pass in the Authorization header is a JWT token generated from encoding the following object with your secretKey:
payload = {
serviceKey: YOUR_SERVICE_KEY,
iat: now,
exp: now+5min
}
Here's an example using jsonwebtoken npm module in NodeJS
const token = jwt.sign(
{
serviceKey: serviceKey,
iat: (new Date().getTime())
},
secretKey,
{ expiresIn: 5 * 60 }
);
Once you have your token, each request to our API will need the header such as :
Authorization Bearer JWT_TOKEN
Registering your users in VisionsTrust
For you to be able to generate consents and activate a data exchange for a specific user, you first need to register your user inside VisionsTrust.
This step is important as if you have no declared user, you will not be able to generate any kind of consent popup based on a data exchange configuration.
The choice of when to register the user inside Visions is up to you, however here are a couple use cases that other partners use for user registration.
| On signup | Registers the user when creating an account on your platform |
| User request | Asking the user if he wishes to take part in the data exchanges powered by Visions and registering him after he gives consent |
For new users, you can use the first method. For existing users, you can use whichever you choose.
If you plan to be a Data Consumer, having the registration on signup because users will be able to activate data exchanges from a partner platform to your platform and be requested to create an account on your platform to finalise the exchange. This is handled in this special case.
To register a user inside VisionsTrust please refer to this endpoint of our OpenAPI documentation.
Integrating the endpoints to activate the data exchange
To implement the data exchange functionality and participate in the network, you will need to configure and expose a couple of endpoints on your API. Before jumping into the technical requirements of the endpoints, take a look at the complete data exchange process on the diagram below.
Lets walk through it step by step
Suppose SI is the service importing data and SE is the service exporting data. For details on the endpoints to configure on your service, click the links in the explanation or scroll down to the next section.
| 1 | SI or SE requests the data exchange pop-up for the user. There can be 2 possible entry points for the process. Either a user is logged on SI and wants to import data from another service, or a user is logged on SE and wants to export data to another service. This is why the first arrow can come from both services. |
| 2 | Visions returns the data for you to generate the consent popup for the user. |
| 3 | The user selects the data he wishes to export / import and validates |
| 3-1 | When the user has no account in the Import service, the export service will redirect the user to the import service’s registration url to create an account |
| 3-2 | The Import service will create a new account for the user in their service, call the user creation route in Visions service and on response from Visions that the user has been created, will finally call the route to proceed with the consent creation and exchange. |
| 4 | Visions signs the consent and sends it to SE at the endpoint for Consent Export. |
| 5 | Export service generates an access token and sends it to Visions. |
| 6 | Visions attaches the access token to the consent, signs the consent again and sends it to SI at the endpoint for Consent Import. |
| 7 | Import service requests user selected data to SE at endpoint for Data Export, sending the consent |
| 8 | SE sends the received consent to Visions in order to validate provenance and get the user and data types concerned by the exchange |
| 9 | SE fetches data in their database and sends data to SI at endpoint for Data Import |
Integration Details
Now let's dive into the technical details and requirements of the endpoints to integrate and configure on your service.
Please keep in mind that if you are only providing data, only Consent Export and Data Export will need to be implemented.
Likewise, if you are only using data, only Consent Import & Data Import will need to be implemented.
Endpoint: Consent Export
This endpoint is meant to be integrated on the organization exporting data.
example: POST "/consent/export"
This endpoint is called by Visions and receives the following in the request body:
{
signedConsent: SIGNED_CONSENT
}
The content of the signedConsent is a signature of the content of the consent using RSA and the node crypto library.
In order to decode it you must use the public key described below.
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAs7c5/FFH8/52qhFoWXMS
zesJOCkPTB6381lRka7Egs+MQtTmcy0T+ipIpN7yWrUH2/vTcbRketbe/KdB7OEc
c6wfkH1lqPWH0BqszyKGDTO5HI+tbTcHX737FbV+X+xdx4vq7opQ65+eZ09zfagy
m5VUJiDinXlHfeAKkG2QjWR2yrjA4euIYZRaq1cj+zVHeTnHUtI/P8ANt4VGcWT7
M6HmLbrH12Ueglvv7VfSbhkjGeEYeoopXCEz2eZyOLafRSssh6YWEpaPB3G8BZRS
wCMbUajSnoUC+626AjLvXNt39wsWYCbQNtR3Zp09WtXL5arY4jJisPYxe+VWRUNb
9NYHVb1FuMFr8jCxdb0czISaRm9PKCW88Kv6qt6PC7Kzxc+kIGwf9H8nvBBxJYuU
49LRPHyEz+Di8DfsZuVCy1pkVheHwTQWycoi8jD86Rghj1vg9BYhW7n9BqQLLvxb
iF/QYTuxFaPz4YjXpfsgjx3hr30cJuSmSn2AeBgl5+e5W7qGqS8Hw9/JqCmF+0Y2
G3QLwnuaN6Ha9rTmB88HERP4OULmBNYpD+CTEdE/tglFuJYB9HrglmkXA8QK6taP
wJP5watrK2izg2w6/WFbY0mDEh6Q9hZ0ZDqBZGPuU0bIlLPCn695gVM8/420YeJZ
Gzl0WoFWTSg+E+vu9GeX55sCAwEAAQ==
-----END PUBLIC KEY-----
You can find an example of how it can be done in NodeJS in the public repo.
You will then need to generate an access token for the Import Service to use when requesting the data to you later on. This access token should not exceed 50 characters as it would break the limit of the signeable content size method that we use and break the process.
Finally you will need to send both the generated token and the consent ID to Visions. The endpoint in order to do that and to understand how to build the request body, please refer to this route description of our swagger documentation.
Important
Now that you have exposed this endpoint on your API, you need to inform the corresponding URL in the consent export url field of your service settings.
Endpoint: Consent Import
This endpoint is meant to be integrated on the organization importing data.
example: POST "/consent/import"
This endpoint is called by Visions and receives the following in the request body:
{
signedConsent: SIGNED_CONSENT // Bundled with access token
serviceExportUrl: "https://example.com/data/export" // The data export endpoint of the export service
}
The goal of this endpoint is rather simple. Since the Export Service will himself decrypt the signed consent to retrieve the access token, all you need to do is make a request to the received serviceExportUrl and passing it the following request body.
{
signedConsent: SIGNED_CONSENT // As received
dataImportUrl: "https://example.com/data/import" // Your own endpoint where the data will be received
}
Important
Now that you have exposed this endpoint on your API, you need to inform the corresponding URL in the consent import url field of your service settings.
Endpoint: Data Export
This endpoint is meant to be integrated on the organization exporting data.
example: POST "/data/export"
This endpoint is called by the Importing Service and receives the following in the request body:
{
signedConsent: SIGNED_CONSENT // Bundled with access token
dataImportUrl: "https://example.com/data/import" // The data import endpoint of the import service where you will send the data
}
There are multiple steps to accomplish inside this endpoint.
For starters, you will need to decrypt the signedConsent just like in the Consent Export endpoint.
As an optional step, you can verify the access token from the signed consent against the one you previously generated.
In any case, you will need to communicate with Visions the consentId from the decrypted signedConsent for us to verify the validity of the consent as well as receive the information on the actual data to send back. So we handle verification.
To build the request body for the call to Visions to verify the consent and retrieve the information on the Data involved, please refer to the appropriate API of our swagger documentation.
Essentially, you will receive the following information
{
"verified": true, // Verification of the consent
"userExport": { // Information on the user from the export service
"email": "string",
"userServiceId": "string" // The ID in the export service database
},
"userImport": { // Information on the user from the import service
"email": "string",
"userServiceId": "string" // The ID in the import service database
},
"dataImportEndpoint": "string", // The endpoint to which you will need to send the data in case it wasn't informed by the import service
"datatypes": [ // The selected data by the user on the consent popup
{
"name": "string",
"table": "string", // You will receive the structure of the data if you informed it on your VisionsTrust account
"fields": [
"string"
]
}
]
}
Using the received information you will need to do two things
- Get the selected data for the specified used from your database
-
Send the data to the dataImportEndpoit or dataImportUrl (they should be the same), with the following request body:
{ "data": {} // The data to send back -> The format should be decided between the two services, a pivot format is being elaborated with partners and will be communicated "user": userImport.userServiceId // The user id from the import service received "signedConsent": signedConsent }
Important
Now that you have exposed this endpoint on your API, you need to inform the corresponding URL in the data export url field of your service settings.
Endpoint: Data Import
This endpoint is meant to be integrated on the organization importing data.
example: POST "/data/import"
This endpoint receives the data coming from the Export service as well as a couple additionnal information.
The request body will look like so :
{
"data": {} // The data coming from the export service -> The format should be decided between the two services,
"user": "string" // The user id of your service, so you know for which user you need to register the data
"signedConsent": signedConsent // The signed consent
}
If you need some additionnal information such as the user email from the consent, you still have the option to decrypt the signedConsent. To do that, please refer to the section concerning the consent decryption in the consent export endpoint.
Important
Now that you have exposed this endpoint on your API, you need to inform the corresponding URL in the data import url field of your service settings.
Dealing With Special Cases
Some scenarios exist which require your service to configure some extra logic. The special cases are described in this section.
Activating A Data Exchange For A User Without An Account In The Importing Service
When a user activates a data exchange from an exporting platform and doesn't have an account in the platform that will receive the data, he has the option to specify that on the consent popup.
After validation, Visions will then build a redirection url made up of the registration url you informed in your service settings and two extra parameters like so:
"https://example.com/signup?consentId=THE_CONSENT_ID&visions=THE_ENCRYPTED_CONSENT_ID"
Essentially, the export service will use this url to redirect the user to your signup page that should be ready to interpret these parameters. Whether you want it to be on your existing signup page, or wish to create a specific page to handle this use case is up to you.
Following are the steps that should happen when arriving on this page.
| 1 | Register the user as you usually would on your platform |
| 2 | Register the user inside VisionsTrust using the same route from the section on user registration |
| 3 [optional] | Decrypt the visions parameter using a SHA256 algorithm and your service secret key (found in your service settings ) and compare it to the consentId to confirm the request is coming from Visions. |
| 4 | Communicate the consentId and the userKey you received from registering the user to this API for VisionsTrust to complete the exchange protocol. |
Generating Data Exchange Consent Popups for your users
Now that pretty much all of the backend is implemented, you are able to present data exchange popups to your users based on the exchange configurations you have made within the VisionsTrust web application.
There are two types of popus you can generate, a popup to export data if you are providing data, and a popup to import data if you have requested data from other sources.
Below are examples of how partners have integrated and designed consent popups based on the information we send back.
Notice that on the last one, there is a checkbox asking for the user to specify if he has an account in the receiving service. This is an important use case that is covered below.
Retrieve Information On All The Available Consent Popups
To retrieve the information about the popups you can present to your user, you can retrieve the information about all of your configured exchanges with other organizations.
The API to call is described here, and will allow you to then request individual consent popups by providing some of the information you receive.
Let's take a look at the information you receive
{
"export": [ // The list of available popups for exporting data
{
"service": "string", // The name of the service towards which you will export data
"purposes": [ // The list of configured exchanges with this service
{
"name": "string",
"id": "string", // ! This id is necessary for the popupRequestEndpoint request body
"flow": "export",
"popupRequestEndpoint": "https://visionstrust.com/v1/popup/export", // The endpoint to call to get this consent popup
"popupRequestMethod": "string",
"details": "string"
}
]
}
],
"import": [ // The list of available popups for importing data
{
"service": "string",
"purposes": [
{
"name": "string",
"id": "string",
"flow": "import",
"popupRequestEndpoint": "https://visionstrust.com/v1/popup/import",
"popupRequestMethod": "string",
"details": "string"
}
]
}
]
}
Based on this information you will then be able to generate export or import consent popups depending on what you have configured and will be available.
Data Export Consent Popup
Now that you have the information from the previous section, if you have an export consent popup available, you can call the popupRequestEndpoint to generate it. However, you must specify both the email of the currently logged user in your platform and the purpose id as described in the corresponding API.
Using the data gotten from the response to this call, you are now able to populate and build the consent popup for your user. If you want, we provide in our public repository, a HTML template for the popup (fully cuztomizeable) as well as some front end code to populate the popup.
Please note you may find yourself in one of 2 cases concerning the reception of the emailImport (the email from the user in the import service) when retrieving popup data.
| Case 1 | You received the emailImport, this means that the user account in the Import Service was found and linked to the user, in that case you do not need to request the user to enter his email in the popup and do not need to show the checkbox asking if he wishes to create an account in the importing service. |
| Case 2 | You have not received the emailImport, in that case you need to include an email field for the user to fill out and include the checkbox asking for the user to specify if he is going to create a new account in the importing service. |
Data Import Consent Popup
Now that you have the information from the previous section, if you have an export consent popup available, you can call the popupRequestEndpoint to generate it. However, you must specify both the email of the currently logged user in your platform and the purpose id as described in the corresponding API.
Using the data gotten from the response to this call, you are now able to populate and build the consent popup for your user. If you want, we provide in our public repository, a HTML template for the popup (fully cuztomizeable) as well as some front end code to populate the popup.
Launching The Actual Data Exchange
Now that you are able to present the consent exchange popup to your user, you will then be able to communicate to VisionsTrust the user data selection and launch the exchange process, may it be for an export or an import of data.
This section will walk you through the calls to make to the VisionsTrust API to activate the exchange protocol.
Starting The Export Data Exchange
In order to activate the export data exchange protocol, you need a couple of information. The details on how you should build your request is on this API but let's go over the details of what is required.
{
"datatypes": [ // The list of selected data by the user
{
"id": "string", // The id of the datatype (provided when generating the popup)
"datatype": "string", // The name of the datatype
"checked": true // If the user has selected it
}
],
"emailExport": "string", // The email of the user currently logged in
"emailImport": "string", // The email of the user in the importing service
"userKey": "string", // The userKey received when registering the user inside VisionsTrust
"purpose": "string", // The id of the purpose for which this exchange is taking place
"isNewAccount": true // Whether or not the user has checked a box saying he wishes to create an account in the Import service
}
An example of how this information can be taken from the popup and placed into this request is shown here in the public repository.
Starting The Import Data Exchange
In order to activate the import data exchange protocol, you need a couple of information. The details on how you should build your request is on this API but let's go over the details of what is required.
{
"datatypes": [ // The list of selected data by the user
{
"id": "string", // The id of the datatype (provided when generating the popup)
"datatype": "string", // The name of the datatype
"checked": true // If the user has selected it
}
],
"emailExport": "string", // The email of the user inside the exporting service
"emailImport": "string", // The email of the user currently logged in to your platform
"userKey": "string", // The userKey received when registering the user inside VisionsTrust
"serviceExport": "string" // The name of the Exporting Service
"purpose": "string", // The id of the purpose for which this exchange is taking place
}
As you might have noticed, the import popup can contain multiple exporting services but you only provide one service export name in the request. This is because you need to make consecutive calls for each data source from the consent popup and build the request body accordingly for each service.
An example of how this information can be taken from the popup and placed into this request is shown here in the public repository.
VisionsTrust SSO
We offer a Single Sign-On system to your end users to be able to simplify account management in the different plateforms and organizations. This system also removes some steps out of the exchange process and gives fluidity to the user experience.
SSO Overview
To understand how and why we are able to propose a Single Sign-On experience, let's see how identity management works within VisionsTrust.
By refering to the section on user registration, we understand that for each end user willing to exchange data, he will be registered in VisionsTrust from each and every platform he wishes to exchange from and with. This means that VisionsTrust holds a list of user identifiers for every platform that the user connected to.
This list of users is held within a higher leveled user, let's call it a global user, managed by Visions and acting as the user's VisionsTrust account. The user can use this account to connect to his personal VisionsTrust dashboard and different Visions apps. Ultimately, as the references for every user identifier is held within this global user, we can also use this account as the SSO login account and share the appropriate data to the platforms using the corresponding user identifier from the list.
An overview of the flow is described in the sequence diagram below
Or View this diagram on a separate tab
SSO : Getting Started
In order to use our SSO solution, you will first start by declaring that your application wants to use our SSO in your VisionsTrust Dashboard.
By navigating to SSO Configuration from the navigation menu, you will be redirected to a page where you can initialize SSO for your application by providing us a bit of information. Here's what we're asking from you :
- The origin url of your application which will allow us to do some verifications on trusted origins.
- The endpoint from which you will be verifying the user session within the SSO server. This enables us to generate redirection urls to this endpoint when activating a data exchange for the user to come authenticate / create an account on your platform through the sso automatically.
These endpoints can be changed at any point later on.
Once you're done click the button to validate and you will be redirected to a page summarizing your information and some authorization credentials will have been generated for you. This authorization key will be used in your authorization header to the SSO server.
SSO : User Authentication
When trying to log a user to the sso server you can be in one of 2 situations. Either you have previously logged the user through SSO and you kept the globalSessionID returned by the SSO server and he has an active session on your platform, or your user has no active session on your platform.
If your user has no active session on your platform and tries to log in through the sso, you will need to redirect him to the following endpoint to retrieve an access token :
https://sso.visionstrust.com/sso/login?serviceURL=REDIRECT_URL
The redirect url must be the endpoint from which you will then call the sso server again to verify the access token retrieved.
SSO : Token Verification
Calling the sso login endpoint will result in the sso server redirecting the user to the redirectURL you defined and adding to it a ssoToken query parameter. This ssoToken is the access token you need to communicate to the sso server to verify it and essentially log your user in your platform.
The endpoint for token verification is the following
https://sso.visionstrust.com/sso/verifytoken?ssoToken=THE_SSO_TOKEN_RECEIVED
This call returns a token in the response that then needs to be decoded with the public key that can be found in your SSO Configuration page and verifying the issuer as "visionstrust-sso-server".
Below is an example of how it can be decoded using NodeJS and the jsonwebtoken npm package.
const ISSUER = 'visionstrust-sso-server';
const verifyJwtToken = (token) =>
new Promise((resolve, reject) => {
jwt.verify(token, publicKey, { issuer: ISSUER, algorithms: ['RS256'] }, (err, decoded) => {
if (err) return reject(err);
return resolve(decoded);
});
});
Once decoded, the retrieved information will have the following format :
{
firstName: string,
lastName: string,
email: string,
activeUseCase: string | null, // The ongoing experience of the User if any
experienceContext: string | null, // The context inside of which the experience is taking place
publicReportURL: string | null, // The user's public Bilan d'Orientation URL
uid: string,
globalSessionID: string,
iat: number,
exp: number,
iss: 'visionstrust-sso-server',
}
Using this information you can then log the user in, or create an account for him.
The globalSessionID can be a useful information to hold in the user's session as it can be used to verify if the user is still logged in to the SSO server. That way if the user logs out globally from the sso server, all sessions across platforms will be invalidated, assuming they implement the session verification call.
SSO : Session Verification
If your user has an active session on your platform, and if you previously logged him through our sso, assuming you've stored the globalSessionID returned from the sso server on the user session, you can verify the active session of the user on the sso.
The endpoint to call for this is
https://sso.visionstrust.com/sso/verifysession/:globalSessionID
Following is a list of possible response status codes
| 200 | The user is logged into the SSO |
| 400 | globalSessionID parameter is probably missing |
| 404 | User is not logged into the SSO, you need to redirect him to the sso login url with your redirect url |
Integrating SSO with the consents and data exchange protocol
We've covered the basics of the communication with the sso server. Now we'll see how to integrate this to the exchange protocols.
Rest assured, it's not much more than what we've done so far.
The complete flow of operations is described in the sequence diagram below, from the user login to the end of the exchange. The diagram is quite heavy but you'll see it mentions a bunch of things that you've already implemented.
Or View this diagram on a separate tab
So there are a couple of things to mention here. First of all, this flow can only happen if both platforms configured the sso and activated it. For the rest, here's what the changes are for you from the non-sso exchange flow:
| Exporting Platform | The user must be logged in through SSO before confirming his data selection on the consent popup. |
| Importing Platform | The user will be redirected to the sso login endpoint you defined in your SSO configuration and have, as usual, the sso token, but will also have the consentId for you to be able to relaunch the exchange process after logging / creating the user through the SSO, just as you would after creating the user on a regular non-sso exchange. |
Exporting Platform Changes
As mentionned above, the user must be logged in through the SSO if an exchange is to be enabled between two platforms that have configured and activated the SSO.
Important Note: If you activated the SSO for your platform and the target one has not, VisionsTrust will process this information and do a regular non-sso flow instead without you having to exchange anything. So if you use our SSO we strongly recommend you always verify the user is logged in to our SSO before showing him the consent popup. That way you are safe from potential errors.
Ultimately, all you need to do is use the verify the user session in the SSO, and if no session is found, authenticate the user. Once the user is logged in, you can safely show the data exchange consent popup to the user.
Importing Platform Changes
When the user gives his consent from the export platform and he doesn't have an accont in your platform yet, VisionsTrust will generate a redirection url based on the url you defined as your sso token check (sso login) url with the ssoToken as a query parameter. When integrated with the consent protocol, this url will contain the consentId query parameter as well. The user will be redirected to this url, an example is shown below :
https://example.com/sso/login?ssoToken=THE_SSO_TOKEN_TO_CHECK&consentId=THE_CONSENT_ID
The first steps to processing this endpoint are not different than what you did for the Token Verification, but adds a little complexity and information processing to the algorithm.
Essentially, you need to verify for the presence of the consentId in the request query parameters, and if it is present, create the user, register the user inside VisionsTrust and then relaunch the exchange process just as you do it in the Special case where the user has no account.
Below is a NodeJS + express code example of a method making all the verifications and that is able to process both if it is a regular exchange or an exchange where the user has no account in your platform.
const ssoRedirect = async (req, res, next) => {
const SSO_SERVER_JWT_URL = 'https://sso.visionstrust.com/sso/verifytoken';
// Try and obtain the ssoToken + the consentId from the request
const { ssoToken, consentId } = req.query;
// Build the request to the sso server accordingly depending on the presence of the consentId
const baseUrl = `${SSO_SERVER_JWT_URL}?ssoToken=${ssoToken}`;
const requestUrl = consentId ? `${baseUrl}&consentId=${consentId}` : baseUrl;
try {
// Verify the sso token wih the sso server
const ssoTokenVerificationResponse = await axios.get(requestUrl, {
headers: {
'content-type': 'application/json',
authorization: 'Bearer ' + YOUR_SSO_KEY,
},
});
// Try and obtain the resulting token and consentId if defined
const { token, consentId } = ssoTokenVerificationResponse.data;
// Decode the token
const decoded = await verifyJwtToken(token);
// Save the decoded data as you wish
// As stated it is useful to keep at least the globalSessionID in the user session
req.session.user = decoded;
try {
// Try and get an existing visionstrust user registered
// by your platform in VisionsTrust
const visionsUserGetResponse = await axios({
url: 'https://visionstrust.com/v1/users/' + decoded.email,
method: 'GET',
headers: {
'content-type': 'application/json',
authorization: 'bearer ' + YOUR_VISIONSTRUST_AUTH_JWT,
},
});
// If you already have a user then just log him in how you want
// This also means that the consentId is undefined as the exchange has already completed
req.session._vtUser = visionsUserGetResponse.data;
} catch (e) {
// No existing user registered by you found in VisionsTrust for this email
if (e.isAxiosError && e.response.status == 404) {
// Create a user with this email by first saving it in your DB to get an ID
// The ID is the userServiceID to specify in POST /users
const userCreateResponse = await createUser(req.session.user.email);
req.session._vtUser = userCreateResponse.data;
// Now that the user is created, you can relaunch the exchange process as you
// normally do in a situation where the user has no account in your service
if (consentId) {
try {
await relaunchProcess(userCreateResponse.data.userKey, consentId);
} catch (err) {
// Process errors
}
}
return next();
}
}
} catch (err) {
// Process errors
}
return next();
};
Infrastructure Services
For services who are neither data providers or consumers, but are services who can act on data before it being sent to the data receiver, such as interoperability services, data analysis services and such, VisionsTrust enables a protocol that allows just that.
This protocol allows a data consumer to request the use of these specific Infrastructure services to act on the data before it is received.
Overview
If you are already familiar on how the exchange protocol works, the specificities of the infrastucture service exchange protocol will not come as a surprise.
Below is a diagram demonstrating how this protocol works.
As you can see, the protocol is pretty much the same but the Infrastructure service is placed in between the Data Provider and the Data Consumer to be able to intercept the data before sending it back to the Data Consumer. It "impersonates" the Data Consumer service to make the data request to the Data Provider. This allows VisionsTrust to propose this protocol as an add-on that does not require any integration changes for the Data Provider or the Data Consumer.
VisionsTrust handles all the logic needed to send the consent (n#3) and the access token to the infrastucture service that the Data Consumer will have previously selected and authorized for that data exchange. VisionsTrust also handles which endpoint to provide the Data Provider (n#5) for it to send the data to the Infrastructure service instead of the Data Consumer directly.
The one extra step required for this protocol to work, is that the infrastructure service needs to know where to send the data in the end. This is why the step n#7 is in place, allowing for the infrastructure service to verify the signed consent it will have received as well as obtain the correct data import endpoint to which it should send the data after processing.
Integrations
This section goes more into details on the actual logic implementation required by the Infrastructure service in order for this protocol to work correctly.
Consent Import
This endpoint receives a payload of the following format. The actions to do on this endpoint are those defined in the consent import section of the regular exchange protocol.
{
signedConsent: string,
isInteropProtocol: boolean,
serviceExportUrl: string,
dataImportUrl: string,
}
Below is some example logic under NodeJs & Express on what this endpoint should do
app.post("/consent/import", async (req, res, next) => {
try {
const { serviceExportUrl, signedConsent, dataImportUrl } = req.body;
await axios({
url: serviceExportUrl,
method: "POST",
data: {
signedConsent: signedConsent,
dataImportUrl: dataImportUrl,
},
});
return res.status(200).json({ msg: "OK" });
} catch (error) {
next(error);
}
});
Data Import
This endpoint receives a payload of the following format. The actions to do on this endpoint differ from the ones defined in the regular data exchange protocol.
{
data: any,
dataImportUrl: string,
isInteropProtocol: boolean,
user: any,
signedConsent: string,
}
On this endpoint, it is required that you verify the received signedConsent with VisionsTrust in order to obtain the final endpoint to which you will be sending the data after being processed by your infrastructure service.
The endpoint to call is defined in the API documentation.
Below is some example logic under NodeJs & Express on what this endpoint should do
app.post("/data/import", async (req, res, next) => {
try {
// Send ok Response to requester
res.status(200).json({ message: "OK" });
// If you are not an interoperability service, you can just
// process the data here and be done with it
// The following applies for interoperability services
// If you are interoperability service, send the signed consent
// to VisionsTrust to check if it is an interoperability active
// consent exchange + get the final data receiver service url.
// As the documentation states, you should receive the signed
// consent as well as some user information in the import service.
// Use the signed consent to validate it and get the final data import endpoint
// and use the rest of the information received to build a request
// with a payload that should match the format of the one you received
const { data, user, signedConsent } = req.body;
const verification = await axios({
method: "POST",
url: "https://visionstrust.com/v1/consents/exchange/interop/verify",
data: {
signedConsent,
},
headers: {
"content-type": "application/json",
authorization: `Bearer YOUR_AUTH_TOKEN`,
},
});
const { dataImportUrl } = verification;
// PROCESS INTEROP DATA AS YOU PLEASE
const interopData = data; // Porcessed
// Send data to import service with a payload format matching the one
// you received
await axios({
method: "POST",
url: dataImportUrl,
data: {
data: interopData,
user,
signedConsent,
},
});
} catch (error) {
next(error);
}
});