Integration¶
Architecture overview¶
To access the XpressID service, Veridas will provide you with the following credentials:
- XpressID_URL: This URL varies depending on the environment (sandbox: https://xpressid-web-work.eu.veri-das.com or production: https://xpressid-web.eu.veri-das.com), region, and other factors. Veridas will provide you with the appropriate URL based on your needs. Use this URL with the XpressID module for seamless integration.
- XpressID_API_URL: This URL also varies depending on the environment and region (sandbox: https://api-work.eu.veri-das.com/xpressid or production: https://api.eu.veri-das.com/xpressid). It points directly to the XpressID application, specifically for the authentication API. Veridas will provide you with this URL as well.
- API_KEY: This is a unique identifier for your client account. Keep this API key confidential and secure as it grants access to your XpressID services through the
XpressID_API_URL
.
To ensure compliance with Veridas' security protocols, clients must provide information regarding the server IPs where XpressID integration is planned. It's important to note that this security measure is exclusive to production environments and does not apply to the sandbox.
Achieving a functional integration of the XpressID service within a customer's infrastructure necessitates interaction with two key elements.
Authentication API¶
To obtain the access tokens necessary for the XpressID module, it is imperative that requests be initiated exclusively from your backend system. These requests should encompass your onboarding flow configuration. The API_KEY
value is particularly crucial in this context. For enhanced security, it is strongly advised to implement precautionary measures, including incorporating a login step before accessing XpressID. Additionally, introducing a captcha step to mitigate potential abuse and enforcing a rate limit mechanism to prevent multiple requests from the same IP address are recommended practices.
Moreover, it is advisable to integrate Distributed Denial of Service (DDoS) mitigation measures to fortify the system against potential malicious attacks. These collective measures contribute to a robust security framework, safeguarding the XpressID integration and ensuring a secure and reliable operation of the service within your application's ecosystem.
XpressID Module¶
In this context, XpressID module is seamlessly integrated into the application as a library, using both the XpressID_URL
and the ACCESS_TOKEN
obtained during the authentication API step. The Android code for XpressID is designed for frontend implementation. However, to maintain security, refrain from including the API_KEY
variable in the frontend. Manage the API_KEY
exclusively within the backend, where robust security measures can be implemented to mitigate the risk of exposing confidential data through the frontend. A valid XpressID_URL
and access token are essential for a successful launch, emphasizing the need for secure backend handling during the authentication process.
The recommended architecture of a solution with a native application using XpressID service should follow next diagram.
Interaction | Description |
---|---|
1 | The user logs in within your frontend application. |
2 | Your backend application requests a token from XpressID Auth API using the XpressID_API_URL and the API_KEY . You can check how the request is made here |
3 | XpressID Auth API returns the response for the token request. |
4 | Your backend application processes the response from the token request to return the ACCESS_TOKEN to your frontend application. |
5 | Your frontend application will use the XpressID_URL and the ACCESS_TOKEN to launch the XpressID Module. You can see how the module integration works here. |
6 | Module will notify your frontend application when the process is completed. |
Module integration¶
The following steps present the preparations that must be made in order to use XpressID module within your Android application.
This subsection refers to the Your Frontend App (Native)
block from the diagram above.
-
Create a new Android project (or use an existing one).
-
Add all XpressID-Android distributables (.aar/.jar) to the
app/libs
folder: -
Update app's
build.gradle
file to set the implementations of all .aar and .jar packages present in app/libs folder, adding next line:Groovy
ktsimplementation fileTree(dir: 'libs', include: ['*.aar', '*.jar'])
implementation(fileTree(mapOf("dir" to "libs", "include" to listOf("*.jar","*.aar"))))
-
Add the XpressID module dependencies to app's
build.gradle
file:Groovy
ktsimplementation "com.github.bumptech.glide:glide:4.12.0" implementation "com.airbnb.android:lottie:6.0.0" implementation "com.google.android.gms:play-services-mlkit-face-detection:16.2.1" implementation "net.lingala.zip4j:zip4j:2.9.1" implementation "com.squareup.okhttp3:okhttp:4.10.0" implementation "org.jetbrains.kotlinx:kotlinx-serialization-json:1.3.2" implementation "com.auth0.android:jwtdecode:2.0.1" implementation "androidx.legacy:legacy-support-v13:1.0.0"
implementation ("com.github.bumptech.glide:glide:4.12.0") implementation ("com.airbnb.android:lottie:6.0.0") implementation ("com.google.android.gms:play-services-mlkit-face-detection:16.2.1") implementation ("net.lingala.zip4j:zip4j:2.9.1") implementation ("com.squareup.okhttp3:okhttp:4.10.0") implementation ("org.jetbrains.kotlinx:kotlinx-serialization-json:1.3.2") implementation ("com.auth0.android:jwtdecode:2.0.1") implementation ("androidx.legacy:legacy-support-v13:1.0.0")
-
Update app's
build.gradle
dependencyandroidx.core:core-ktx
to version1.12.0
.
This will also require to setcompileSdk 34
. -
Add next block inside
android
section within app'sbuild.gradle
file:Groovy
ktsviewBinding { enabled = true }
viewBinding { enable = true }
-
Add
largeHeap
parameter into theAndroidManifest.xml
as follows:<application android:largeHeap="true"> </application>
-
Add
tools:replace
parameter into theAndroidManifest.xml
as follows:<application tools:replace="android:theme"> </application>
-
Implement the interface named
XpressID.XpressIDDelegate
. - Call the module start method
XpressID.start()
using a valid XpressID_URL and access token. (See the integration example for more details).
Once the XpressID process completes or an error occurs, the callback method onXpressIDFinished() will be invoked by XpressID module; indicating whether the process has completed successfully or, on the contrary, there was an error.
Example: Module integration (Kotlin)¶
This example presents the minimal code you need to add to your Android application in order to run XpressID module and at this point you will need the XpressID_URL and a valid Access_Token.
This subsection refers to the steps 9 and 10 of the module integration section.
class MainActivity : XpressID.XpressIDDelegate, AppCompatActivity() {
private val XPRESSID_URL = "Your XpressID_URL"
private val ACCESS_TOKEN = "Your Access_Token"
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
setContentView(R.layout.activity_main)
try {
XpressID.start(this, this, XPRESSID_URL, ACCESS_TOKEN)
} catch (error: Exception) {
println(error)
}
}
override fun onXpressIDFinished(successfully: Boolean, error: XpressIDError?) {
println("onXpressIDFinished | successfully: $successfully | error: ${error?.message}")
}
}