Soracom Endorse
URL Redirection
Because Soracom Endorse's Request Parameters option carries arbitrary request parameters through into the issued token, we can pass any data that is useful for authorizing access to a network resource simply by appending it to the HTTP token request:
curl "https://endorse.soracom.io?username=sora"
We can then combine the additional request parameters with Endorse's redirect_url behavior to create a login page that authorizes logins based on username and IMSI, rather than username and password.
Components
Endorse Options
To do this, we need to first enable the following Endorse options:
- Items to include in token: IMSI and Request parameters
- Allow origin: https://myserver.example.com
- Authorized redirect URLs: https://myserver.example.com/login
Login Page
Next, we need to build a simple login page with a username field, which will POST an HTTP request to Endorse, including our desired redirect_url in the POST URL and our username in the POST body:
- HTTP request URL: https://endorse.soracom.io?redirect_url=https://myserver.example.com/login
- HTTP request body: username=sora
Issue Token and Redirect
When we submit our form while connected over a Soracom Air cellular connection, Endorse will issue a token and return an HTTP redirect response to https://myserver.example.com/login, with the issued token and username as the POST body.
Our server will receive the redirected request, along with the following POST body content:
soracom_endorse_token={ENDORSE-TOKEN}
Server Verification
We can then use a JWT library to decode the header and payload of the token. In order to authorize access:
- Our server should download the public key indicated by the kid property in the JWT header.
- Our server should then verify the token signature using that public key. If the signature is valid, then:
  - Decode the payload of the token in order to extract the username (provided by the Request parameters option) and the imsi (provided by Endorse).
  - Our server should finally confirm that the username and imsi match existing records, and proceed with logging the user in.
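The server-side verification flow above, written out as an added example; this is not Soracom's code and not a real Endorse key. To stay self-contained it generates a throwaway RSA key pair locally and looks the public half up in a dict by kid, where a real server would download the key named by the kid in the token header. The claim names username and imsi follow the page; the exp claim, the key identifier endorse-demo-key, the sample IMSI and the user record table are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import math
import random
import time
import urllib.parse

# --- Constructed stand-in for the Endorse signing key (NOT a real Endorse key) ---
# Endorse signs tokens with its private key and publishes the public key under the
# "kid" named in the JWT header. For a self-contained demo we generate a small RSA
# key pair here and keep its public half in a dict keyed by kid; a real server
# downloads the key for that kid instead of looking it up locally.

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; adequate for a demo key, not a production one."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_rsa_key(bits=1024):
    """Return (private_key, public_key) as ((n, d), (n, e))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, pow(e, -1, phi)), (p * q, e)

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(private_key, message):
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(public_key, message, signature):
    """RS256 check: recover the padded digest with the public key and compare."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _emsa_pkcs1_v15(message, k))

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(private_key, kid, claims):
    """Stand-in for Endorse issuing a token: header.payload.signature (RS256)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(rsa_sign(private_key, signing_input.encode()))

def verify_endorse_token(token, fetch_public_key, now=None):
    """Return the verified payload, or raise ValueError if any check fails."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "RS256":   # pin the algorithm; never trust 'alg' from the token
        raise ValueError("unexpected alg")
    public_key = fetch_public_key(header.get("kid"))  # download/lookup by kid
    if public_key is None:
        raise ValueError("unknown kid")
    if not rsa_verify(public_key, (parts[0] + "." + parts[1]).encode(), _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(parts[1]))   # only decode claims after the signature check
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:   # assumption: token carries an exp claim
        raise ValueError("token expired")
    return payload

def authorize_login(post_body, fetch_public_key, records, now=None):
    """Handle the redirected POST body; return the username to log in, or None."""
    token = urllib.parse.parse_qs(post_body).get("soracom_endorse_token", [None])[0]
    if not token:
        return None
    try:
        payload = verify_endorse_token(token, fetch_public_key, now)
    except ValueError:
        return None
    username, imsi = payload.get("username"), payload.get("imsi")
    if username is None or imsi is None or records.get(username) != imsi:
        return None   # username from the request parameters must match the IMSI on file
    return username

# Constructed key store and user records (assumptions for this example).
PRIVATE_KEY, PUBLIC_KEY = generate_rsa_key()
KEY_STORE = {"endorse-demo-key": PUBLIC_KEY}
USER_RECORDS = {"sora": "440101234567890"}   # username -> IMSI on file

def fetch_public_key(kid):
    """Stand-in for downloading the key named by kid; None if it is unknown."""
    return KEY_STORE.get(kid)

if __name__ == "__main__":
    token = issue_token(PRIVATE_KEY, "endorse-demo-key",
                        {"username": "sora", "imsi": "440101234567890", "exp": int(time.time()) + 300})
    print(authorize_login("soracom_endorse_token=" + token, fetch_public_key, USER_RECORDS))
```

The order of checks is the point: pin the algorithm, resolve the key strictly by kid, verify the signature over the raw header and payload segments, and only then read claims and compare them with the records on file. A token for a username whose IMSI differs from the one on record, a token signed with a key other than the one published for that kid, or a token whose payload was altered after signing all fail before any login happens.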