6.2 Obtaining an extension token for Select Security Device

Before you can call the MyID Client Service API to open the Select Security Device dialog authenticated with the logged-on operator, you must obtain an extension token for this particular operation – this is a short-lived authorization code for a single use.

Note: This authenticated mode provides user images and full names on the smart card selection screen based on the scope and administration groups of the logged-on user. If you do not need to display this additional detail, you can call the SelectCard method of the MyID Client Service API without the Token parameter; in this case, you do not need to obtain an extension token.

To use authenticated mode, you must ensure that the MyID web.oauth2 server is configured to allow a scope of myid.devicepicker. Check the appsettings.json file (by default, in the C:\Program Files\Intercede\MyID\web.oauth2\ folder) for the following:

• In the Scopes array, a scope called myid.devicepicker exists, with the following UserClaims:

  • deviceDetectContext

  • op

  • myidSessionId

• In the ApiResources array, for the resource with name myid.mws, the scope myid.devicepicker is in the Scopes array.

• In the Clients array, for the client with ID myid.mcs, the scope myid.devicepicker is in the AllowedScopes array.

To obtain the extension token:

1. Post the following information to the MyID token URL:

   https://<server>/web.oauth2/connect/token

   • client_id – set this to myid.mcs

   • grant_type – set this to operation

   • op – set this to the ID of the Read Card (Authenticated) operation. This is 100221.

   • scope – set this to myid.devicepicker

   • token – set this to your existing authorization token.

     See section 3.3, Obtaining a server-to-server access token, section 4.2, Obtaining an end-user based access token using PKCE, or section 4.3, Obtaining an end-user based access token using a client secret for details.

   • deviceDetectContext – reserved for future use. Leave as an empty query parameter.

2. Capture the access token that is returned.

   You can now use this access token in the Token argument of the SelectCard method of the MyID Client Service API to launch the Select Security Device dialog authenticated with the logged-on operator.