Saturday - last edited 7 hours ago
Hello, I know it is possible to get the user id of a user:
But is it possible to verify it?
Let's say I make an Add-on that I sell.
ACAPI_Protection_GetGSIDUserId
Seems like a good identifier to tie a license of the Add-on to, because it represents an Archicad user.
So to purchase a license for the Add-on, the user just has to provide this ID (or, if the purchase is done in the Add-on, it can be retrieved), and it is stored on a license server.
Then the Add-on can retrieve the same ID and check if it exists on the license server to verify that the user "has" a license to the Add-on.
Problem is that I don't know how to verify this ID on the license server, how can the license server (or other 3rd party systems) know that the id it gets is a valid Graphisoft user ID?
Is it possible to get a signed Graphisoft user ID that can be verified? Or a token of some sort that a 3rd party system can verify with a Graphisoft-controlled server?
Paid Add-ons I've seen often require the user to register separately in their system with traditional email + password. But if you were able to trust the Graphisoft user ID (and additionally the organization ID) you could make a system where the user can access their 3rd party Add-on licenses through their Graphisoft account.
Sunday
I don't believe there is any way to obtain information about an ID from Graphisoft. But if you support purchasing through an add-on, presumably you can be confident that the ID it submits to your server is legitimate?
Monday - last edited Monday
Thanks for the answer. Yes, I can trust the Add-On, but the license server cannot be confident that what it receives was submitted from the Add-On.
A technical user could submit (using tools separate from the Add-On) the Graphisoft user ID of another user to get access to their Add-On licenses. They could also circumvent any 30-day Add-On trial by sending random strings as user IDs (interpreted as new users on the license server).
The Add-On could sign the user ID before sending, but that requires distributing a private key with the Add-On. Would be nice if assurance could come from Graphisoft.
yesterday
Is it possible to request the device name? Basically a second point of identification to make spoofing more of a hassle?
Ling.
| AC22-29 AUS 3200 | Help Those Help You - Add a Signature |
| Self-taught, bend it till it breaks | Creating a Thread |
| Win11 | i9 10850K | 64GB | RX6600 | Win11 | 5900X | 32GB | GTX2080TI |
yesterday - last edited yesterday
Yeah, but a legitimate user could use different devices with the same account. So the server cannot know whether an unrecognized device ID for a specific Graphisoft user ID is illegitimate or not.
14 hours ago
Much like Adobe, you could allow two or three devices, with a request to the server required for a reset. Unless a person hotdesks, they are probably not working on more than three devices. It would also reduce trial time limit circumvention, as the user would need to change their device name as well each time, which could cause other inconveniences.
Ling.
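The device cap and device-keyed trial suggested in this thread could look like this on the license server. This is an added example, not code from any poster or from Graphisoft. It assumes the Add-on can report some device identifier alongside the user ID, and the class, method and status names are hypothetical.

```python
"""Server-side device cap and device-keyed trial (illustrative sketch)."""
from dataclasses import dataclass, field

MAX_DEVICES = 3   # "two or three devices", as suggested in the thread
TRIAL_DAYS = 30   # trial length mentioned in the thread


@dataclass
class LicenseServer:
    licensed: set = field(default_factory=set)       # user IDs with a paid license
    devices: dict = field(default_factory=dict)      # user ID -> set of bound device IDs
    trial_start: dict = field(default_factory=dict)  # device ID -> day the trial began

    def activate(self, user_id: str, device_id: str, today: int) -> str:
        """Decide what an Add-on reporting (user_id, device_id) may do.

        `today` is a plain day counter to keep the sketch self-contained.
        Both identifiers are still client-reported: this raises the effort
        of reusing another user's ID, it does not prove the ID is genuine.
        """
        if user_id in self.licensed:
            bound = self.devices.setdefault(user_id, set())
            if device_id in bound:
                return "licensed"
            if len(bound) >= MAX_DEVICES:
                return "device-limit"  # user must ask the server for a reset
            bound.add(device_id)
            return "licensed"
        # Unlicensed: the trial clock is keyed on the device, so sending a
        # fresh random user ID from the same device does not restart it.
        start = self.trial_start.setdefault(device_id, today)
        return "trial" if today - start < TRIAL_DAYS else "trial-expired"

    def reset_devices(self, user_id: str) -> None:
        """Handle a reset request: forget all devices bound to this user."""
        self.devices.pop(user_id, None)


def demo() -> list:
    """Run constructed requests: four devices for one licensed user."""
    server = LicenseServer(licensed={"user-A"})  # constructed sample ID
    return [server.activate("user-A", f"pc{i}", today=0) for i in range(1, 5)]


if __name__ == "__main__":
    print(demo())
```
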