Geolocation & Authorization info collection #271

@AlexLobaciov

Summary:
Reference issue: saltedge/sca-identity-service-example#55

Task:

  • 1. On application setup or within the enrollment procedure (if you decide to go with logic described under point 1.3 here) - ask user for permission to collect his GPS data.
    • Text update: "The information on your location will be collected at the time when you authorize action. The collected information will be used for accurate Transaction Risk Analysis"

  • 2. User's location by GPS should determine the 'latitude' and 'longitude', collected data should be sent with action authorization response, see reference issue
  • 3. Additionally, method of user authorization, either Passcode or Biometrics - should be collected and sent with action authorization response, see reference issue
  • 4. Please update Mobile SDK accordingly

UPDATE

User flow:

PROTOTYPE = "SCA geolocation" page in default Figma file.

1) "Access to device location" (granting permission) when provider sets it as mandatory


A. Geolocation access after successful enrollment.

Once new connection is finished, user sees system window "Allow Salt Edge Authenticator to access this device's location?", with options "Allow only while using the app" and "Deny".

  1. User taps on "Allow only while using the app"
  • Access is granted (good-case scenario), system dialogue window closes, user can tap on "Done" to finish the enrollment.
  • If GPS is turned on, then all the following authorization requests will get geolocation info while app is in use only
  2. User taps on "Deny" (see paragraphs B & C)
  • Access to device location is not granted, system window closes, user can tap on "Done" to finish the enrollment
  • On "Connections" page, the connection status is "Grant access to location data" (see C for details)

B. Geolocation access if "Denied" after enrollment

If user refused to grant Salt Edge Authenticator permission to access geolocation data, then user should be asked about it once again later.

User got pending action authorization.

  1. For pending authorization request, by tap on "Allow" or "Deny", user sees dialogue window with explanation why geolocation data is required with title "Grant access to location", description "Your service provider is requesting you to provide your location data every time you are authorizing an action for accurate risk analysis.", and buttons "CANCEL" and "PROCEED".
  • Button "CANCEL" just closes the dialogue window (loop)
  • Button "PROCEED" opens again the system window with question "Allow Salt Edge Authenticator to access this device's location?", with options "Allow only while using the app", "Deny" and new one "Deny & don't ask again" (when same app asks this for second time).
  2. User sees system window to grant access to location service for the second time.
  • User taps on "Allow only while using the app". Access is granted, system dialogue window closes, user can tap on "Allow"/"Deny" to authorize action.
  • User taps on "Deny", system window closes and we have a loop (by tap on "Allow"/"Deny", dialogue window from point 1 is opened again)
  • User taps on "Deny & don't ask again", system window closes. The next time user taps on "Allow"/"Deny", dialogue window from point 1 is opened again, but the dialogue window now should have buttons "CANCEL" and "GO TO SETTINGS". Button "GO TO SETTINGS" opens "App info" page in Android Settings, where user has to manually grant permission to Location services.

As a result, it is required for user to grant permission to access geolocation services for this specific provider. Until then, user cannot authorize any action.


C. Connection status if access not granted

If user did not grant the access to location, user can see a different connection status:

  1. On "Connections" page, the connection status is "Grant access to location data" and marked with yellow color (FFC130 - for both dark and light themes). The connection menu contains new field "Access to Location".
  2. By tap on "Access to Location", dialogue window opens with explanation why geolocation data is required with title "Grant access to location", description "Your service provider is requesting you to provide your location data every time you are authorizing an action for accurate risk analysis.", and buttons "CANCEL" and "PROCEED".
  • Button "CANCEL" just closes the dialogue window and takes user to standard view of the "Connection" page
  • Button "PROCEED" opens again the system window with question "Allow Salt Edge Authenticator to access this device's location?", with options "Allow only while using the app", "Deny" and "Deny & don't ask again" (when app asks this for second time).
  3. If user has previously answered "Deny and don't ask again" when asked about granting permission to location data, then the dialogue window should have buttons "CANCEL" and "GO TO SETTINGS"
  • Button "GO TO SETTINGS" opens "App info" page in Android Settings, where user has to manually grant permission to Location services.

2) "Enable GPS" (turn on location service) when provider sets geolocation data as mandatory

If access to geolocation data is granted for Salt Edge Authenticator app, but GPS service is currently disabled/turned off, then when user got pending action authorization, by tap on "Allow" or "Deny", user sees dialogue window with title "Enable GPS", description "Please enable GPS. Your service provider is requesting your location for accurate risk analysis.", and buttons "CANCEL" and "ENABLE"

  • Button "CANCEL" just closes the dialogue window
  • Button "ENABLE" should turn on the GPS service.
  • If button "ENABLE" cannot directly turn on the GPS service, then, as a fallback option, user should be taken to "Location" settings in Android Settings, where he turns on GPS manually and once he is back to Salt Edge Authenticator, he is allowed to authorize action via "Allow" and "Deny" buttons.

3) "Access to device location" and enabling GPS when provider sets it as optional

  1. Access to geolocation. After enrollment, ask user once for the access to location data
  • if user taps on "Allow while using the app" - good, let's collect this data during action authorization and if GPS service is turned on
  • if user taps on "Deny" - user does not want to share this data, and app should not ask user again about it (for this provider)
  • there is no change in Connection status
  2. Enabling GPS:
  • Don't ask user to turn on GPS when authorizing the action, even if access to location data permission is granted

Thanks!
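
The decision rules from sections 1-3 as pure Kotlin, added here as an example; it is not part of the original issue or of the Salt Edge Authenticator code base. All type and function names are hypothetical; the dialogue titles, button labels and status text are the ones quoted above. For a mandatory provider the logic fails closed: no authorization response is sent without location data.

```kotlin
// Added example. Hypothetical names; no Android APIs are called here.
enum class LocationPolicy { MANDATORY, OPTIONAL }
enum class PermissionState { NOT_ASKED, GRANTED, DENIED, DENIED_DONT_ASK_AGAIN }
enum class DialogButton { CANCEL, PROCEED, GO_TO_SETTINGS, ENABLE }

sealed class AuthorizeStep {
    // Send the "Allow"/"Deny" response; includeLocation = attach latitude/longitude.
    data class Send(val includeLocation: Boolean) : AuthorizeStep()
    // Block the response and show an explanation dialogue instead.
    data class ShowDialog(val title: String, val buttons: List<DialogButton>) : AuthorizeStep()
}

// What happens when the user taps "Allow" or "Deny" on a pending authorization.
fun onAuthorizeTap(policy: LocationPolicy, permission: PermissionState, gpsEnabled: Boolean): AuthorizeStep {
    val granted = permission == PermissionState.GRANTED
    if (policy == LocationPolicy.OPTIONAL) {
        // Section 3: never prompt at authorization time; send location only if available.
        return AuthorizeStep.Send(includeLocation = granted && gpsEnabled)
    }
    return when {
        granted && gpsEnabled -> AuthorizeStep.Send(includeLocation = true)
        // Section 2: permission granted but GPS is turned off.
        granted -> AuthorizeStep.ShowDialog("Enable GPS",
            listOf(DialogButton.CANCEL, DialogButton.ENABLE))
        // Section 1.B: the system dialogue can no longer be shown, so route to App info.
        permission == PermissionState.DENIED_DONT_ASK_AGAIN ->
            AuthorizeStep.ShowDialog("Grant access to location",
                listOf(DialogButton.CANCEL, DialogButton.GO_TO_SETTINGS))
        // Section 1.B: denied once (or never asked), so explain and ask again.
        else -> AuthorizeStep.ShowDialog("Grant access to location",
            listOf(DialogButton.CANCEL, DialogButton.PROCEED))
    }
}

// Section 1.C: status override on the "Connections" page; null means no change.
fun connectionStatusOverride(policy: LocationPolicy, permission: PermissionState): String? =
    if (policy == LocationPolicy.MANDATORY && permission != PermissionState.GRANTED)
        "Grant access to location data" else null

fun main() {
    // Constructed sample states covering each branch.
    println(onAuthorizeTap(LocationPolicy.MANDATORY, PermissionState.GRANTED, true))
    println(onAuthorizeTap(LocationPolicy.MANDATORY, PermissionState.GRANTED, false))
    println(onAuthorizeTap(LocationPolicy.MANDATORY, PermissionState.DENIED, true))
    println(onAuthorizeTap(LocationPolicy.MANDATORY, PermissionState.DENIED_DONT_ASK_AGAIN, true))
    println(onAuthorizeTap(LocationPolicy.OPTIONAL, PermissionState.DENIED, true))
    println(connectionStatusOverride(LocationPolicy.MANDATORY, PermissionState.DENIED))
}
```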

Labels: "P: High" (High priority issue), "T: To improve" (New feature or request)
