Based on #90, where it is suggested to store the product name along with the license key, I'm wondering what other data might be worth storing along with the key. What comes to mind:
I'm thinking about providing a base64-encoded list with the key and all of the above data to my users, and have it stored somewhere on their computers. It seems a bit weird at first sight, especially with offline licenses, to provide the verify key along with the license key. Could this be abused in some way?
Replies: 1 comment 1 reply
You can add this data yourself using a custom key dataset during license creation. We don't include e.g. product name because it can change, rendering the license key outdated (and unable to be updated without generating a brand new key). But feel free to add this data during license creation if you are aware of the risks.

Or better yet, use a license file to store this information, checked out by an admin. Admins can include the product and policy objects using ?include=product,policy during checkout. License files allow you to embed this type of data in a way that can be "refreshed" later on via a subsequent checkout, instead of requiring a new license to be created when the embedded da…

Regarding public keys — I DO NOT recommend making that a variable. If you do, nothing stops a bad actor from crafting their own key license with their own public key inside of it, which will then pass verification (since you're trusting the public key embedded inside of the license key). As a rule of thumb, you should not trust any data that is user-supplied unless its source can be cryptographically verified to be from a trusted source. Ditto for account IDs and URLs, since that would allow them to easily redirect your integration to a different account/host.

I recommend hard-coding your public key, account ID, and URLs, into your application's code. This is what we do at Keygen to license Keygen EE using license files. Outside of cracking your application, this can't be bypassed.
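
The difference between trusting a verify key shipped with the license and a hard-coded one, as an added example that is not part of the original discussion and not Keygen's code. The `Bundle` type, the function names and the sample payload are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Bundle is a constructed stand-in for the "key plus extra data" blob from the
// question; it is not Keygen's license format.
type Bundle struct {
	Payload   []byte            // signed license data, e.g. product name
	Sig       []byte            // Ed25519 signature over Payload
	VerifyKey ed25519.PublicKey // verify key shipped next to the license
}

// sign issues a bundle with whatever key pair the caller holds.
func sign(pub ed25519.PublicKey, priv ed25519.PrivateKey, payload string) Bundle {
	return Bundle{[]byte(payload), ed25519.Sign(priv, []byte(payload)), pub}
}

// verifyEmbedded trusts the key inside the bundle: any self-signed bundle passes.
func verifyEmbedded(b Bundle) bool {
	return len(b.VerifyKey) == ed25519.PublicKeySize &&
		ed25519.Verify(b.VerifyKey, b.Payload, b.Sig)
}

// verifyPinned ignores b.VerifyKey and checks against the key compiled into the app.
func verifyPinned(pinned ed25519.PublicKey, b Bundle) bool {
	return ed25519.Verify(pinned, b.Payload, b.Sig)
}

// scenario builds one vendor-signed and one self-signed bundle (both constructed)
// and reports how each verifier treats them.
func scenario() (genuineOK, selfSignedEmbedded, selfSignedPinned bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // vendor key; pub is hard-coded in the app
	otherPub, otherPriv, _ := ed25519.GenerateKey(nil)   // key pair not controlled by the vendor
	genuine := sign(vendorPub, vendorPriv, `{"product":"Example App"}`)
	selfSigned := sign(otherPub, otherPriv, `{"product":"Example App"}`)
	return verifyPinned(vendorPub, genuine),
		verifyEmbedded(selfSigned),
		verifyPinned(vendorPub, selfSigned)
}

func main() {
	g, e, p := scenario()
	fmt.Printf("genuine/pinned=%v self-signed/embedded=%v self-signed/pinned=%v\n", g, e, p)
}
```

The self-signed bundle is accepted by `verifyEmbedded` and rejected by `verifyPinned`, which is why the verify key belongs in the application binary and not in user-supplied data.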