This section explains how to generate a Login Key for Single Sign-on when using Glance Cobrowse. Login Key features and format, usage examples, and security considerations are also discussed.
What is the Glance Login Key?
The Glance Login Key is a time-limited token issued by a partner or customer, used to authenticate a user to various Glance services.
The Login Key is passed on https: or glance: URLs in one of the following ways:
- Appended to the username (a Glance Address, for example fred.glance.net) after a tilde:
- Passed along with Partner ID and Partner User ID parameters, typically:
A Glance user is uniquely identified by either a username or a Partner ID/Partner User ID pair.
- Uses current best practice SHA-2 family of hashes.
- Expiration period selectable by the customer.
- Includes algorithm versioning to allow future changes with backward compatibility.
The Login Key format is identified by a leading dollar sign. (This distinguishes it from the previous format login key.)
|[ver]|Must be 1 for this version of the key algorithm.|
|[expirationtime]|The Unix (POSIX) epoch time: the decimal number of seconds since 00:00:00 UTC Jan 1 1970. There is also a maximum time in the future for a valid expiration time (currently set to one day) to protect against keys accidentally generated with extended expiration times.|
HMAC_SHA256 takes (secret key, message) arguments and generates a hash-based message authentication code.
Note: SHA-256 is the 256-bit variant of SHA-2.
The second (message) argument is the string concatenation of the four values.
The HMAC must then be encoded as Base64URL (RFC 4648) without any trailing padding ("=") characters.
The resulting Login Key is 57 characters long.
Visit Glance Login Key Check to view an HTML page with a form to generate and test login keys.
Typically, key generation will be done by server-side code to protect the API Key.
.NET C# Sample
// requires: using System;
public static string GenerateLoginKey(int partnerId, string partnerUserId,
    int expirationSeconds, string apikey)
{
    const int ver = 1;
    // Expiration time as Unix epoch seconds (UTC)
    DateTime expires = DateTime.Now.AddSeconds(expirationSeconds);
    DateTime epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    int expiration = Convert.ToInt32((expires.ToUniversalTime() - epoch).TotalSeconds);
    // Message: the four values (partner ID, partner user ID, version, expiration time)
    string message = partnerId.ToString() + partnerUserId.ToString() + ver.ToString()
        + expiration.ToString();
    var encoding = new System.Text.UTF8Encoding();
    // The API Key is the HMAC secret key
    var hmac = new System.Security.Cryptography.HMACSHA256(encoding.GetBytes(apikey));
    string hash = Convert.ToBase64String(hmac.ComputeHash(encoding.GetBytes(message)));
    hash = hash.Substring(0, 43).Replace('+', '-').Replace('/', '_'); // base64url no padding
    string loginkey = '$' + ver.ToString() + '$' + expiration.ToString() + '$' + hash;
    return loginkey;
}
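As an added example (not part of the original page and not Glance's own code), the Python code below generates a key and then checks it against the rules stated above: leading dollar sign, version, expiration, the one-day maximum, and the HMAC. The function names, the `now` parameter and the reason strings are assumptions; the message order follows the C# sample, with the expiration time assumed to be the fourth value.

```python
import base64
import hashlib
import hmac
import time

VERSION = 1
MAX_LIFETIME = 24 * 60 * 60  # page: expiration at most one day in the future


def _mac(api_key, partner_id, partner_user_id, ver, expiration):
    # Assumed message order, following the C# sample: partner ID, partner
    # user ID, version, expiration time, concatenated as decimal strings.
    message = f"{partner_id}{partner_user_id}{ver}{expiration}".encode("utf-8")
    digest = hmac.new(api_key.encode("utf-8"), message, hashlib.sha256).digest()
    # Base64URL (RFC 4648) with the trailing "=" padding removed: 43 chars.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def generate_login_key(partner_id, partner_user_id, lifetime, api_key, now=None):
    now = int(time.time()) if now is None else now
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 second and one day")
    expiration = now + lifetime
    mac = _mac(api_key, partner_id, partner_user_id, VERSION, expiration)
    return f"${VERSION}${expiration}${mac}"


def check_login_key(key, partner_id, partner_user_id, api_key, now=None):
    """Return (ok, reason) for a key, applying the rules the page states."""
    now = int(time.time()) if now is None else now
    parts = key.split("$")
    if len(parts) != 4 or parts[0] != "":
        return False, "format"  # must be $ver$expiration$hmac
    _, ver, expiration, mac = parts
    if ver != str(VERSION):
        return False, "version"
    if not (expiration.isascii() and expiration.isdigit()):
        return False, "format"
    exp = int(expiration)
    if exp <= now:
        return False, "expired"
    if exp - now > MAX_LIFETIME:
        return False, "expiration too far in the future"
    expected = _mac(api_key, partner_id, partner_user_id, VERSION, exp)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "hmac"
    return True, "ok"
```

Passing a fixed `now` makes the checks reproducible in unit tests; in production both functions default to the current time.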
A Login Key can be used instead of supplying a Glance username and password when accessing various Glance services.
The Login Key can be used to start a screen-sharing session in the following ways:
- Passing it to a web page that checks for an installed client, optionally installs it, and signals it to start a session:
- Passing it on a glance:// URL to invoke the glance client:
It can also be used to allow an agent to join a cobrowsing session as detailed in the Cobrowse Getting Started section.