Can we expose App-Signature-Key through a JavaScript API? #494
GabrielSieben started this conversation in Ideas
The App Signature Key requires an exchange of nonces, which is easy when using SEB Server and its REST endpoints. It seems to me that an implementation using the SEB JS API would be cumbersome. But we are working on a new feature called the Enhanced Config Key (ECK), which will allow verifying client integrity without the complexity of the ASK and a full SEB Server integration.
Hello,
For my custom LMS integration, it would be incredibly useful if there was an API exposing App-Signature-Key, similar to `SafeExamBrowser.security.appSignatureKey` or similar.
The reason for this is to skip the login screen when a user clicks "Start exam" in a remote BYOD scenario. It's important for me to verify the integrity of the client due to the existence of several public patch tools for current SEB versions. My current workaround is to create a generic SEB configuration profile which is used for every quiz in the app (with BEKs recorded for each platform), and then using the IP address of the incoming connection to figure out if the user is the same.
This has obvious weaknesses - if two users click "Start exam" on the same network within a minute of each other, they might be logged in as each other. If there is a VPN extension in the browser (or Apple's built-in iCloud Private Relay), that needs to be turned off as it could interfere. It would be much better if I could provide a server-generated config, but I would have no idea what the BEK would be and couldn't prevent patched versions. Having `SafeExamBrowser.security.appSignatureKey` would allow verifying the client while still server-generating the config, fixing all of my problems.
Thoughts? (Or, if there's a better way to handle this, what would it be? Alternatively, similar to how we have BEK, maybe we could have the key hashed with the current URL?)
Gabriel
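
The workaround in the post depends on the server recognising the BEKs recorded for each platform. As an added example (not part of the original post and not SEB's own code), this sketch checks the `X-SafeExamBrowser-RequestHash` header, assuming SEB's documented scheme of SHA-256 over the absolute request URL concatenated with the BEK; the key values, URL and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values: one recorded BEK per platform build (hex strings).
# Real BEKs are recorded from the genuine SEB build for each platform.
RECORDED_BEKS = {
    "windows": hashlib.sha256(b"constructed-windows-bek").hexdigest(),
    "macos": hashlib.sha256(b"constructed-macos-bek").hexdigest(),
}


def request_hash(url: str, bek_hex: str) -> str:
    """Hash the client is assumed to send: SHA-256(absolute URL + BEK), hex."""
    return hashlib.sha256((url + bek_hex).encode("utf-8")).hexdigest()


def match_platform(url, header_value, recorded=RECORDED_BEKS):
    """Return the platform whose recorded BEK reproduces the header, else None.

    `url` must be the absolute URL exactly as the client requested it; behind
    a reverse proxy, rebuild scheme and host before hashing or every genuine
    client will fail the check.
    """
    if not header_value:
        return None  # header missing: not SEB, or stripped on the way in
    presented = header_value.strip().lower().encode("utf-8")
    matched = None
    for platform, bek in recorded.items():
        expected = request_hash(url, bek).encode("utf-8")
        # Constant-time compare, and no early exit, so timing does not reveal
        # which recorded key (if any) was close to the presented value.
        if hmac.compare_digest(expected, presented):
            matched = platform
    return matched


if __name__ == "__main__":
    url = "https://lms.example/quiz/42/start"  # constructed URL
    genuine = request_hash(url, RECORDED_BEKS["macos"])
    print(match_platform(url, genuine))        # recorded build
    print(match_platform(url, "00" * 32))      # unknown or patched build
```

Because the hash covers the URL, a value captured for one page does not validate another, but it says nothing about which user sent it, which is why the post still has to fall back on IP matching.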