Hello,
I’ve just studied juce tutorial: tutorial_online_unlock_status
And there is shown how to set online authorisation.
But it looks like user need to be online every time always app is opened. At least after that tutorial the testapp works like that.
But as I found many plugins on the market can be authorised without internet connection. I wonder if there is any solution for such authorisation in JUCE framework.
The tutorial on product unlocking is a bit incomplete as it doesn’t mention the offline part, although OnlineUnlockStatus supports it, in a sense that an interface is designed to accommodate offline activation feature while leaving its implementation to the user. The big picture is that the server returns a signature of the user’s device ID, and the client side stores this signature. On the following startups, the client verifies this signature using the public key and check if device ID matches.
Hey,
Did you ever resolve this and would like to share your code? I’m also looking in to unlocking with a serial and then storing it on a local file so the user doesn’t have to be online anymore.
Yes I solved it in my way. I can’t share the code. At first it is my sweet secret 
But it is also a lot of code, I think too much to share it on the forum. But I can try to explain my solution.
I give in my plugins option to authorise my plugin when user is online. And that works the same as shown in mentioned tutorial
And I also give give option to authorise plugin when user is offline. But actually user still need to have access to internet, but smartphone is enough. And the procedure is:
) algorithm I make some ciphering to achieve 6 characters code.And that’s it. Of course in short words.
I am happy with that solution, and I my clients don’t complain.
The problem with that solution is that sometimes when user update his system, or buy new computer then in most cases there is new unique machine ID, so user need to authorise the plugin again.
Hey! Thank you so much for responding! I’m actually looking at a solution called keyzy which handles most of these functions, your answer helps me a lot in understanding.
Will report back when i have the code running!
+1 for keyzy!
Hey Gustav,
Do you have working code to unlock with keyzy?
Kr,
Wim
Yes, but nothing to share because it’s for commercial products. Anyway, it wasn’t hard to integrate and the support is great!
Ah damn, anything you could share would be highly appreciated, without keys off course 
Hi,
I agree that I feel the tutorial is a bit incomplete. It’s a good example, but not very adaptable. I am using a server backend provided by wordpress plugins. So the License-Key Manager plugin has a specific api, I send it a post request, and it sends back a json.
I now have to generate some sort of encrypte keyfile based off this response, and the machine ID, so it cant be replicated across computers.
My basic idea is that on startup, before anything, it checks if the keyfile/license file exists. If it does, try to decrypt with the private key (?), and if thats successful, the machine ID should be contained which can be checked for double security.
(Could use the machine ID as the key?)
I am really not the most savvy when it comes to cryptography, so I’d appreciate any thoughts.
Cheers
So the common pattern to use here is that you’d have your Wordpress API return a JSON blob that is either encrypted using your private key, or signed using your private key. That way, storing this JSON on the device would be enough validation that it is indeed a valid activation, and by shipping your public key with the plugin, you can either decrypt or verify the signature in the JSON.
Never ever ship your private key with plugins!! That would allow anyone to generate valid activations for your products.
And then, indeed, on startup you can check the license (which can simply be the JSON you got from the API in the first place), and that JSON should contain the machine ID, and also still be valid according to the public key you shipped. This is a pattern that’s been working very well for us, and we also use this for offline activations by simply shipping blobs in files to be copied to the destination machine by hand.
Very interesting, thanks for your response. Yeah I think I was overcomplicating it for myself.
I just need to clarify a couple pronouns because its a bit ambiguous.
When you say signed with “your” private key, do you mean from the server, or the client?
So the whole json blob is encrypted?
I can’t find any option to encrypt the response from the API.
Trying to wrap my head around this properly.
Cheers,
Dario
When I say “your” private key, I mean a server side private key. Because if you’d ship a private key with your plugins, it would be trivial for anyone to extract that and generate new activations for any machine for your products, effectively enabling key generators to exist.
The core idea behind software licensing is to protect the authority that is allowed to verify machine activations of your products. So your plugins needs to be able to verify that a certain key file or license file or whatever you want to call it, indeed originated from your server/authority.
I’m not sure what sort of Wordpress plugin you have to deal with this, maybe that API has other ideas on how to do this securely, but I would say that any license files being distributed from APIs needs either an encryption or a signature using a private key. Anything else opens up for attacks on the DRM you are implementing, where actors could host alternative APIs to unlock your software. This is all avoided by shipping a public key together with your plugin, which can be used to verify the source of the license file.
Of course, there are other threads on this forum where people have found that simple approaches that are not bulletproof are also viable, in which case, simpler checks like this API seems to suggest might be enough.
I might be missing something,
I looked up a couple other wordpress plugins that do similar things and can’t see any mention of encryption, only that the keys are stored encrypted on the database.
Am I wrong in saying that this is what the “api key” is?
I need to include the api key in the post request, so i wonder if this is actually decrypting the incoming message, or just acting as authentication.
Can you point me to any other articles or threads on the subject?
I would appreciate massively
Cheers
edit:
in my case, the incoming json is in the form
{
"result" : "success",
"code" : "300",
"message": "License key activated"
}
Not sure if this is also what you mean “json blob”
Ah, so in this case, what you get from the API is not sufficient to store the status offline. There is not real way to 100% securely generate any token client-side that proves a valid activation. If you want a highly secure solution, I’d recommend looking for other solutions, or adding more server-side endpoints to allow this.
If you are fine with not having a 100% secure licensing solution, anything you store locally to “cache” the server response would be enough. Public/private key encryption is just security theater at this point, and wouldn’t deter actual threats.
Feel free to send me a DM if you want more insights into alternatives
