def check(): """ check the authentication for a user or a serial number. Either a ``serial`` or a ``user`` is required to authenticate. The PIN and OTP value is sent in the parameter ``pass``. In case of successful authentication it returns ``result->value: true``. In case of a challenge response authentication a parameter ``exception=1`` can be passed. This would result in a HTTP 500 Server Error response if an error occurred during sending of SMS or Email. In case ``/validate/radiuscheck`` is requested, the responses are modified as follows: A successful authentication returns an empty HTTP 204 response. An unsuccessful authentication returns an empty HTTP 400 response. Error responses are the same responses as for the ``/validate/check`` endpoint. :param serial: The serial number of the token, that tries to authenticate. :param user: The loginname/username of the user, who tries to authenticate. :param realm: The realm of the user, who tries to authenticate. If the realm is omitted, the user is looked up in the default realm. :param pass: The password, that consists of the OTP PIN and the OTP value. :param otponly: If set to 1, only the OTP value is verified. This is used in the management UI. Only used with the parameter serial. :param transaction_id: The transaction ID for a response to a challenge request :param state: The state ID for a response to a challenge request :return: a json result with a boolean "result": true **Example Validation Request**: .. sourcecode:: http POST /validate/check HTTP/1.1 Host: example.com Accept: application/json user=user realm=realm1 pass=s3cret123456 **Example response** for a successful authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "message": "matching 1 tokens", "serial": "PISP0000AB00", "type": "spass" }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": true }, "version": "privacyIDEA unknown" } **Example response** for this first part of a challenge response authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "serial": "PIEM0000AB00", "type": "email", "transaction_id": "12345678901234567890", "multi_challenge: [ {"serial": "PIEM0000AB00", "transaction_id": "12345678901234567890", "message": "Please enter otp from your email"}, {"serial": "PISM12345678", "transaction_id": "12345678901234567890", "message": "Please enter otp from your SMS"} ] }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": false }, "version": "privacyIDEA unknown" } In this example two challenges are triggered, one with an email and one with an SMS. The application and thus the user has to decide, which one to use. They can use either. .. note:: All challenge response tokens have the same transaction_id in this case. """ #user = get_user_from_param(request.all_data) user = request.User serial = getParam(request.all_data, "serial") password = getParam(request.all_data, "pass", required) otp_only = getParam(request.all_data, "otponly") options = {"g": g, "clientip": g.client_ip} # Add all params to the options for key, value in request.all_data.items(): if value and key not in ["g", "clientip"]: options[key] = value g.audit_object.log({"user": user.login, "resolver": user.resolver, "realm": user.realm}) if serial: if not otp_only: result, details = check_serial_pass(serial, password, options=options) else: result, details = check_otp(serial, password) else: result, details = check_user_pass(user, password, options=options) g.audit_object.log({"info": details.get("message"), "success": result, "serial": serial or details.get("serial"), "tokentype": details.get("type")}) return send_result(result, details=details)
def check(): """ check the authentication for a user or a serial number. Either a ``serial`` or a ``user`` is required to authenticate. The PIN and OTP value is sent in the parameter ``pass``. In case of successful authentication it returns ``result->value: true``. :param serial: The serial number of the token, that tries to authenticate. :param user: The loginname/username of the user, who tries to authenticate. :param realm: The realm of the user, who tries to authenticate. If the realm is omitted, the user is looked up in the default realm. :param pass: The password, that consists of the OTP PIN and the OTP value. :param otponly: If set to 1, only the OTP value is verified. This is used in the management UI. Only used with the parameter serial. :param transaction_id: The transaction ID for a response to a challenge request :param state: The state ID for a response to a challenge request :return: a json result with a boolean "result": true **Example Validation Request**: .. sourcecode:: http POST /validate/check HTTP/1.1 Host: example.com Accept: application/json user=user realm=realm1 pass=s3cret123456 **Example response** for a successful authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "message": "matching 1 tokens", "serial": "PISP0000AB00", "type": "spass" }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": true }, "version": "privacyIDEA unknown" } **Example response** for this first part of a challenge response authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "serial": "PIEM0000AB00", "type": "email", "transaction_id": "12345678901234567890", "multi_challenge: [ {"serial": "PIEM0000AB00", "transaction_id": "12345678901234567890", "message": "Please enter otp from your email"}, {"serial": "PISM12345678", "transaction_id": "12345678901234567890", "message": "Please enter otp from your SMS"} ] }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": false }, "version": "privacyIDEA unknown" } In this example two challenges are triggered, one with an email and one with an SMS. The application and thus the user has to decide, which one to use. They can use either. .. note:: All challenge response tokens have the same transaction_id in this case. """ #user = get_user_from_param(request.all_data) user = request.User serial = getParam(request.all_data, "serial") password = getParam(request.all_data, "pass", required) otp_only = getParam(request.all_data, "otponly") options = {"g": g, "clientip": g.client_ip} # Add all params to the options for key, value in request.all_data.items(): if value and key not in ["g", "clientip"]: options[key] = value g.audit_object.log({ "user": user.login, "resolver": user.resolver, "realm": user.realm }) if serial: if not otp_only: result, details = check_serial_pass(serial, password, options=options) else: result, details = check_otp(serial, password) else: result, details = check_user_pass(user, password, options=options) g.audit_object.log({ "info": details.get("message"), "success": result, "serial": serial or details.get("serial"), "tokentype": details.get("type") }) return send_result(result, details=details)
def check(): """ check the authentication for a user or a serial number. Either a ``serial`` or a ``user`` is required to authenticate. The PIN and OTP value is sent in the parameter ``pass``. In case of successful authentication it returns ``result->value: true``. In case of a challenge response authentication a parameter ``exception=1`` can be passed. This would result in a HTTP 500 Server Error response if an error occurred during sending of SMS or Email. In case ``/validate/radiuscheck`` is requested, the responses are modified as follows: A successful authentication returns an empty ``HTTP 204`` response. An unsuccessful authentication returns an empty ``HTTP 400`` response. Error responses are the same responses as for the ``/validate/check`` endpoint. :param serial: The serial number of the token, that tries to authenticate. :param user: The loginname/username of the user, who tries to authenticate. :param realm: The realm of the user, who tries to authenticate. If the realm is omitted, the user is looked up in the default realm. :param type: The tokentype of the tokens, that are taken into account during authentication. Requires the *authz* policy :ref:`application_tokentype_policy`. It is ignored when a distinct serial is given. :param pass: The password, that consists of the OTP PIN and the OTP value. :param otponly: If set to 1, only the OTP value is verified. This is used in the management UI. Only used with the parameter serial. :param transaction_id: The transaction ID for a response to a challenge request :param state: The state ID for a response to a challenge request :return: a json result with a boolean "result": true **Example Validation Request**: .. sourcecode:: http POST /validate/check HTTP/1.1 Host: example.com Accept: application/json user=user realm=realm1 pass=s3cret123456 **Example response** for a successful authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "message": "matching 1 tokens", "serial": "PISP0000AB00", "type": "spass" }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": true }, "version": "privacyIDEA unknown" } **Example response** for this first part of a challenge response authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "serial": "PIEM0000AB00", "type": "email", "transaction_id": "12345678901234567890", "multi_challenge: [ {"serial": "PIEM0000AB00", "transaction_id": "12345678901234567890", "message": "Please enter otp from your email", "client_mode": "interactive"}, {"serial": "PISM12345678", "transaction_id": "12345678901234567890", "message": "Please enter otp from your SMS", "client_mode": "interactive"} ] }, "id": 2, "jsonrpc": "2.0", "result": { "status": true, "value": false }, "version": "privacyIDEA unknown" } In this example two challenges are triggered, one with an email and one with an SMS. The application and thus the user has to decide, which one to use. They can use either. The challenges also contain the information of the "client_mode". This tells the plugin, whether it should display an input field to ask for the OTP value or e.g. to poll for an answered authentication. Read more at :ref:`client_modes`. .. note:: All challenge response tokens have the same ``transaction_id`` in this case. **Example response** for a successful authentication with ``/samlcheck``: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "message": "matching 1 tokens", "serial": "PISP0000AB00", "type": "spass" }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": {"attributes": { "username": "******", "realm": "themis", "mobile": null, "phone": null, "myOwn": "/data/file/home/koelbel", "resolver": "themis", "surname": "Kölbel", "givenname": "Cornelius", "email": null}, "auth": true} }, "version": "privacyIDEA unknown" } The response in ``value->attributes`` can contain additional attributes (like "myOwn") which you can define in the LDAP resolver in the attribute mapping. """ user = request.User serial = getParam(request.all_data, "serial") password = getParam(request.all_data, "pass", required) otp_only = getParam(request.all_data, "otponly") token_type = getParam(request.all_data, "type") options = {"g": g, "clientip": g.client_ip, "user": user} # Add all params to the options for key, value in request.all_data.items(): if value and key not in ["g", "clientip", "user"]: options[key] = value g.audit_object.log({ "user": user.login, "resolver": user.resolver, "realm": user.realm }) if serial: if user: # check if the given token belongs to the user if not get_tokens(user=user, serial=serial, count=True): raise ParameterError( 'Given serial does not belong to given user!') if not otp_only: success, details = check_serial_pass(serial, password, options=options) else: success, details = check_otp(serial, password) result = success else: options["token_type"] = token_type success, details = check_user_pass(user, password, options=options) result = success if request.path.endswith("samlcheck"): ui = user.info result = {"auth": success, "attributes": {}} if return_saml_attributes(): if success or return_saml_attributes_on_fail(): # privacyIDEA's own attribute map result["attributes"] = { "username": ui.get("username"), "realm": user.realm, "resolver": user.resolver, "email": ui.get("email"), "surname": ui.get("surname"), "givenname": ui.get("givenname"), "mobile": ui.get("mobile"), "phone": ui.get("phone") } # additional attributes for k, v in ui.items(): result["attributes"][k] = v g.audit_object.log({ "info": log_used_user(user, details.get("message")), "success": success, "serial": serial or details.get("serial"), "token_type": details.get("type") }) return send_result(result, rid=2, details=details)
def check(): """ check the authentication for a user or a serial number. Either a ``serial`` or a ``user`` is required to authenticate. The PIN and OTP value is sent in the parameter ``pass``. In case of successful authentication it returns ``result->value: true``. In case of a challenge response authentication a parameter ``exception=1`` can be passed. This would result in a HTTP 500 Server Error response if an error occurred during sending of SMS or Email. In case ``/validate/radiuscheck`` is requested, the responses are modified as follows: A successful authentication returns an empty HTTP 204 response. An unsuccessful authentication returns an empty HTTP 400 response. Error responses are the same responses as for the ``/validate/check`` endpoint. :param serial: The serial number of the token, that tries to authenticate. :param user: The loginname/username of the user, who tries to authenticate. :param realm: The realm of the user, who tries to authenticate. If the realm is omitted, the user is looked up in the default realm. :param type: The tokentype of the tokens, that are taken into account during authentication. Requires authz policy application_tokentype. Is ignored when a distinct serial is given. :param pass: The password, that consists of the OTP PIN and the OTP value. :param otponly: If set to 1, only the OTP value is verified. This is used in the management UI. Only used with the parameter serial. :param transaction_id: The transaction ID for a response to a challenge request :param state: The state ID for a response to a challenge request :return: a json result with a boolean "result": true **Example Validation Request**: .. sourcecode:: http POST /validate/check HTTP/1.1 Host: example.com Accept: application/json user=user realm=realm1 pass=s3cret123456 **Example response** for a successful authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "message": "matching 1 tokens", "serial": "PISP0000AB00", "type": "spass" }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": true }, "version": "privacyIDEA unknown" } **Example response** for this first part of a challenge response authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "serial": "PIEM0000AB00", "type": "email", "transaction_id": "12345678901234567890", "multi_challenge: [ {"serial": "PIEM0000AB00", "transaction_id": "12345678901234567890", "message": "Please enter otp from your email"}, {"serial": "PISM12345678", "transaction_id": "12345678901234567890", "message": "Please enter otp from your SMS"} ] }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": false }, "version": "privacyIDEA unknown" } In this example two challenges are triggered, one with an email and one with an SMS. The application and thus the user has to decide, which one to use. They can use either. .. note:: All challenge response tokens have the same transaction_id in this case. """ user = request.User serial = getParam(request.all_data, "serial") password = getParam(request.all_data, "pass", required) otp_only = getParam(request.all_data, "otponly") token_type = getParam(request.all_data, "type") options = {"g": g, "clientip": g.client_ip} # Add all params to the options for key, value in request.all_data.items(): if value and key not in ["g", "clientip"]: options[key] = value g.audit_object.log({"user": user.login, "resolver": user.resolver, "realm": user.realm}) if serial: if user: # check if the given token belongs to the user if not get_tokens(user=user, serial=serial, count=True): raise ParameterError('Given serial does not belong to given user!') if not otp_only: result, details = check_serial_pass(serial, password, options=options) else: result, details = check_otp(serial, password) else: options["token_type"] = token_type result, details = check_user_pass(user, password, options=options) g.audit_object.log({"info": log_used_user(user, details.get("message")), "success": result, "serial": serial or details.get("serial"), "token_type": details.get("type")}) return send_result(result, details=details)
def check(): """ check the authentication for a user or a serial number. Either a ``serial`` or a ``user`` is required to authenticate. The PIN and OTP value is sent in the parameter ``pass``. :param serial: The serial number of the token, that tries to authenticate. :param user: The loginname/username of the user, who tries to authenticate. :param realm: The realm of the user, who tries to authenticate. If the realm is omitted, the user is looked up in the default realm. :param pass: The password, that consists of the OTP PIN and the OTP value. :param otponly: If set to 1, only the OTP value is verified. This is used in the management UI. Only used with the parameter serial. :param transaction_id: The transaction ID for a response to a challenge request :param state: The state ID for a response to a challenge request :return: a json result with a boolean "result": true **Example response** for a successful authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "message": "matching 1 tokens", "serial": "PISP0000AB00", "type": "spass" }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": true }, "version": "privacyIDEA unknown" } """ user = get_user_from_param(request.all_data) serial = getParam(request.all_data, "serial") password = getParam(request.all_data, "pass", required) otp_only = getParam(request.all_data, "otponly") options = {"g": g, "clientip": g.client_ip} # Add all params to the options for key, value in request.all_data.items(): if value and key not in ["g", "clientip"]: options[key] = value g.audit_object.log({"user": user.login, "realm": user.realm}) if serial: if not otp_only: result, details = check_serial_pass(serial, password, options=options) else: result, details = check_otp(serial, password) else: result, details = check_user_pass(user, password, options=options) g.audit_object.log({"info": details.get("message"), "success": result, "serial": serial or details.get("serial"), "tokentype": details.get("type")}) return send_result(result, details=details)
def check(): """ check the authentication for a user or a serial number. Either a ``serial`` or a ``user`` is required to authenticate. The PIN and OTP value is sent in the parameter ``pass``. :param serial: The serial number of the token, that tries to authenticate. :param user: The loginname/username of the user, who tries to authenticate. :param realm: The realm of the user, who tries to authenticate. If the realm is omitted, the user is looked up in the default realm. :param pass: The password, that consists of the OTP PIN and the OTP value. :param otponly: If set to 1, only the OTP value is verified. This is used in the management UI. Only used with the parameter serial. :param transaction_id: The transaction ID for a response to a challenge request :param state: The state ID for a response to a challenge request :return: a json result with a boolean "result": true **Example response** for a successful authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "message": "matching 1 tokens", "serial": "PISP0000AB00", "type": "spass" }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": true }, "version": "privacyIDEA unknown" } """ user = get_user_from_param(request.all_data) serial = getParam(request.all_data, "serial") password = getParam(request.all_data, "pass", required) otp_only = getParam(request.all_data, "otponly") options = {"g": g, "clientip": g.client_ip} # Add all params to the options for key, value in request.all_data.items(): if value and key not in ["g", "clientip"]: options[key] = value g.audit_object.log({"user": user.login, "realm": user.realm}) if serial: if not otp_only: result, details = check_serial_pass(serial, password, options=options) else: result, details = check_otp(serial, password) else: result, details = check_user_pass(user, password, options=options) g.audit_object.log({ "info": details.get("message"), "success": result, "serial": serial or details.get("serial"), "tokentype": details.get("type") }) return send_result(result, details=details)