linotp.controllers.validate module

validate controller - to check the authentication request

class linotp.controllers.validate.ValidateController(name, install_name='', **kwargs)

Bases: BaseController

The linotp.controllers are the implementation of the web API used to talk to the LinOTP server. The ValidateController is used to validate the username with its given OTP value. An authentication module like pam_linotp2 or rlm_linotp2 uses this ValidateController. The functions of the ValidateController are invoked like this:

https://server/validate/<functionname>

The functions are described below in more detail.

accept_transaction()

GET, POST /validate/accept_transaction

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

Confirms a transaction. Needs the mandatory URL query parameters:

Parameters
  • transactionid – unique id for the transaction

  • signature – signature for the confirmation

Returns

a json result with a boolean status and request result

Raises

Exception – if an error occurs status in the response is set to false

check()

GET, POST /validate/check

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used to validate the username and the otp value/password.

Parameters
  • user – The username or loginname

  • pass – The password that consists of a possible fixed password component and the OTP value

  • realm – (optional) The realm to be used to match the user to a useridresolver

  • challenge – (optional) This parameter indicates that this request is a challenge request.

  • data – (optional) Data to use to generate a challenge

  • state – (optional) A state id of an existing challenge to respond to

  • transactionid – (optional) A transaction id of an existing challenge to respond to

  • serial – (optional) Serial of a token to use instead of the matching tokens found for the given user and pass

Returns

JSON response:

{
    "version": "LinOTP 2.4",
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": false
    },
    "id": 0
}

If status is true the request was handled successfully.

If value is true the user was authenticated successfully.

Raises

Exception – if an error occurs the status in the json response is set to false
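A client-side sketch for /validate/check, added here as an example and not taken from the LinOTP code base: it sends the credentials in a POST body rather than the deprecated GET query string, and treats the user as authenticated only when both status and value are the JSON literal true. The function names, the sample user and OTP, and the sample response bodies are constructed for illustration; https://server is the placeholder host used above.

```python
import json
import urllib.parse
import urllib.request


def build_check_request(base_url, user, password, realm=None):
    """Build a POST to /validate/check with the credentials in the body."""
    fields = {"user": user, "pass": password}
    if realm is not None:
        fields["realm"] = realm
    body = urllib.parse.urlencode(fields).encode("utf-8")
    # Passing data= makes urllib issue a POST, so the PIN and OTP never
    # appear in the URL (and therefore not in web server or proxy logs).
    return urllib.request.Request(
        base_url.rstrip("/") + "/validate/check",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def is_authenticated(response_body):
    """Return True only if result.status and result.value are both true."""
    try:
        result = json.loads(response_body)["result"]
        # 'is True' rejects truthy stand-ins such as "true", 1 or a dict.
        return result["status"] is True and result["value"] is True
    except (ValueError, KeyError, TypeError):
        # Malformed or unexpected body: fail closed.
        return False


if __name__ == "__main__":
    # Constructed sample values, not real credentials or server output.
    req = build_check_request("https://server", "alice", "pin123456", "example")
    print(req.get_method(), req.full_url)
    handled_but_denied = '{"result": {"status": true, "value": false}, "id": 0}'
    print(is_authenticated(handled_but_denied))
```

Checking only status would accept the "handled successfully, authentication failed" case shown in the sample response above, which is why both fields are tested.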

check_s()

GET, POST /validate/check_s

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used to validate the serial and the otp value/password. If the otppin policy is set, the endpoint /validate/check_s does not work.

Parameters
  • serial – the serial number of the token

  • pass – the password that consists of a possible fixed password component and the OTP value

Returns

a json result with a boolean status and request result

Raises

Exception – if an error occurs status in the response is set to false

check_status()

GET, POST /validate/check_status

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

check the status of a transaction - for polling support

Parameters
  • state

  • transactionid

  • serial

  • pass

Returns

a json result with a boolean status and request result

Raises

Exception – if an error occurs an exception is serialized and returned

check_t()

GET, POST /validate/check_t

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

check a session by transaction / state

Parameters
  • pass

  • transactionid or serial

Returns

a json result with a boolean status and request result

Raises

Exception – if an error occurs status in the response is set to false

check_yubikey()

GET, POST /validate/check_yubikey

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used to validate the output of a yubikey

Parameters

pass – The password that consists of the static yubikey prefix and the otp

Returns

JSON response:

{
    "version": "LinOTP 2.4",
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": false
    },
    "detail" : {
        "username": username,
        "realm": realm
    },
    "id": 0
}

Raises

Exception – if an error occurs status in the response is set to false

fail()

return a failed response

Returns

a json result with a status True and request result False

Raises

Exception – if an error occurs status in the response is set to false

jwt_exempt = True

ok()

return a success response

Returns

a json result with a status True and request result True

Raises

Exception – if an error occurs status in the response is set to false

pair()

GET, POST /validate/pair

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

for the enrollment of qr and push token

Parameters

pairing_response – the result from the token pairing request

Returns

a json result with a boolean status and request result

Raises

Exception – if an error occurs status in the response is set to false

reject_transaction()

GET, POST /validate/reject_transaction

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

Rejects a transaction. Needs the mandatory URL query parameters:

Parameters
  • transactionid – unique id for the transaction

  • signature – signature for the rejection

Returns

a json result with a boolean status and request result

Raises

Exception – if an error occurs status in the response is set to false

samlcheck()

GET, POST /validate/samlcheck

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used to validate the username and the otp value/password in a SAML environment. If linotp.allowSamlAttributes = True then the attributes of the authenticated users are also contained in the response.

Parameters
  • user – username / loginname

  • pass – the password that consists of a possible fixed password component and the OTP value

  • realm – (optional) realm to match the user to a useridresolver

Raises

Exception – if an error occurs status in the response is set to false

simplecheck()

GET, POST /validate/simplecheck

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used to validate the username and the otp value/password.

Parameters
  • user – username / loginname

  • pass – the password that consists of a possible fixed password component and the OTP value

  • realm – additional realm to match the user to a useridresolver

Returns

Simple ascii response:

:-)

in case of success

:-(

in case of failed authentication

:-/

in case of any error

smspin()

GET, POST /validate/smspin

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used in conjunction with an SMS token: the user authenticates with user and pin (pass) and then receives an OTP as a message on their mobile phone.

Parameters
  • user – username / loginname

  • pass – the password that consists of a possible fixed password

  • realm – additional realm to match the user to a useridresolver

Returns

a json result with a boolean status and request result

Raises

Exception – if an error occurs status in the response is set to false