linotp.tokens.remotetoken module

This file file contains the Remote token class

class linotp.tokens.remotetoken.RemoteTokenClass(aToken)

Bases: TokenClass

The Remote token forwards an authentication request to another LinOTP server. The request can be forwarded to a user on the other server or to a serial number on the other server. The PIN can be checked on the local LinOTP server or on the remote server.

Using the Remote token you can assign one physical token to many different users.

authenticate(passw, user, options=None)

do the authentication on base of password / otp and user and options, the request parameters.

Here we contact the other LinOTP server to validate the OtpVal.

Parameters
  • passw – the password / otp

  • user – the requesting user

  • options – the additional request parameters

Returns

tupple of (success, otp_count - 0 or -1, reply)

checkPin(pin, options=None)

check the pin - either remote or localy - in case of remote, we return true, as the

the splitPinPass will put the passw then in the otpVal

checkResponse4Challenge(user, passw, options=None, challenges=None)

This method verifies if the given passw matches any existing challenge of the token.

It then returns the new otp_counter of the token and the list of the matching challenges.

In case of success the otp_counter needs to be >= 0. The matching_challenges is passed to the method challenge_janitor() to clean up challenges.

Parameters
  • user (User object) – the requesting user

  • passw (string) – the password (pin+otp)

  • options (dict) – additional arguments from the request, which could be token specific

  • challenges (list) – A sorted list of valid challenges for this token.

Returns

tuple of (otpcounter and the list of matching challenges)

check_otp_exist(otp, window=None, user=None, autoassign=False)

checks if the given OTP value is/are values of this very token. This is used to autoassign and to determine the serial number of a token.

check_pin_local()

lookup if pin should be checked locally or on remote host

Returns

bool

createChallenge(transactionid, options=None)

for every remote challenge we have to create a local challenge e.g. to support multiple challenges

remark: we might call the super of this method first

do_request(passw, transactionid=None, user=None, autoassign=False)

run the http request against the remote host

Parameters
  • passw – the password which should be checked on the remote host

  • transactionid – provided, if this is a challenge response

  • user – the requesting user - used if no remote serial or remote user is provided

Returns

Tuple of (success, otp_count= -1 or 0, reply=remote response)

classmethod getClassInfo(key=None, ret='all')

getClassInfo - returns a subtree of the token definition

Parameters
  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found

Returns

subsection if key exists or user defined

Return type

s.o.

classmethod getClassPrefix()

return the token type prefix

classmethod getClassType()

return the class type identifier

is_challenge_request(passw, user, options=None)

This method checks, if this is a request, that triggers a challenge. It depends on the way, the pin is checked - either locally or remote

Parameters
  • passw (string) – password, which might be pin or pin+otp

  • user (User object) – The user from the authentication request

  • options (dict) – dictionary of additional request parameters

Returns

true or false

splitPinPass(passw)

Split the PIN and the OTP value. Only if it is locally checked and not remotely.

Parameters

passw – the password with pin and otp

Returns

tupple of the (success, pin and otpvalue)

update(param)

second phase of the init process - updates parameters

Parameters

param – the request parameters

Returns

  • nothing -