Gettoken Policies

1.6.7. Gettoken Policies#

LinOTP allows you to retrieve current or future OTP values of tokens for certain scenarios. This can be used for Tagespasswort-Tokens, if the application does not support RADIUS or any other authentication protocol or for the scenario where offline OTP authentication is required. To define such a gettoken policy do the following:

  • Policy name: the unique name of the policy

  • Scope: You need to set this to gettoken.

  • Action: can be something of max_count_dpw=<int>, max_count_hotp=<int>, max_count_totp=<int>

  • User: The administrative account that is allowed to retrieve OTP values.

  • Realm: The name of the token realm the policy is valid for. This can be a list or a ‘*’.


In contrast to other policies retrieving of OTP values will not be allowed unless a policy is defined.

If you want to run the gettoken/getotp function from the Management WebUI, you also need to set the admin policy (action getotp) for the specific realm. (see section Admin Policies)

As retrieving OTP values must be seen as a kind of security breach, you need to do more configuration to activate the gettoken functionality. For configuring this see section Retrieving OTP values.

OTP values may be retrieved using the API calls /gettoken/getotp and /gettoken/getmultiotp. The policy will define which kind of tokens would be allowed to have their OTP values retrieved by either defining max_count_dpw for Tagespasswort-Tokens, max_count_hotp for HMAC tokens or max_count_totp for TOTP tokens. These action parameters require an integer parameter, which specifies how many OTP values will be returned at max. So if 100 OTP values would be requested but max_count_hotp=50 only 50 values will be returned. LinOTP will only return OTP values if the tokens realm is contained in the policy.