linotp.controllers.validate module

validate controller - to check the authentication request

class linotp.controllers.validate.ValidateController(name, install_name='', **kwargs)

Bases: BaseController

The linotp.controllers are the implementation of the web-API to talk to the LinOTP server. The ValidateController is used to validate the username with its given OTP value. An Authentication module like pam_linotp2 or rlm_linotp2 uses this ValidateController. The functions of the ValidateController are invoked like this

https://server/validate/<functionname>

The functions are described below in more detail.

accept_transaction()

GET, POST /validate/accept_transaction

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

confirms a transaction. - needs the mandatory url query parameters:

Parameters:

  • transactionid – unique id for the transaction

  • signature – signature for the confirmation

Returns:

a json result with a boolean status and request result

Raises:

Exception – if an error occurs status in the response is set to false

after_request_funcs: t.Dict[ft.AppOrBlueprintKey, t.List[ft.AfterRequestCallable]]

A data structure of functions to call at the end of each request, in the format {scope: [functions]}. The scope key is the name of a blueprint the functions are active for, or None for all requests.

To register a function, use the after_request() decorator.

This data structure is internal. It should not be modified directly and its format may change at any time.

before_request_funcs: t.Dict[ft.AppOrBlueprintKey, t.List[ft.BeforeRequestCallable]]

A data structure of functions to call at the beginning of each request, in the format {scope: [functions]}. The scope key is the name of a blueprint the functions are active for, or None for all requests.

To register a function, use the before_request() decorator.

This data structure is internal. It should not be modified directly and its format may change at any time.

check()

GET, POST /validate/check

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used to validate the username and the otp value/password.

Parameters:

  • user – The username or loginname

  • pass – The password that consist of a possible fixed password component and the OTP value

  • realm – (optional) The realm to be used to match the user to a useridresolver

  • challenge – (optional) This param indicates, that this request is a challenge request.

  • data – (optional) Data to use to generate a challenge

  • state – (optional) A state id of an existing challenge to respond to

  • transactionid – (optional): A transaction id of an existing challenge to respond to

  • serial – (optional) Serial of a token to use instead of the matching tokens found for the given user and pass

Returns:

JSON response:

{
    "version": "LinOTP 2.4",
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": false
    },
    "id": 0
}

If status is true the request was handled successfully.

If value is true the user was authenticated successfully.

Raises:

Exception – if an error occurs the status in the json response is set to false

check_s()

GET, POST /validate/check_s

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used to validate the serial and the otp value/password. If the otppin policy is set, the endpoint /validate/check_s does not work.

Parameters:

  • serial – the serial number of the token

  • pass – the password that consists of a possible fixes password component and the OTP value

Returns:

a json result with a boolean status and request result

Raises:

Exception – if an error occurs status in the response is set to false

check_status()

GET, POST /validate/check_status

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

check the status of a transaction - for polling support

Parameters:

  • state

  • transactionid

  • serial

  • pass

Returns:

a json result with a boolean status and request result

Raises:

Exception – if an error occurs an exception is serialized and returned

check_t()

GET, POST /validate/check_t

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

check a session by transaction / state

Parameters:

  • pass

  • serial (transactionid or) –

Returns:

a json result with a boolean status and request result

Raises:

Exception – if an error occurs status in the response is set to false

check_yubikey()

GET, POST /validate/check_yubikey

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used to validate the output of a yubikey

Parameters:

pass – The password that consist of the static yubikey prefix and the otp

Returns:

JSON response:

{
    "version": "LinOTP 2.4",
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": false
    },
    "detail" : {
        "username": username,
        "realm": realm
    },
    "id": 0
}

Raises:

Exception – if an error occurs status in the response is set to false

deferred_functions: t.List[DeferredSetupFunction]
error_handler_spec: t.Dict[ft.AppOrBlueprintKey, t.Dict[t.Optional[int], t.Dict[t.Type[Exception], ft.ErrorHandlerCallable]]]

A data structure of registered error handlers, in the format {scope: {code: {class: handler}}}. The scope key is the name of a blueprint the handlers are active for, or None for all requests. The code key is the HTTP status code for HTTPException, or None for other exceptions. The innermost dictionary maps exception classes to handler functions.

To register an error handler, use the errorhandler() decorator.

This data structure is internal. It should not be modified directly and its format may change at any time.

fail()

return a failed response

Returns:

a json result with a status True and request result False

Raises:

Exception – if an error occurs status in the response is set to false

jwt_exempt = True
name: str
ok()

return a success response

Returns:

a json result with a status True and request result True

Raises:

Exception – if an error occurs status in the response is set to false

pair()

GET, POST /validate/pair

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

for the enrollment of qr and push token

Parameters:

pairing_response – the result from the token pairing request

Returns:

a json result with a boolean status and request result

Raises:

Exception – if an error occurs status in the response is set to false

reject_transaction()

GET, POST /validate/reject_transaction

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

rejects a transaction. - needs the mandatory url query parameters:

Parameters:

  • transactionid – unique id for the transaction

  • signature – signature for the rejection

Returns:

a json result with a boolean status and request result

Raises:

Exception – if an error occurs status in the response is set to false

samlcheck()

GET, POST /validate/samlcheck

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used to validate the username and the otp value/password in a SAML environment. If linotp.allowSamlAttributes = True then the attributes of the authenticated users are also contained in the response.

Parameters:

  • user – username / loginname

  • pass – the password that consists of a possible fixes password component and the OTP value

  • realm – (optional) realm to match the user to a useridresolver

Raises:

Exception – if an error occurs status in the response is set to false

simplecheck()

GET, POST /validate/simplecheck

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used to validate the username and the otp value/password.

Parameters:

  • user – username / loginname

  • pass – the password that consists of a possible fixes password component and the OTP value

  • realm – additional realm to match the user to a useridresolver

Returns:

Simple ascii response:

:-)

in case of success

:-(

in case of failed authentication

:-/

in case of any error

smspin()

GET, POST /validate/smspin

Deprecated since version 3.2: Requests using HTTP GET method (because it is modifying data). This endpoint will only be available via HTTP POST method in the future.

This function is used in conjunction with an SMS token: the user authenticates with user and pin (pass) and will receive on his mobile an OTP as message

Parameters:

  • user – username / loginname

  • pass – the password that consists of a possible fixed password

  • realm – additional realm to match the user to a useridresolver

Returns:

a json result with a boolean status and request result

Raises:

Exception – if an error occurs status in the response is set to false

teardown_request_funcs: t.Dict[ft.AppOrBlueprintKey, t.List[ft.TeardownCallable]]

A data structure of functions to call at the end of each request even if an exception is raised, in the format {scope: [functions]}. The scope key is the name of a blueprint the functions are active for, or None for all requests.

To register a function, use the teardown_request() decorator.

This data structure is internal. It should not be modified directly and its format may change at any time.

template_context_processors: t.Dict[ft.AppOrBlueprintKey, t.List[ft.TemplateContextProcessorCallable]]

A data structure of functions to call to pass extra context values when rendering templates, in the format {scope: [functions]}. The scope key is the name of a blueprint the functions are active for, or None for all requests.

To register a function, use the context_processor() decorator.

This data structure is internal. It should not be modified directly and its format may change at any time.

url_default_functions: t.Dict[ft.AppOrBlueprintKey, t.List[ft.URLDefaultCallable]]

A data structure of functions to call to modify the keyword arguments when generating URLs, in the format {scope: [functions]}. The scope key is the name of a blueprint the functions are active for, or None for all requests.

To register a function, use the url_defaults() decorator.

This data structure is internal. It should not be modified directly and its format may change at any time.

url_value_preprocessors: t.Dict[ft.AppOrBlueprintKey, t.List[ft.URLValuePreprocessorCallable]]

A data structure of functions to call to modify the keyword arguments passed to the view function, in the format {scope: [functions]}. The scope key is the name of a blueprint the functions are active for, or None for all requests.

To register a function, use the url_value_preprocessor() decorator.

This data structure is internal. It should not be modified directly and its format may change at any time.

view_functions: t.Dict[str, t.Callable]

A dictionary mapping endpoint names to view functions.

To register a view function, use the route() decorator.

This data structure is internal. It should not be modified directly and its format may change at any time.