16. Retrieving OTP values

Starting with LinOTP 2.4 the LinOTP server can be asked for the OTP values of a given token. This is done through the /gettoken/getotp controller described below:

The token is selected either by its serial number or by the username. The function exists so that the “Tagespasswort” (day password) of a given user can be retrieved, for example by a helpdesk. Since a server that hands out OTP values removes the possession factor for whoever obtains them, this is a security-relevant function and several steps are needed before it becomes available.

  • Not all token types support the getotp function. At the moment only the DPW (day password) token does, i.e. even with the function activated an HMAC token or an mOTP token will never return its OTP value.

  • You need to protect the controller /gettoken/getotp in the Apache configuration of linotp2, i.e. you create a separate user file gettoken-api whose entries are the only ones that can authenticate to this controller. The AuthName below is the Digest realm: the entries in /etc/linotp2/gettoken-api must be created with htdigest for exactly this realm name ("LinOTP2 gettoken"), otherwise authentication fails. You could also require client certificate authentication for this Location to gain maximum security, and the Location must only be reachable over HTTPS, since the returned OTP values are equivalent to the user's second factor:

    <Location /gettoken>
        AuthType Digest
        AuthName "LinOTP2 gettoken"
        AuthDigestProvider file
        AuthUserFile /etc/linotp2/gettoken-api
        Require valid-user
    </Location>
    
  • You need to activate this controller in the /etc/linotp2/linotp.ini file like this:

    linotpGetotp.active = True
    

Finally you need to define policies that specify which user is allowed to retrieve how many OTP values. For defining such a gettoken policy see section Gettoken Policies.
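As an added example of how a script would use the controller once the three steps above are in place (this is not code from the LinOTP project), the following Python client builds the /gettoken/getotp request, authenticates with HTTP Digest against the realm configured in the Apache Location, and parses the reply. The query parameter names (serial, user, realm, count), the JSON envelope with result/status/value, the value keys otpval and otp, and the sample responses are assumptions constructed for the example; they are not stated on this page.

```python
"""Client for LinOTP's /gettoken/getotp controller (added example, not LinOTP code).

Assumed, not taken from the page: the controller accepts the query parameters
``serial`` or ``user``/``realm`` plus ``count``, and answers with the JSON
envelope {"result": {"status": ..., "value": ...}} where a single value is
returned under "otpval" and several values under "otp" keyed by counter.
"""
import json
import urllib.parse
import urllib.request

GETOTP_PATH = "/gettoken/getotp"
DIGEST_REALM = "LinOTP2 gettoken"   # must equal AuthName in the Apache <Location>


def build_getotp_url(base_url, serial=None, user=None, realm=None, count=1):
    """Return the request URL; exactly one of serial / user must be given."""
    if (serial is None) == (user is None):
        raise ValueError("pass either serial or user, not both")
    if count < 1:
        raise ValueError("count must be >= 1")
    params = {"count": str(count)}
    if serial is not None:
        params["serial"] = serial
    else:
        params["user"] = user
        if realm is not None:
            params["realm"] = realm
    return base_url.rstrip("/") + GETOTP_PATH + "?" + urllib.parse.urlencode(params)


def parse_getotp_response(body):
    """Extract the OTP values from the JSON envelope as a list of strings.

    A failed request (status false, e.g. no matching gettoken policy or a token
    type without getotp support) raises ValueError carrying the server's message
    instead of silently returning an empty list.
    """
    data = json.loads(body)
    result = data.get("result", {})
    if not result.get("status"):
        err = result.get("error", {})
        raise ValueError("getotp failed: %s" % err.get("message", "unknown error"))
    value = result.get("value", {})
    if "otpval" in value:                 # single value (assumed key)
        return [str(value["otpval"])]
    otps = value.get("otp", {})           # several values keyed by counter (assumed)
    return [str(otps[k]) for k in sorted(otps, key=int)]


def fetch_otp(base_url, username, password, **selector):
    """Perform the call with HTTP Digest auth; refuses plain HTTP outright."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send Digest credentials and OTP values over plain HTTP")
    url = build_getotp_url(base_url, **selector)
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(DIGEST_REALM, base_url, username, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    with opener.open(url, timeout=10) as resp:
        return parse_getotp_response(resp.read().decode("utf-8"))


# Constructed sample responses for offline use (not captured from a real server).
SAMPLE_OK = '{"result": {"status": true, "value": {"otpval": "482917"}}}'
SAMPLE_MANY = '{"result": {"status": true, "value": {"otp": {"1": "482917", "0": "113355"}}}}'
SAMPLE_DENIED = '{"result": {"status": false, "error": {"message": "policy forbids getotp"}}}'

if __name__ == "__main__":
    print(build_getotp_url("https://linotp.example", user="alice", realm="corp"))
    print(parse_getotp_response(SAMPLE_MANY))
    # fetch_otp("https://linotp.example", "helpdesk", "secret", serial="DPW0001")
```

The credentials passed to fetch_otp are the Digest entries from /etc/linotp2/gettoken-api, not LinOTP admin credentials, so the script only ever holds an identity that can reach this one controller; the policy defined for that identity then limits how many values it may pull.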