linotp.controllers.userservice module¶
- userservice controller -
This is the controller for the user self service interface, where an authenticated user can manage their own tokens.
- There are three types of requests:
the context requests: before, context
the auth requests: auth, userinfo
the admin requests: everything else
Every admin request must provide the auth cookie and the username; the auth cookie is verified by decrypting it, and the username is checked against the selfservice policies.
- Remarks:
the userinfo request could use the cookie check, as it runs after the authorization request, but no policy definition is required
the context request might as well run for an authenticated user; it is therefore treated like an auth request, but without a policy check
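As an added example, not code from LinOTP, the following models the three request classes listed above and the checks each one needs. It stands in an HMAC-SHA256 authenticated cookie where LinOTP decrypts its cookie, a `policy_allows` callback where LinOTP consults its selfservice policies, and takes the `user@realm` parameter in the form the enable/disable endpoints document; `before` is taken to be the pre_context endpoint. All of these are assumptions for the illustration. What it demonstrates is the ordering of checks: an admin request is rejected unless the cookie is intact, unexpired, belongs to the user named in the request, and the policy allows the action; an auth request stops after the cookie check; a context request needs nothing.

```python
import base64
import hashlib
import hmac
import json
import time

# request classes as the module docstring lists them ("before" assumed to be
# pre_context); anything else is an admin request and gets the strictest checks
CONTEXT_REQUESTS = {"before", "pre_context", "context"}
AUTH_REQUESTS = {"auth", "userinfo"}
TAG_LEN = hashlib.sha256().digest_size


class AuthError(Exception):
    """Rejected request; the controller would answer with HTTP 401."""


def make_auth_cookie(key: bytes, login: str, realm: str, ttl: int, now=None) -> str:
    """Issue the cookie handed out after login. Layout is an assumption of this
    example: JSON claims followed by an HMAC-SHA256 tag, url-safe base64."""
    exp = int(time.time() if now is None else now) + ttl
    claims = json.dumps({"login": login, "realm": realm, "exp": exp},
                        separators=(",", ":")).encode()
    tag = hmac.new(key, claims, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(claims + tag).decode()


def read_auth_cookie(key: bytes, cookie: str, now=None) -> dict:
    """Check integrity and expiry before trusting anything inside the cookie."""
    try:
        blob = base64.urlsafe_b64decode(cookie.encode())
    except ValueError as err:
        raise AuthError("malformed auth cookie") from err
    if len(blob) <= TAG_LEN:
        raise AuthError("malformed auth cookie")
    claims, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, claims, hashlib.sha256).digest(), tag):
        raise AuthError("auth cookie integrity check failed")
    data = json.loads(claims)
    if data["exp"] < (time.time() if now is None else now):
        raise AuthError("auth cookie expired")
    return data


def authorize(key: bytes, action: str, params: dict, cookie, policy_allows, now=None) -> dict:
    """Run the checks for one request. Returns the cookie claims the action may
    act on ({} for context requests) or raises AuthError.
    policy_allows(login, realm, action) stands in for the policy lookup."""
    if action in CONTEXT_REQUESTS:          # context request: no authentication
        return {}
    if not cookie:
        raise AuthError(f"{action}: auth cookie required")
    claims = read_auth_cookie(key, cookie, now)
    if action in AUTH_REQUESTS:             # auth request: cookie check only
        return claims
    # admin request: the username must be given and must be the cookie owner,
    # so a captured cookie cannot be replayed against another user's tokens
    user = params.get("user")
    if not user:
        raise AuthError(f"{action}: username required")
    login, sep, realm = user.rpartition("@")
    if not sep:                             # no realm given: use the cookie's
        login, realm = user, claims["realm"]
    if (login, realm) != (claims["login"], claims["realm"]):
        raise AuthError(f"{action}: auth cookie does not belong to {user}")
    if not policy_allows(claims["login"], claims["realm"], action):
        raise AuthError(f"{action}: not allowed by selfservice policy")
    return claims
```

The order matters: the integrity tag is checked before the claims are parsed, the expiry before the username comparison, and the policy last, so a forged or stale cookie never reaches the policy lookup and cannot be used to probe which actions a policy permits.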
- exception linotp.controllers.userservice.UserNotFound¶
Bases:
Exception
- class linotp.controllers.userservice.UserserviceController(name, install_name='', **kwargs)¶
Bases:
BaseController
the interface from the service into linotp to execute the actions for the user in the scope of the selfservice
after the login, the selfservice user gets an auth cookie, which states that they have already been authenticated. This cookie has to be provided on every request; the auth_cookie and the session are verified on each of them
- activateocratoken()¶
POST /userservice/activateocratoken
activateocratoken - called from the selfservice web ui to activate the OCRA token
- Parameters
type – ‘ocra2’
serial – serial number of the token
activationcode – the calculated activation code
- Returns
dict about the token:
{ 'activate': True,
  'ocratoken': { 'url': url,
                 'img': '<img />',
                 'label': "%s@%s" % (g.authUser.login, g.authUser.realm),
                 'serial': serial } }
- Raises
Exception – if an error occurs an exception is serialized and returned
- assign()¶
POST /userservice/assign
This is the internal assign function that is called from within the self service portal
- Parameters
serial – the token serial
description – an optional description
pin – the new token pin
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- auth()¶
GET, POST /userservice/auth
Deprecated since version 3.2: requests using the HTTP GET method, because this endpoint modifies data. It will only be available via HTTP POST in the future.
user authentication, for example for the remote selfservice
- Parameters
login – login name of the user, normally in the user@realm format
realm – the realm of the user
password – the password for the user authentication; in case of mfa_login it is base32 encoded so that one parameter can carry os_passw:pin+otp
- Returns
{result : {value: bool} }
- Raises
Exception – if an error occurs an exception is serialized and returned
- context()¶
GET, POST /userservice/context
Deprecated since version 3.2: requests using the HTTP POST method, because this endpoint only reads data. It will only be available via HTTP GET in the future.
This is the authentication to self service. If you want to do ANYTHING with selfservice, you need to be authenticated. The _before_ hook is executed before any other function in this controller.
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- delete()¶
POST /userservice/delete
This is the internal delete token function that is called from within the self service portal. The user is only allowed to delete tokens that belong to them.
- Parameters
serial – the serial number of the token
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- delete_cookie(name)¶
- disable()¶
POST /userservice/disable
disables a token
as this is a controller method, the parameters are taken from BaseController.request_params
- Parameters
serial – serial number of the token *required
user – username in format user@realm *required
- Returns
a linotp json doc with result {'status': True, 'value': 2}
- enable()¶
POST /userservice/enable
enables a token or all tokens of a user
as this is a controller method, the parameters are taken from BaseController.request_params
- Parameters
serial – serial number of the token *required
user – username in format user@realm *required
- Returns
a linotp json doc with result {'status': True, 'value': 2}
- enroll()¶
POST /userservice/enroll
Enroll a token.
Note
Depending on the token type, further parameters have to be provided as HTTP parameters.
- Parameters
type – one of (hmac, totp, pw, …)
serial – a suggested serial number
prefix – a prefix for the serial number
description – an optional description for the token
otppin – the pin for the token
pin – (Deprecated) a legacy parameter for token pin. Use otppin instead.
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- finishocra2token()¶
POST /userservice/finishocra2token
finishocra2token - called from the selfservice web ui to finish the OCRA2 token enrollment by running the final check_t for the token
- Parameters
passw – the calculated verification otp
transactionid – the transactionid
- Returns
dict about the token
- Raises
Exception – if an error occurs an exception is serialized and returned
- getSerialByOtp()¶
GET, POST /userservice/getSerialByOtp
Deprecated since version 3.2: requests using the HTTP POST method, because this endpoint only reads data. It will only be available via HTTP GET in the future.
searches for the token that generates the given OTP value. The search can be restricted by several criteria. This method only searches tokens in the realm of the user and tokens that are not assigned!
- Parameters
otp – (required) Will search for the token, that produces this OTP value
type – (optional) will only search in tokens of type
- Returns
a json result with a boolean status and serial in the result
- Raises
Exception – if an error occurs an exception is serialized and returned
- getmultiotp()¶
GET, POST /userservice/getmultiotp
Deprecated since version 3.2: requests using the HTTP POST method, because this endpoint only reads data. It will only be available via HTTP GET in the future.
Using this function the user may receive OTP values for their own tokens.
- Parameters
count – number of otp values to return
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- history()¶
GET, POST /userservice/history
Deprecated since version 3.2: requests using the HTTP POST method, because this endpoint only reads data. It will only be available via HTTP GET in the future.
This returns the list of the token actions of this user, i.e. the audit information matching the given search pattern. Search patterns are given as key=value pairs.
- or: usually the key=value filters are AND concatenated.
If the parameter or=true is passed, the filters are OR concatenated.
- The Flexigrid provides us the following parameters:
('page', '1'), ('rp', '100'), ('sortname', 'number'), ('sortorder', 'asc'), ('query', ''), ('qtype', 'serial')
- Parameters
page – the page number (Flexigrid default: 1)
rp – the number of rows per page (default: 100)
sortname – the column to sort by (default: number)
sortorder – asc or desc (default: asc)
query – the search value; qtype names the column it applies to (default: serial)
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- jwt_exempt = True¶
- login()¶
GET, POST /userservice/login
Deprecated since version 3.2: requests using the HTTP GET method, because this endpoint modifies data. It will only be available via HTTP POST in the future.
user authentication, for example for the remote selfservice
- Parameters
login – login name of the user, normally in the user@realm format
realm – the realm of the user
password – the password for the user authentication
otp – optional the otp
- Returns
{result : {value: bool} }
- Raises
Exception – if an error occurs an exception is serialized and returned
- logout()¶
hook for the auth, which deletes the cookies of the current session
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- pre_context()¶
GET, POST /userservice/pre_context
Deprecated since version 3.2: requests using the HTTP POST method, because this endpoint only reads data. It will only be available via HTTP GET in the future.
This is the authentication to self service. If you want to do ANYTHING with selfservice, you need to be authenticated. The _before_ hook is executed before any other function in this controller.
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- reset()¶
POST /userservice/reset
This internally resets the failcounter of the given token.
- Parameters
serial – the serial number of the token
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- resync()¶
POST /userservice/resync
This is the internal resync function that is called from within the self service portal
- Parameters
serial – the serial number of the token
otp1 – the first otp for the sequence
otp2 – the second otp for the sequence
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- set_cookie(name, **kwargs)¶
- setdescription()¶
POST /userservice/setdescription
sets a description for a token, provided the setDescription policy is set.
as this is a controller method, the parameters are taken from BaseController.request_params
- Parameters
serial – serial number of the token *required
description – string containing a new description for the token
- Returns
a linotp json doc with result {‘status’: True, ‘value’: True}
- Raises
Exception – if an error occurs an exception is serialized and returned
- setmpin()¶
POST /userservice/setmpin
When the user hits the set pin button, this function is called.
- Parameters
serial – the serial number of the token
pin – the pin for the token
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- setpin()¶
POST /userservice/setpin
When the user hits the set pin button, this function is called.
- Parameters
serial – the serial number of the token
userpin – the pin for the token
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- unassign()¶
POST /userservice/unassign
This is the internal unassign function that is called from within the self service portal. The user is only allowed to unassign tokens that belong to them.
- Parameters
serial – the serial number of the token
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- userinfo()¶
GET, POST /userservice/userinfo
Deprecated since version 3.2: requests using the HTTP POST method, because this endpoint only reads data. It will only be available via HTTP GET in the future.
hook for the auth, which requests additional user info
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- usertokenlist()¶
GET, POST /userservice/usertokenlist
Deprecated since version 3.2: requests using the HTTP POST method, because this endpoint only reads data. It will only be available via HTTP GET in the future.
This returns a tokenlist as html output
- Parameters
active – (optional) True or False - should only active or inactive tokens be returned default is to show both
- Returns
a tokenlist as html output
- Raises
Exception – if an error occurs an exception is serialized and returned
- verify()¶
GET, POST /userservice/verify
Deprecated since version 3.2: requests using the HTTP GET method, because this endpoint modifies data. It will only be available via HTTP POST in the future.
verify a token, identified by a serial number
after a successful authentication and a valid session, the identified user can verify their enrolled tokens. The token to verify is selected by its serial number.
for directly authenticating tokens like hmac and totp, the parameter otp is required:
a valid verification request example would be:
replied by the usual /validate/check json response:
{
  "jsonrpc": "2.XX",
  "result": {
    "status": true,
    "value": true
  },
  "version": "LinOTP 2.XX",
  "id": 1
}
- Parameters
serial –
transactionid –
otp –
session –
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
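The request example is missing above, so here is an added client, not LinOTP project code, that exercises the flow documented by the class description, login, getSerialByOtp, assign and verify: log in via POST, keep the auth cookie the server sets, look up an unassigned token by OTP via GET, assign it and verify it via POST, and refuse to continue when the session is rejected. The transport is pluggable; `FakeServer` is a constructed stand-in so the block runs offline, and its cookie name, the serial HOTP0001 and the shape of each response are invented, not captured from a real server. The OTPs 755224 and 287082 are the first two HOTP values of the RFC 4226 test vector. `mfa_login_password` builds the base32 `password` parameter the auth endpoint documents; that the server splits it on the first ':' is an assumption of this example.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

class LinotpError(Exception):
    """result.status was false, or the request was not authenticated."""

def urllib_transport(method, url, params, cookies):
    """Real HTTP transport; returns (status, [Set-Cookie headers], body text)."""
    query = urllib.parse.urlencode(params)
    body = query.encode() if method == "POST" else None
    if method != "POST" and query:
        url = f"{url}?{query}"
    req = urllib.request.Request(url, data=body, method=method)
    if cookies:
        req.add_header("Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers.get_all("Set-Cookie") or [], resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get_all("Set-Cookie") or [], err.read().decode()

def mfa_login_password(os_passw, pin_otp):
    """`password` for /userservice/auth in mfa_login mode: base32 of "os_passw:pin+otp"
    (that the server splits it on the first ':' is an assumption of this example)."""
    return base64.b32encode(f"{os_passw}:{pin_otp}".encode()).decode()

class UserserviceClient:
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.cookies = {}  # the auth cookie issued by login ends up here

    def _call(self, method, endpoint, **params):
        params = {k: v for k, v in params.items() if v is not None}
        url = f"{self.base_url}/userservice/{endpoint}"
        status, set_cookies, body = self.transport(method, url, params, dict(self.cookies))
        for header in set_cookies:  # keep whatever the server sets, i.e. the auth cookie
            for name, morsel in SimpleCookie(header).items():
                self.cookies[name] = morsel.value
        if status == 401:
            raise LinotpError(f"{endpoint}: not authenticated")
        result = json.loads(body).get("result", {})
        if not result.get("status", False):
            raise LinotpError(result.get("error", {}).get("message", f"{endpoint}: failed"))
        return result.get("value")

    # modifying endpoints via POST, read-only ones via GET, as the 3.2 deprecations require
    def login(self, login, password, realm=None, otp=None):
        return bool(self._call("POST", "login", login=login, password=password, realm=realm, otp=otp))

    def get_serial_by_otp(self, otp, type=None):
        return self._call("GET", "getSerialByOtp", otp=otp, type=type)

    def assign(self, serial, pin=None, description=None):
        return self._call("POST", "assign", serial=serial, pin=pin, description=description)

    def verify(self, serial, otp=None, transactionid=None):
        return bool(self._call("POST", "verify", serial=serial, otp=otp, transactionid=transactionid))

def self_assign(client, login, password, search_otp, verify_otp, pin):
    """Login, find the unassigned token by OTP, assign it, verify it; returns (serial, verified)."""
    if not client.login(login, password):
        raise LinotpError("login rejected")
    found = client.get_serial_by_otp(search_otp)
    serial = found.get("serial") if isinstance(found, dict) else found
    if not serial:
        raise LinotpError("no unassigned token in the user's realm produces that OTP")
    client.assign(serial, pin=pin)
    return serial, client.verify(serial, otp=verify_otp)

class FakeServer:
    """Constructed offline stand-in for LinOTP; cookie name, serial and response shapes are invented."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, params, cookies):
        endpoint = url.rsplit("/", 1)[1]
        self.calls.append((method, endpoint, params))
        def reply(status, value=None, error=None, cookie=None):
            result = {"status": error is None, "value": value, **({"error": {"message": error}} if error else {})}
            return status, [cookie] if cookie else [], json.dumps({"result": result})
        if endpoint == "login":
            ok = params.get("password") == "secret"
            return reply(200, ok, cookie="user_selfservice=constructed; Path=/; HttpOnly" if ok else None)
        if "user_selfservice" not in cookies:  # every other endpoint needs the auth cookie
            return reply(401, error="no valid session")
        if endpoint == "getSerialByOtp":
            return reply(200, {"serial": "HOTP0001" if params.get("otp") == "755224" else ""})
        if endpoint == "assign":
            return reply(200, True)
        if endpoint == "verify":
            return reply(200, params.get("otp") == "287082")
        return reply(200, error=f"unknown endpoint {endpoint}")
```

A request without the cookie is answered with 401 and raised as LinotpError, and a login whose result value is false is raised the same way, so a caller never proceeds to admin requests on a session the server did not accept. Against a real server the same client is used with the default `urllib_transport` and the server's base URL.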
- webprovision()¶
POST /userservice/webprovision
This function is called when the create OATHtoken button is hit. This is used for web provisioning. See:
It returns the token data and the provisioning URL containing the HMAC key.
- Parameters
type – one of [oathtoken, googleauthenticator, googleauthenticator_time, ocra2]
description – a description which might be set for the token
serial – (optional) a serial number could be suggested
- Returns
a json result with a boolean status and request result
- Raises
Exception – if an error occurs an exception is serialized and returned
- linotp.controllers.userservice.add_and_delete_cookies(response)¶
Given a Response object, add or delete cookies as per the g.cookies_to_delete and g.cookies variables.
- linotp.controllers.userservice.get_auth_user(request)¶
retrieve the authenticated user either from selfservice or userservice api / remote selfservice
- Parameters
request – the request object
- Returns
tuple of (authentication type, authenticated user, authentication state)
- linotp.controllers.userservice.secure_cookie()¶
In the development environment, where we run in debug mode, there is probably no https configured, so secure cookies are switched off. This is done in settings.py. Outside debug mode the auth cookie must keep the Secure flag; without it the browser also sends the cookie over plain http.
- linotp.controllers.userservice.sendResult(obj, id=1, opt=None, status=True)¶
extend the standard sendResult to handle cookies
- linotp.controllers.userservice.unauthorized(exception, status=401)¶
extend the standard sendResult to handle cookies