linotp.tokens.forwardtoken module

This file file contains the Forward token class

class linotp.tokens.forwardtoken.ForwardTokenClass(aToken)

Bases: TokenClass

The Forward token forwards an authentication request to another token. specified by a serial number. The PIN is only checked local.

Using the Forward token you can assign one physical token to many different users.

authenticate(passw, user, options=None)

do the authentication on base of password / otp and serial and options, the request parameters.

Parameters

  • passw – the password / otp

  • user – the requesting user

  • options – the additional request parameters

Returns

tupple of (success, otp_count - 0 or -1, reply)

checkResponse4Challenge(user, passw, options=None, challenges=None)

This method verifies if the given passw matches any existing challenge of the token.

It then returns the new otp_counter of the token and the list of the matching challenges.

In case of success the otp_counter needs to be >= 0. The matching_challenges is passed to the method challenge_janitor() to clean up challenges.

Parameters

  • user – the requesting user

  • passw – the password (pin+otp)

  • options – additional arguments from the request, which could be token specific

  • challenges – A sorted list of valid challenges for this token.

Returns

tuple of (otpcounter and the list of matching challenges)

check_challenge_response(challenges, user, passw, options: Optional[dict] = None)

reply the challenges of the target token

we are a proxy for the challenge handling: - we have to inform the target token that it has to deal with the

challenges of the forward token and

  • on the reply, we have to replace the target token lists with ourself

only the matching challenges are derived from the target token but with the option above should be our ones :)

createChallenge(transactionid, options=None)

create a challenge if the target token does support this

do_request(passw, transactionid=None, user=None)

run the http request against the forward host

Parameters

  • passw – the password which should be checked on the forward host

  • transactionid – provided, if this is a challenge response

  • user – the requesting user - used if no forward serial or forward user is provided

Returns

Tuple of (success, otp_count= -1 or 0, reply=forward response)

classmethod getClassInfo(key=None, ret='all')

getClassInfo - returns a subtree of the token definition

Parameters

  • key – subsection identifier

  • ret – default return value, if nothing is found

Returns

subsection if key exists or user defined

classmethod getClassPrefix()

return the token type prefix

classmethod getClassType()

return the class type identifier

getOfflineInfo()

interface the offline capability of the target token

is_challenge_request(passw, user, options=None)

This method checks, if this is a request, that triggers a challenge. The pin is checked locally only

Parameters

  • passw – password, which might be pin or pin+otp

  • user – The user from the authentication request

  • options – dictionary of additional request parameters

Returns

true or false

statusValidationFail()

with this hook we * increment the target token otp count to prevent replay and * optionally increment the target fail count

statusValidationSuccess()

with this hook we * increment the target token otp count to prevent replay and * optionally reset the target token failcounter

property supports_offline_mode

getter - to check if the target token supports offline support

update(param)

second phase of the init process - updates token specific parameters

Parameters

param – the request parameters

Returns

  • nothing -

linotp.tokens.forwardtoken.do_forward_failcounter(token)

this function checks the for the policy

scope=authentication, action=forwardtoken:no_failcounter_forwarding

defining if the target token failcounter should be incremented / reseted

Parameters

serial – the token serial number, which allows to derive the realm(s) and owner from

Returns

boolean