linotp.tokens.hmactoken module

This file contains the dynamic HMAC token implementation: HmacTokenClass (HOTP)

class linotp.tokens.hmactoken.HmacTokenClass(a_token)[source]

Bases: linotp.tokens.base.TokenClass

hotp token class implementation

autosync(hmac2Otp, anOtpVal)[source]

autosync the token based on two OTP values. Internal method that realizes the autosync within the checkOtp method.

Parameters:
  • hmac2Otp (hmac object) – the hmac object (with reference to the token secret)
  • anOtpVal (string) – the actual otp value

Returns: counter or -1 if otp does not exist

Return type:


checkOtp(anOtpVal, counter, window, options=None)[source]

checkOtp - validate the token otp against a given otpvalue

Parameters:
  • anOtpVal (string) – the OTP value to be verified
  • counter (int) – the counter state that should be verified
  • window (int) – the counter + window, which should be checked
  • options (dict) – the dict, which could contain token specific info

Returns: the counter state or -1

Return type:


checkResponse4Challenge(user, passw, options=None, challenges=None)[source]

verify the response of a previous challenge

Parameters:
  • user – the requesting user
  • passw – the pass to be checked (pin+otp)
  • options – an additional argument, which could be token specific
  • challenges – the list of challenges, where each challenge is described as dict

Returns: tuple of (otpcounter and the list of matching challenges)

check_otp_exist(otp, window=10, user=None, autoassign=False)[source]

Checks whether the given OTP value is a value of this very token. This is used to autoassign and to determine the serial number of a token.

Parameters:
  • otp (string) – the OTP value to be verified
  • window (int) – the lookahead window for the counter

Returns: counter or -1 if otp does not exist

Return type:


createChallenge(state, options=None)[source]

create a challenge, which is submitted to the user

Parameters:
  • state – the state/transaction id
  • options – the request context parameters / data

Returns: tuple of (bool, message and data)
  • message is submitted to the user
  • data is preserved in the challenge
  • attributes are additional attributes, which could be returned

classmethod getClassInfo(key=None, ret='all')[source]

getClassInfo - returns a subtree of the token definition

Parameters:
  • key (string) – subsection identifier
  • ret (user defined) – default return value, if nothing is found

Returns: subsection if key exists or user defined

Return type:


classmethod getClassPrefix()[source]
classmethod getClassType()[source]

getClassType - return the token type shortname

Return type: string

getInitDetail(params, user=None)[source]

To complete the token normalisation, the response of the initialisation should be built by the token-specific method, getInitDetails.


get the next OTP value

Returns: next otp value
Return type: string

get the token sync timeout value

Returns: timeout value in seconds
Return type: int

get_multi_otp(count=0, epoch_start=0, epoch_end=0, curTime=None)[source]

return a dictionary of multiple future OTP values of the HOTP/HMAC token

Parameters: count (int) – how many otp values should be returned
Returns: tuple of status: boolean, error: text and the OTP dictionary

is_challenge_request(passw, user, options=None)[source]

check, if the request would start a challenge

  • default: if the passw contains only the pin, this request would trigger a challenge
  • in this place as well the policy for a token is checked

Parameters:
  • passw – password, which might be pin or pin+otp
  • options – dictionary of additional request parameters

Returns: true or false

is_challenge_response(passw, user, options=None, challenges=None)[source]

This method checks whether this request is the response to a previously sent challenge.

The default behaviour to check if this is the response to a previous challenge is simply by checking if the request contains a parameter state or transactionid i.e. checking if the options parameter contains a key state or transactionid.

This method does not try to verify the response itself! It only determines, if this is a response for a challenge or not.

Parameters:
  • passw (string) – password, which might be pin or pin+otp
  • user (User object) – the requesting user
  • options (dict) – dictionary of additional request parameters
  • challenges – A list of challenges for this token. These challenges may be used to identify whether this request is a response for a challenge.

Returns: true or false

resync(otp1, otp2, options=None)[source]

resync the token based on two otp values - external method to do the resync of the token

Parameters:
  • otp1 (string) – the first otp value
  • otp2 (string) – the second otp value
  • options (dict or None) – optional token specific parameters

Returns: counter or -1 if otp does not exist

Return type:


update(param, reset_failcount=True)[source]

update - process the initialization parameters

Parameters: param (dict) – dict of initialization parameters
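
The counter window described for checkOtp and the two-value check described for resync, shown as an added example that is not LinOTP's own code: plain RFC 4226 HOTP using the RFC's test secret. The function names, the half-open window `[counter, counter + window)` and the return convention are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret; not a LinOTP value.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for a single counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_otp(secret: bytes, otp: str, counter: int, window: int) -> int:
    """Return the matching counter in [counter, counter + window), else -1."""
    for c in range(counter, counter + window):
        # Constant-time compare; bytes avoids the TypeError str raises on non-ASCII.
        if hmac.compare_digest(hotp(secret, c).encode(), otp.encode()):
            return c
    return -1


def resync(secret: bytes, otp1: str, otp2: str, counter: int, sync_window: int) -> int:
    """Accept only if otp2 directly follows otp1; return otp2's counter or -1."""
    end = counter + sync_window
    c = check_otp(secret, otp1, counter, sync_window)
    while c != -1:
        if check_otp(secret, otp2, c + 1, 1) == c + 1:
            return c + 1
        # otp1 may collide at a later counter; keep scanning the rest of the window.
        c = check_otp(secret, otp1, c + 1, end - (c + 1))
    return -1


if __name__ == "__main__":
    stored = 0
    hit = check_otp(SECRET, "969429", stored, 10)  # token is at counter 3
    stored = hit + 1  # advance past the match so the value cannot be replayed
    print("matched", hit, "replay ->", check_otp(SECRET, "969429", stored, 6))
    print("resync ->", resync(SECRET, "162583", "399871", 0, 10))
```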