linotp.tokens.u2ftoken module

class linotp.tokens.u2ftoken.U2FTokenClass(aToken)[source]

Bases: linotp.tokens.base.TokenClass

U2F token class implementation

The U2F protocol as specified by the FIDO Alliance uses public key cryptography to perform second factor authentications. On registration the U2F compatible token creates a public/private key pair and sends the public key to the relying party (i.e. this LinOTP class). On authentication the U2F compatible token uses the private key to sign a challenge received from the relying party. This signature can be checked by the relying party using the public key received during registration.
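An added example, not LinOTP's own code, of the relying-party side of the authentication step described above: it checks the client data, user presence bit and counter of a U2F sign response, rebuilds the bytes the token signed, and returns the new counter or -1. The function name, its parameters and the `verify_signature` callable (assumed to wrap an ECDSA P-256 / SHA-256 library call using the public key stored at registration) are assumptions; the message layout follows the FIDO U2F raw message format.

```python
import base64
import hashlib
import json
import struct


def b64url_decode(text):
    """Decode URL-safe base64 without padding, as used in U2F messages."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_u2f_sign_response(response, challenge, origin, app_id, last_counter,
                            public_key, verify_signature):
    """Return the token's new counter on success, or -1 on any failure.

    verify_signature(public_key, message, signature) -> bool is an assumed
    callable backed by an ECDSA P-256 / SHA-256 library.
    """
    try:
        client_data_raw = b64url_decode(response["clientData"])
        client_data = json.loads(client_data_raw)
        signature_data = b64url_decode(response["signatureData"])
        # signatureData: user presence (1 byte) | counter (4 bytes, big endian) | signature
        presence, counter = struct.unpack(">BI", signature_data[:5])
    except (KeyError, TypeError, ValueError, struct.error):
        return -1
    # The client data must be an assertion over the challenge this server issued,
    # produced on the expected origin.
    if (not isinstance(client_data, dict)
            or client_data.get("typ") != "navigator.id.getAssertion"
            or client_data.get("challenge") != challenge
            or client_data.get("origin") != origin):
        return -1
    if not presence & 0x01:        # the user did not confirm presence on the token
        return -1
    if counter <= last_counter:    # replayed response or cloned token
        return -1
    # Bytes covered by the token's signature:
    # SHA-256(appId) | presence | counter | SHA-256(clientData)
    message = (hashlib.sha256(app_id.encode()).digest()
               + signature_data[:5]
               + hashlib.sha256(client_data_raw).digest())
    if not verify_signature(public_key, message, signature_data[5:]):
        return -1
    return counter
```

The caller stores the returned counter as the token's new `last_counter` only after a successful check, so that a replayed response is rejected on the next attempt.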

checkOtp(passw, counter, window, options=None)[source]

checkOtp - standard callback of LinOTP to verify the token

  • passw (string) – the passw / otp, which has to be checked
  • counter (int) – the start counter
  • window (int) – the window, in which the token is valid
  • options (dict) – options

Returns: verification counter or -1

Return type: int (-1)

checkResponse4Challenge(user, passw, options=None, challenges=None)[source]

This method verifies if the given passw matches any existing challenge of the token.

It then returns the new otp_counter of the token and the list of the matching challenges.

In case of success the otp_counter needs to be > 0. The matching_challenges is passed to the method challenge_janitor() to clean up challenges.

  • user (User object) – the requesting user
  • passw (string) – the password (pin+otp)
  • options (dict) – additional arguments from the request, which could be token specific
  • challenges (list) – A sorted list of valid challenges for this token.

Returns: tuple of (otpcounter and the list of matching challenges)

createChallenge(transactionid, options=None)[source]

create a challenge, which is submitted to the user

  • state – the state/transaction id
  • options – the request context parameters / data

Returns: tuple of (bool, message and data); message is submitted to the user, data is preserved in the challenge, attributes are additional attributes, which could be returned

classmethod getClassInfo(key=None, ret='all')[source]

getClassInfo - returns a subtree of the token definition

  • key (string) – subsection identifier
  • ret (user defined) – default return value, if nothing is found

Returns: subsection if key exists or user defined

Return type:


classmethod getClassPrefix()[source]
classmethod getClassType()[source]

getClassType - return the token type shortname

Return type: string

getInitDetail(params, user=None)[source]

To complete the token normalisation, the response of the initialisation should be built by the token-specific method getInitDetails.

is_challenge_request(passw, user, options=None)[source]

check if the request would start a challenge

  • default: if the passw contains only the pin, this request would trigger a challenge
  • in this place as well the policy for a token is checked

  • passw – password, which might be pin or pin+otp
  • options – dictionary of additional request parameters

Returns: true or false


Split pin and otp given in the passw parameter

Parameters: passw – string representing pin+otp

Returns: tuple of true or false for res, the pin value for pin and the otp value for otpval

update(param, reset_failcount=False)[source]