API for adding a new user+otp

Aaaah ok, you’re right :slight_smile:
I thought that this was the correct way to retrieve the token :slight_smile:
So I have to change the API of my web service like this:

  1. admin/init
  2. admin/assign
  3. admin/enable
  4. enroll so a user can use an app like “freeOTP” to get the token by
    pushing a button
  5. check auth

My problem is how I can implement point 4. I’m writing this because my
project is a Python web client which makes some GET/POST requests to various
endpoints. So what I would like to know is how I can enroll a token (for
using it, for example, with FreeOTP) but without scanning the QR code
(because I have to enroll via terminal)
Thx :)

On Saturday, November 1, 2014 9:43:54 AM UTC+1, Cornelius Kölbel wrote:

yes, but why are you looking at getotp?
I assume that you will use some kind of HOTP tokens which will generate
the one time password.
So you do not need to ask privacyidea for the one time password.

The normal workflow would be

  1. enroll or import the seed of the hardware token
  2. push the button
  3. call /validate/check?user=student&pass=secret234765

Kind regards
Cornelius

On 01.11.2014 at 09:35, Paolo wrote:

I got confused between HOTP and TOTP :slight_smile:
For my purposes (project for a university course) this is perfect, I don’t
need the extra security of TOTP :wink:

Thanks a lot for your help :slight_smile:

On Saturday, November 1, 2014 9:23:28 AM UTC+1, Cornelius Kölbel wrote:

This is the somehow strange effect of the getotp idea.

You could also set max_count_hotp=30 and request the 30 next HOTP values
thus creating some kind of OTP list.
You can do this in the self service portal.

The getotp idea was originally used, when you have a proprietary backend
system, that does not allow to authenticate against RADIUS. If the backend
system allows to change passwords, then you can issue a getotp request on a
DPW (daily changing password) and set the password in the proprietary
system. Thus the user could authenticate to the proprietary system with a
different password every day.

How do you want to use getotp?

Thanks a lot for your patience. Any feedback is appreciated.

Kind regards
Cornelius

On 01.11.2014 at 09:06, Paolo wrote:

I’m sorry it’s all ok :slight_smile: the HOTP value changes when it has been used :wink:

On Saturday, November 1, 2014 8:57:45 AM UTC+1, Paolo wrote:

wohooooo :smiley:
now it is working perfectly :slight_smile: :slight_smile: :slight_smile:

Thanks a lot Cornelius

On Saturday, November 1, 2014 1:04:00 AM UTC+1, corneliu…@netknights.it wrote:

Hi Paolo,
I uploaded a new package 1.5dev7 in the ppa dev repository.
This contains a fix for user policies.
Can you try running this?
Thanks a lot
Cornelius

On Thursday, October 23, 2014 17:46:15 UTC+2, Paolo wrote:

Is it possible to add a new user with a custom python script? (I need
to dynamically add users to privacyidea upon a registration…


This is the perfect solution :smiley:
Thanks a lot, you helped me a lot!!

If you need something, I’m here :wink: (I’m already working on the Italian
translation but this will take me some time)

On Saturday, November 1, 2014 10:19:56 AM UTC+1, Cornelius Kölbel wrote:

Hi Paolo,

usually you would use the web UI, that comes with privacyIDEA.
Just call https://yourserver/
and login as administrator.

On the left side you see the “enroll” button.
Choose tokentype TOTP and click
the server generates the key.

You will see a QR code, which you can scan with freeOTP.

If you want the user to do this, you can use the self service portal.
The user logs into the selfservice portal and (you need to define a
policy, what the user is allowed to do in the portal), the user can
enroll a FreeOTP token for and on his own.
(https://privacyidea.org/doc/1.5dev7/policies/selfservice.html)

Kind regards
Cornelius


Cornelius Kölbel corneliu…@netknights.it
+49 151 2960 1417

NetKnights GmbH http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Kassel District Court, HRB 16405
Managing Director: Cornelius Kölbel
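
The HOTP behaviour discussed in this thread (a value stops working once it has been used, the next values can be listed ahead of time, and a token can be enrolled from a terminal without a QR code), as an added example that is not part of the original posts and not privacyIDEA's own code. It follows RFC 4226 and the `otpauth://` key URI format; the names `otp_list`, `provisioning_uri` and `HotpToken` are hypothetical, and the seed is the RFC 4226 test seed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_list(key: bytes, counter: int, count: int) -> list:
    """The next `count` values starting at `counter`, i.e. a printable OTP list."""
    return [hotp(key, c) for c in range(counter, counter + count)]


def provisioning_uri(key: bytes, user: str, counter: int = 0) -> str:
    """otpauth:// key URI: the data a QR code would carry, as plain text."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return f"otpauth://hotp/{quote(user)}?" + urlencode({"secret": secret, "counter": counter})


class HotpToken:
    """Hypothetical server-side token record: seed plus next expected counter."""

    def __init__(self, key: bytes, window: int = 10):
        self.key, self.counter, self.window = key, 0, window

    def check(self, otp: str) -> bool:
        # Look ahead a few counters in case the button was pushed without logging in.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c).encode(), otp.encode()):
                self.counter = c + 1  # burn this value and every earlier one
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 test seed; real tokens need os.urandom(20)
    token = HotpToken(seed)
    print(provisioning_uri(seed, "student"))
    print(otp_list(seed, 0, 3))
    print(token.check("755224"), token.check("755224"))  # accepted once, then rejected
```

The URI contains the seed itself, so terminal output, scrollback and logs that capture it have to be treated as secret material.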