Headless authentication

Dear community,

Is there a mechanism for machine-to-machine authentication as an alternative to SPass?

Interesting.
What do you want to achieve?

What is your definition of machine to machine authentication?

Unattended login with a functional account :slight_smile:
I.e. a service logging into an API protected with privacyIDEA.

You can use the SPASS token or the PW (password) token type.

But I would also consider using the SSHkey token type. You can upload the public SSH key to privacyIDEA and configure it so that the destination server reads the allowed SSH keys from privacyIDEA.
The accessing server can then use the private key to log in to the destination server.

You can control the public SSH key via privacyIDEA and thus revoke access by e.g. deleting this key.

The docs have more information about SSH keys. You need a script (somewhere in the repos) on the destination server that asks privacyIDEA for the allowed pubkeys.

Oh, it is not a destination ssh server but a destination API…?

Can you elaborate on this?

The business case would be:
I have a legacy, LDAP-dependent system. Now I switch to privacyIDEA to boost access security.

The system has a web UI where human users can log in: I want MFA to be used (TOTP, push, whatever).
The system is exposing an API as well. That endpoint is used by other systems or processes to access information and data. I cannot have MFA there as, obviously, there is no human present to approve the requests 24/7. In such a case, is there an alternative to SPass?

It may very well be a naive question! :slight_smile:

If you are in control of the “other systems” (the accessing systems) you could as well implement a TOTP-token in the code of the other systems.
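
As an added illustration of that suggestion (not code from privacyIDEA or from anyone in this thread), the following shows what "a TOTP token in the code of the other system" amounts to: the calling service derives the OTP from its enrolled seed (RFC 6238, HMAC-SHA1, 30-second step), and the verifying side accepts it within a small skew window while rejecting any replay of an already-used time step. The seed here is the RFC 4226/6238 test secret, a constructed value; a real service would get a per-service seed enrolled in privacyIDEA and keep it in a secret store.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226/6238 test secret, base32-encoded.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current time step. This is the client (service) side."""
    now = int(time.time()) if now is None else now
    return hotp(secret_b32, now // step, digits)


class TotpVerifier:
    """Server-side check: accept +/- `window` steps of clock skew, but never accept a
    time step at or below the last one used, so a captured OTP cannot be replayed."""

    def __init__(self, secret_b32, step=30, digits=6, window=1):
        self.secret_b32, self.step, self.digits, self.window = secret_b32, step, digits, window
        self.last_counter = -1  # highest counter already consumed

    def verify(self, otp, now=None):
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # replay or older step: refuse
            if hmac.compare_digest(hotp(self.secret_b32, c, self.digits), otp):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Headless client: compute the OTP and send it in the OTP/password field of the API call.
    otp = totp(DEMO_SEED_B32)
    print("service-generated OTP:", otp)
    print("accepted by verifier:", TotpVerifier(DEMO_SEED_B32).verify(otp))
```

Note that the seed is a static secret just like SPass or a password, so the gain over SPass is a short-lived, single-use credential on the wire rather than a stronger proof of who holds it; protect the seed accordingly and rotate it via re-enrollment.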

So they would programmatically use a TOTP? Neat!

Can you point me to some documentation, examples or libraries to achieve that?