I can not validate challenge: "Response did not match the challenge."

privacyIDEA v3.0
I created a HOTP Token.

I used the validate/triggerchallenge endpoint to create a challenge. I used this request:
Request: https://qa-mfa-privacy-idea.app.apap.com.do/validate/triggerchallenge?serial=OATH00027B13

Response:

{
    "detail": {
        "attributes": null,
        "message": "please enter otp: ",
        "messages": [
            "please enter otp: "
        ],
        "multi_challenge": [
            {
                "attributes": null,
                "message": "please enter otp: ",
                "serial": "OATH00027B13",
                "transaction_id": "02265202384116192764",
                "type": "hotp"
            }
        ],
        "serial": "OATH00027B13",
        "threadid": 139726082967360,
        "transaction_id": "02265202384116192764",
        "transaction_ids": [
            "02265202384116192764"
        ],
        "type": "hotp"
    },
    "id": 1,
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": 1
    },
    "time": 1558559941.6664152,
    "version": "privacyIDEA unknown",
    "versionnumber": "unknown",
    "signature": "rsa_sha256_pss:..."
}

When I want to validate the previous challenge I use the validate/check endpoint, but I always receive the following response: “Response did not match the challenge.” I used this request:

Request Body:

{
    "serial": "OATH00027B13",
    "transaction_id": "02265202384116192764",
    "pass": "secret404872"
}

Response:

{
    "detail": {
        "message": "Response did not match the challenge.",
        "serial": "OATH00027B13",
        "threadid": 139726082967360,
        "type": "hotp"
    },
    "id": 1,
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": false
    },
    "time": 1558559970.1846201,
    "version": "privacyIDEA unknown",
    "versionnumber": "unknown",
    "signature": "rsa_sha256_pss:..."
}

I need your help with this mistake.

Hello and welcome to privacyIDEA!

Your response must not contain the secret! Only

"pass": "404872"

The idea of general challenge-response is that the user initially sends his PIN (“secret”) and then, in a second step, sends only his OTP value (“404872”). These two HTTP requests are bound together by the transaction_id.

The idea of the triggerchallenge is that there are scenarios where the user can not send his PIN.
So you call an administrative triggerchallenge, which replaces the creation of the challenge by the PIN.
Still, in the second http request you only need to send the pin the OTP value.
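To make the two flows in this answer concrete, here is an added example (not privacyIDEA's own code): a tiny in-memory model of /validate/check and /validate/triggerchallenge with an RFC 4226 HOTP, showing that the answer to an open challenge is accepted only when it carries the OTP alone. The serial, the PIN "secret" and the token seed are constructed sample values.

```python
import hashlib
import hmac
import secrets


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ChallengeResponseModel:
    """Toy model of the two /validate flows from this thread; not privacyIDEA's code."""
    def __init__(self, serial: str, pin: str, key: bytes):
        self.serial, self.pin, self.key = serial, pin, key
        self.counter = 0      # HOTP counter, advanced on each accepted OTP
        self.challenges = {}  # open transaction_id -> serial

    def trigger_challenge(self, serial: str) -> dict:
        """Administrative /validate/triggerchallenge: opens a challenge without any PIN."""
        tid = str(secrets.randbelow(10 ** 20)).zfill(20)   # unguessable transaction id
        self.challenges[tid] = serial
        return {"value": True, "transaction_id": tid, "message": "please enter otp: "}

    def check(self, serial: str, passwd: str, transaction_id=None) -> dict:
        """/validate/check: the PIN alone opens a challenge; the answer is the OTP alone."""
        if transaction_id is None:
            if hmac.compare_digest(passwd, self.pin):
                return self.trigger_challenge(serial)
            return {"value": False, "message": "wrong otp pin"}
        if self.challenges.get(transaction_id) != serial:
            return {"value": False, "message": "Response did not match the challenge."}
        # Accept the OTP for the current counter or a small look-ahead window.
        for c in range(self.counter, self.counter + 10):
            if hmac.compare_digest(hotp(self.key, c), passwd):
                self.counter = c + 1
                del self.challenges[transaction_id]   # a challenge is answered once
                return {"value": True, "message": "matching 1 tokens"}
        return {"value": False, "message": "Response did not match the challenge."}


def demo() -> tuple:
    # Reproduces the thread: PIN+OTP in step two is rejected, the OTP alone is accepted.
    key = b"constructed-demo-seed"  # constructed seed, not a real token secret
    srv = ChallengeResponseModel("OATH00027B13", "secret", key)
    otp = hotp(key, 0)
    tid = srv.trigger_challenge("OATH00027B13")["transaction_id"]
    with_pin = srv.check("OATH00027B13", "secret" + otp, tid)["value"]
    otp_only = srv.check("OATH00027B13", otp, tid)["value"]
    return with_pin, otp_only
```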

I think you meant to say “in the second http request you only need to send the OTP value”?

Of course, you know! :wink:

Hello!!

Thank you, but still I have a doubt:

After generating the challenge I used the validate/check endpoint and I'm getting the following response with the error "wrong otp pin":

request:

{
    "serial": "OATH00114088",
    "pass": "secret"
}

response:

{
   "detail":{
      "message":"wrong otp pin",
      "threadid":139726082967360
   },
   "id":1,
   "jsonrpc":"2.0",
   "result":{
      "status":true,
      "value":false
   },
   "time":1558640479.107572,
   "version":"privacyIDEA unknown",
   "versionnumber":"unknown",
   "signature":"rsa_sha256_pss:8ea..."
}

Thank you in advance.

Regards,


This is the correct response.
Read my previous post in regards to the transaction_id or
https://privacyidea.readthedocs.io/en/latest/modules/api/validate.html#post--validate-check
and then tell me, at which point exactly we have to improve the documentation.
Thanks a lot.