Is the WebUI login taking into account authorization policies?


I would like to achieve the following:

  • users accessing the webUI from internal network are allowed to use any token they have configured
  • users accessing the webUI from outside are allowed to use only a token of type sms

So far, I have a WebUI policy with login_mode set to privacyIDEA and no IP associated to it. This means that anyone (but the admin) needs to provide an OTP to login in the web interface of PI. Perfect.

Now, as a first test, I created an authorization policy with tokentype set to sms and placed as Client the IP of my computer. Still I could log in the WebUI of PI with a paper-based token.

Thus I am wondering if the WebUI access is honouring authorization policies (and authentication policies as well).
Could anyone provide me with some information about it?

I am running version 2.22

Thank you in advance.

Best regards,
Paul Hasenohr

Hello Paul,
welcome back.
Interesting question!

The endpoint validate/check uses the policy for the tokentype:

The login for the webui is the /auth endpoint here:

which for reasons not decorated with the policy decorater.

The webui is then is checked here:

So to answer your questions, no these policies are not checked.


Hello Cornelius,

Thanks a lot for your prompt reply.
Would it require a significant amount of work to make it possible and do you think that other users would be interested in such a feature?

Best regards,


significant is an interesting word. The answer to your second question is probably “yes”.

See here:

Thanks for having opened an issue about it with a milestone associated to it!
And my apologies for this late answer.