Hello, Cornelius
> Thank you, I moved one step forward.
> Now I'm trying to check whether the user really has an SMS token configured when
> he presses the "Get SMS" button (which uses the /validate/check URL).
>
> For a user with a disabled SMS token I'm still getting:
> "detail": {"message": "Enter the OTP from the SMS:"}, "versionnumber": "2.9", "version": "privacyIDEA 2.9", "result": {"status": true, "value": false}, "time": 1453372931.413365, "id": 1}
If the SMS token is disabled, the SMS should not be sent, since
authentication will not work anyway. Do you receive an SMS?
Maybe we might have to do a small fix here.
No, SMS were not sent. But our login script would be confusing for
users during the login process with this message from privacyIDEA.
You may check for the transaction_id.
Meanwhile, I will see to it that detail->message is not returned if the token is
inactive.
>
> For a user without SMS tokens the response is the same as for a user with a wrong
> password:
> "detail": {"message": "wrong otp pin"}, "versionnumber": "2.9", "version": "privacyIDEA 2.9", "result": {"status": true, "value": false}, "time": 1453373017.457972, "id": 1}
I assume the user has another token and thus you get this response.
Yes.
That is the reason why.
>
> As far as I understand I should stick to status/value pairs for all
> checks via the API, but what condition should be used to tell that the user
> has no option to get an SMS, and hide the "Get SMS" button for him after the first
> try?
There is no simple way to receive this information.
In fact it would leak information to the attacker, wouldn't it?
Well, since privacyIDEA has policies, maybe it would be possible to have
some trusted subnet for internal users or something like this.
BTW, is it possible to have an additional key for the API to specify the real
user IP? The same thing mod_rpaf does for Apache when it is sitting behind
Nginx. In the current configuration I'm planning to hide the privacyIDEA check
URL and restrict it for everyone except the server with the TFA login page. So all
requests to check would arrive from a single IP address.
You did not explain your setup and I do not understand it.
Please take a look at the services for specific consultancy.
https://netknights.it/en/leistungen/support/
Kind regards
Cornelius

On Monday, 25.01.2016, 01:28 -0800, MKS wrote:
On Monday, January 25, 2016 at 10:45:53 AM UTC+2, Cornelius Kölbel wrote:
On Thursday, 21.01.2016, 02:59 -0800, MKS wrote:
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel
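The check Cornelius suggests above (decide from result.status, result.value and the presence of detail.transaction_id, not from the display text in detail.message), as an added example that is not code from this thread or from the privacyIDEA project. The response layout is assumed to match the /validate/check responses quoted in the thread; the transaction_id value and the "matching 1 tokens" response are constructed samples.

```python
"""Classify privacyIDEA /validate/check responses for a login page.

Added example; assumes the response layout quoted in the thread: a top-level
"result" with "status"/"value" and a "detail" object carrying "message" and,
when a challenge (such as an SMS) was really triggered, a "transaction_id".
"""
import json

# Constructed sample responses shaped like the ones quoted in the thread.
CHALLENGE_TRIGGERED = json.dumps({
    "detail": {"message": "Enter the OTP from the SMS:",
               "transaction_id": "01234567890123456789"},  # constructed value
    "result": {"status": True, "value": False},
    "id": 1, "version": "privacyIDEA 2.9", "versionnumber": "2.9",
})
INACTIVE_TOKEN = json.dumps({
    # The prompt text may still be returned even though no SMS went out.
    "detail": {"message": "Enter the OTP from the SMS:"},
    "result": {"status": True, "value": False},
    "id": 1, "version": "privacyIDEA 2.9", "versionnumber": "2.9",
})
WRONG_PIN = json.dumps({
    "detail": {"message": "wrong otp pin"},
    "result": {"status": True, "value": False},
    "id": 1, "version": "privacyIDEA 2.9", "versionnumber": "2.9",
})
AUTHENTICATED = json.dumps({
    "detail": {"message": "matching 1 tokens"},  # constructed sample
    "result": {"status": True, "value": True},
    "id": 1, "version": "privacyIDEA 2.9", "versionnumber": "2.9",
})


def classify(raw: str) -> str:
    """Return 'authenticated', 'challenge', 'failed' or 'error'.

    detail.message is display text and may be present even when no SMS was
    sent, so it never drives the decision; transaction_id does.
    """
    body = json.loads(raw)
    result = body.get("result") or {}
    if not result.get("status", False):
        return "error"            # the request itself failed
    if result.get("value") is True:
        return "authenticated"
    detail = body.get("detail") or {}
    if detail.get("transaction_id"):
        return "challenge"        # show the OTP prompt and keep transaction_id
    return "failed"               # no challenge pending: treat like a wrong PIN
```

With this, the "Get SMS" button can stay hidden unless the response carries a transaction_id, and the inactive-token case is handled the same way as a wrong PIN.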