I’ve been testing the push tokens for a little bit. It works great for a /validate/check but I wanted to ensure I was doing the /auth workflow properly.
I need to be able to get the authorization token and here is what I have been doing to get it:
1. Call /auth endpoint with correct PIN
2. Receive response that token needs to be confirmed on device
3. Confirm within privacyIDEA authenticator
4. Respond to the /auth with a blank PIN (using the challenge/transaction ID from #2)
5. Authorization token is provided in response
Is this the proper workflow for this or will this change in the future?
My scenario is having a small web application that allows a user to view/edit/set PIN on their own tokens.
For all standard tokens or challenge based it works as follows:
1. Send PIN to /auth
2. Receive challenge and send challenge response back to /auth
3. Receive auth token
For push tokens I have the following setup:
1. Send PIN to /auth
2. Display notification to user to accept request on their phone
3. Poll /token/challenges until it is marked answered or it expires
4. <What do I do here to get the auth token now that the /token/challenges has been marked answered>
For #4 in the push token, I have been sending back a /auth with a blank PIN after I find the /token/challenges has been answered and it appears to function properly, but I wanted to confirm that this was the proper way to get the auth token.
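
The push flow exactly as the post above describes it, as an added example that is not part of the original post and is not privacyIDEA's own code. `post_auth` and `challenge_state` are hypothetical callables wrapping the POST to /auth and the /token/challenges poll; the request and response field names and `FakeServer` are assumptions constructed for the example.

```python
import time

class PushAuthError(Exception): pass

def _token(resp):
    # Assumed success shape: {"result": {"value": {"token": "..."}}}
    value = resp.get("result", {}).get("value")
    return value.get("token") if isinstance(value, dict) else None

def push_auth(post_auth, challenge_state, username, pin,
              timeout=60.0, interval=2.0, sleep=time.sleep, clock=time.monotonic):
    # Step 1: send the PIN; a push token answers with a transaction ID, not a token.
    first = post_auth({"username": username, "password": pin})
    if _token(first):
        return _token(first)  # no challenge was triggered for this user
    txid = first.get("detail", {}).get("transaction_id")
    if not txid:
        raise PushAuthError("PIN rejected or no challenge triggered")
    # Steps 2-3: poll against a hard deadline so an ignored push cannot hang the login.
    deadline = clock() + timeout
    while clock() < deadline:
        state = challenge_state(txid)
        if state == "answered":
            break
        if state == "expired":
            raise PushAuthError("challenge expired")
        sleep(interval)
    else:
        raise PushAuthError("timed out waiting for confirmation")
    # Step 4: blank PIN plus the same transaction ID; only a server-issued token counts.
    second = post_auth({"username": username, "password": "", "transaction_id": txid})
    token = _token(second)
    if not token:
        raise PushAuthError("server did not issue an auth token")
    return token

class FakeServer:
    """Constructed stand-in for the server; confirms after `polls_needed` polls."""
    def __init__(self, polls_needed):
        self.polls_left, self.confirmed = polls_needed, False
    def post_auth(self, p):
        if p.get("transaction_id") == "tx-1" and p["password"] == "" and self.confirmed:
            return {"result": {"value": {"token": "constructed-auth-token"}}}
        ok = p["password"] == "1234" and "transaction_id" not in p
        return {"result": {"value": False}, "detail": {"transaction_id": "tx-1"} if ok else {}}
    def challenge_state(self, txid):
        self.polls_left -= 1
        self.confirmed = self.polls_left <= 0
        return "answered" if self.confirmed else "pending"
```

The web application should treat the user as logged in only once `push_auth` returns a token, never on the strength of the poll result alone.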