REST API tokens

Hi, I’m trying to understand how to use API tokens. When I’m sending a POST request:

curl --header "Content-Type: application/json" \
--request POST \
--data '{"username":"admin","password":"admin"}' \
https://privacyidea.com/auth -k

I’m getting a response:


Could you please provide examples of how to use the auth token for further requests? Thanks

This is noted in the documentation:

https://privacyidea.readthedocs.io/en/latest/modules/api/auth.html#post--auth

I would like to use the token (Auth-Token) created for the API as shown below; however, this is not covered in the document. Are we only supposed to use a plaintext username and password?

pi-manage api createtoken -R allusers -d 365 -r admin
Username: c3ea9e899e516b3e6eefa19f084dedb18775d8cf
Realm: allusers
Role: admin
Validity: 365 days
Auth-Token: b'eyJ0eXAiO…

Any help you can provide will be most helpful.

Thanks,
-Jeff

Hi @ramsayj74
welcome to the privacyIDEA community.

Actually, this is covered in the above mentioned link.
You only need to read till the end!

Well, I am not sure what I am doing wrong because I keep getting HTTP 401 / “Authentication failure. Wrong credentials” with a simple curl command. Maybe, you can answer this for me, what is the “credentials of the user” from the createapi option? I am using the Auth-Token as presented.

curl -iL \
-H 'Accept: application/json' \
-H 'Content-type: application/json' \
-d '{"username":"apiadmin","password":"b'eyJ0eXAi…kHqA'","realm":"administrators"}' \
-X POST https://pi.foo.edu/auth

Thanks,
-Jeff

The pi-manage api createtoken is basically the same as calling the /auth endpoint.
You call restricted API functions with the token in the Authentication header of the request. An example is shown at the end of the page as @cornelinux pointed out.

Hello -

I was able to figure this out. The part that was not clear to me is that the api createtoken username had to match an existing user.

Thanks for the feedback.

-Jeff
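
Added example (not part of the thread and not privacyIDEA's own code): the flow the replies point to, sketched in Python. It takes the token from the /auth response or from the pi-manage output (dropping the b'...' wrapper), decodes its claims without verifying the signature to check expiry and the username Jeff mentions, and builds a request that carries the token in the Authorization header instead of as a password. The host pi.example.com, the claim names in the sample token and the known_users set are assumptions; the sample token and response are constructed.

```python
import base64
import json
import urllib.request

def normalize_token(pasted):
    """Strip the Python bytes repr b'...' that pi-manage prints around the token."""
    tok = pasted.strip()
    if len(tok) >= 3 and tok[0] == "b" and tok[1] in "'\"" and tok[-1] == tok[1]:
        tok = tok[2:-1]
    return tok

def token_from_auth_response(body):
    """Return result.value.token from a /auth JSON response body."""
    doc = json.loads(body)
    if not doc.get("result", {}).get("status"):
        raise ValueError("/auth did not report success")
    return doc["result"]["value"]["token"]

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def token_problems(token, known_users, now):
    """List likely reasons for a 401; known_users is a hypothetical local user list."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if claims.get("username") not in known_users:
        problems.append("username does not match an existing user")
    return problems

def authorized_request(base_url, path, token):
    """Build (not send) a request with the token in the Authorization header."""
    return urllib.request.Request(base_url.rstrip("/") + path,
        headers={"Authorization": normalize_token(token), "Accept": "application/json"})

# Constructed sample data: placeholder signature, claim names are assumptions.
def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([_seg({"typ": "JWT", "alg": "HS256"}),
    _seg({"username": "apiadmin", "realm": "administrators", "role": "admin", "exp": 4102444800}),
    "constructed-signature"])
SAMPLE_AUTH_BODY = json.dumps({"result": {"status": True, "value": {"token": SAMPLE_TOKEN}}})
```

With curl, the request built by authorized_request corresponds to passing -H "Authorization: <token>" with the bare token, without the b'...' wrapper.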