Validate indexed secret

rob · February 13, 2024, 10:30am

Hello,

I try to use indexed secret. But it doesn’t work. I get the response message: wrong otp pin. This is my test script where I create a indexed secret, trigger a challenge and then try to validate the token.

Do have anyone a clue for me, why this doesn’t work?

    PRIVACYIDEA_URL = "localhost"
    username = "test"

    response = requests.post(
        f"{PRIVACYIDEA_URL}/token/init",
        headers=headers,
        data={
            "type": "indexedsecret",
            "user": username,
        },
    )

    data = response.json()

    serial = data["detail"]["serial"]
    value = data["detail"]["otpkey"]["value"]
    indexes_str = value.replace("seed://", "")

    response = requests.get(
        "{PRIVACYIDEA_URL}/validate/triggerchallenge",
        headers=headers,
        data= {
            "user": username,
            "serial": serial,
        },
    )

    positions = []
    if result := response.json():
        status = result["result"]["status"]
        if status:
            print(result["detail"]["attributes"]["random_positions"])
            positions = result["detail"]["attributes"]["random_positions"]

    index = list(indexes_str)

    token = ""
    for position in positions:
        p = position - 1
        token += f"{index[p]}"

    print(token)

    response = requests.post(
        "{PRIVACYIDEA_URL}/validate/check",
        headers=headers,
        data={
            "pass": token,
            "serial": serial,
            "user": username,
        },
    )

    print(response.json())

nilsbehlen · February 13, 2024, 2:54pm

hi,
you need to send the transactionid you get from the first request with the second so privacyidea knows which challenge you are referencing

rob · February 13, 2024, 3:54pm

Thank you very much!