15.2.1.2.1. 4 Eyes Token

class privacyidea.lib.tokens.foureyestoken.FourEyesTokenClass(db_token)[source]

The FourEyes token can be used to implement the Two Man Rule. The FourEyes token defines how many tokens of which realms are required like:

  • 2 tokens of RealmA

  • 1 token of RealmB

Then users (the owners of those tokens) need to login by everyone entering their OTP PIN and OTP value. It does not matter, in which order they enter the values. All their PINs and OTPs are concatenated into one password field but need to be separated by the splitting sign.

The FourEyes token again splits the password value and tries to authenticate each of the these passwords in the realms using the function check_realm_pass.

The FourEyes token itself does not provide an OTP PIN.

The token is initialized using additional parameters at token/init:

Example Authentication Request:

POST /auth HTTP/1.1
Host: example.com
Accept: application/json

type=4eyes
user=cornelius
realm=realm1
4eyes=realm1:2,realm2:1
separator=%20
Parameters

db_token (database token object) – the token

authenticate(passw, user=None, options=None)[source]

do the authentication on base of password / otp and user and options, the request parameters.

Here we contact the other privacyIDEA server to validate the OtpVal.

Parameters
  • passw – the password / otp

  • user – the requesting user

  • options – the additional request parameters

Returns

tuple of (success, otp_count - 0 or -1, reply)

check_challenge_response(user=None, passw=None, options=None)[source]

This method verifies if the given response is the PIN + OTP of one of the remaining tokens. In case of success it then returns 1

Parameters
  • user (User object) – the requesting user

  • passw (string) – the password: PIN + OTP

  • options (dict) – additional arguments from the request, which could be token specific. Usually “transaction_id”

Returns

return 1 if the answer to the challenge is correct, -1 otherwise.

Return type

int

static convert_realms(realms)[source]

This function converts the realms as given by the API parameter to a dictionary:

"realm1:2,realm2:1" -> {"realm1":2,
                        "realm2":1}
Parameters

realms (str) – a serialized list of realms

Returns

dict of realms

Return type

dict

create_challenge(transactionid=None, options=None)[source]

This method creates a challenge, which is submitted to the user. The submitted challenge will be preserved in the challenge database.

If no transaction id is given, the system will create a transaction id and return it, so that the response can refer to this transaction.

Parameters
  • transactionid – the id of this challenge

  • options (dict) – the request context parameters / data

Returns

tuple of (bool, message, transactionid, reply_dict)

Return type

tuple

The return tuple builds up like this: bool if submit was successful; message which is displayed in the JSON response; additional challenge reply_dict, which are displayed in the JSON challenges response.

static get_class_info(key=None, ret='all')[source]

returns a subtree of the token definition

Parameters
  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found

Returns

subsection if key exists or user defined

Return type

dict or scalar

static get_class_prefix()[source]

return the token type prefix

static get_class_type()[source]

return the class type identifier

has_further_challenge(options=None)[source]

Check if there are still more tokens to be authenticated :param options: Options dict :return: True, if further challenge is required.

is_challenge_request(passw, user=None, options=None)[source]

The 4eyes token can act as a challenge response token.

Either
  • if the first passw given is the PIN of the 4eyes token or

  • if the first passw given is the complete PIN+OTP from one of the admintokens.

Parameters
  • passw (str) – password, which might be pin or pin+otp

  • user (User object) – The user from the authentication request

  • options (dict) – dictionary of additional request parameters

Returns

true or false

Return type

bool

static realms_dict_to_string(realms)[source]

This function converts the realms - if it is a dictionary - to a string:

{"realm1": {"selected": True,
            "count": 1 },
 "realm2": {"selected": True,
            "count": 2}}
                            -> "realm1:1,realm2:2"
Parameters

realms (dict) – the realms as they are passed from the WebUI

Returns

realms

Return type

str

update(param)[source]

This method is called during the initialization process. :param param: parameters from the token init :type param: dict :return: None