SPass Token

class privacyidea.lib.tokens.spasstoken.SpassTokenClass(db_token)[source]

This is a simple pass token. It does have no OTP component. The OTP checking will always succeed. Of course, an OTP PIN can be used.

authenticate(passw, user=None, options=None)[source]

in case of a wrong passw, we return a bad matching pin, so the result will be an invalid token

check_otp(otpval, counter=None, window=None, options=None)[source]

As we have no otp value we always return true. (counter == 0)

static get_class_info(key=None, ret='all')[source]

returns a subtree of the token definition Is used by lib.token.get_token_info

  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found


subsection if key exists or user defined

Return type


static get_class_prefix()[source]
static get_class_type()[source]
static is_challenge_request(passw, user, options=None)[source]

The spass token does not support challenge response :param passw: :param user: :param options: :return:

static is_challenge_response(passw, user, options=None, challenges=None)[source]

This method checks, if this is a request, that is the response to a previously sent challenge.

The default behaviour to check if this is the response to a previous challenge is simply by checking if the request contains a parameter state or transactionid i.e. checking if the options parameter contains a key state or transactionid.

This method does not try to verify the response itself! It only determines, if this is a response for a challenge or not. The response is verified in check_challenge_response.

  • passw (string) – password, which might be pin or pin+otp

  • user (User object) – the requesting user

  • options (dict) – dictionary of additional request parameters


true or false

Return type



Update the token object


param – a dictionary with different params like keysize, description, genkey, otpkey, pin


param: dict