OCRA Token

The OCRA token provides the base OCRA functionality. Usually it is created by importing a CSV or PSKC file.

This code is tested in tests/test_lib_tokens_tiqr.

Implementation

class privacyidea.lib.tokens.ocratoken.OcraTokenClass(db_token)

The OCRA Token Implementation

Create a new OCRA Token object from a database object


Parameters

db_token (DB object) – instance of the ORM DB object

check_otp(otpval, counter=None, window=None, options=None)

This function is invoked by TokenClass.check_challenge_response and checks if the given password matches the expected response for the given challenge.

Parameters

  • otpval – the password (pin + otp)

  • counter – ignored

  • window – ignored

  • options – dictionary that must contain “challenge”

Returns

>=0 if the challenge matches, -1 otherwise

create_challenge(transactionid=None, options=None)

This method creates a challenge, which is submitted to the user. The submitted challenge will be preserved in the challenge database.

If no transaction id is given, the system will create a transaction id and return it, so that the response can refer to this transaction.

Parameters

  • transactionid – the id of this challenge

  • options (dict) – the request context parameters / data

Returns

tuple of (bool, message, transactionid, reply_dict)

Return type


The return tuple is built up like this: bool, which tells if the submit was successful; message, which is displayed in the JSON response; the additional challenge reply_dict, which is displayed in the JSON challenges response.

static get_class_info(key=None, ret='all')

Returns a subtree of the token definition.

Parameters

  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found

Returns

subsection if key exists or user defined

Return type

dict or scalar

static get_class_prefix()

Return the prefix that is used for the serial numbers.

Returns

OCRA

Return type

basestring

static get_class_type()

Returns the internal token type identifier.

Returns

ocra

Return type

basestring

static get_import_csv(l)

Read the list from a CSV file and return a dictionary that can be used to do a token_init.

Parameters

l (list) – The list of the line of a csv file

Returns

A dictionary of init params

is_challenge_request(passw, user=None, options=None)

Check if the request would start a challenge. In fact, every request that is not a response needs to start a challenge request.

At the moment we do not think of other ways to trigger a challenge.

This function is not decorated with


as the OCRA token is always a challenge response token!

Parameters

  • passw – The PIN of the token.

  • options – dictionary of additional request parameters

Returns

returns true or false


This method is called during the initialization process.


Parameters

param (dict) – parameters from the token init



verify_response(passw=None, challenge=None)

This method verifies if the passw is the valid OCRA response to the challenge. In case of success we return a value > 0.

Parameters

passw (string) – the password (pin+otp)

Returns

the otp_counter. If -1, the challenge does not match

Return type
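
The following added example, which is not privacyIDEA's own code, computes an RFC 6287 OCRA response for a challenge and checks a submitted value against it, returning 1 on a match and -1 otherwise, in line with the success and failure values documented for check_otp and verify_response. The suite OCRA-1:HOTP-SHA1-6:QN08, the helper names and the key (the RFC 6287 test key) are assumptions, and the PIN is assumed to have been stripped from passw already.

```python
import hashlib
import hmac

# Assumptions (not from the page): suite, helper names and the constructed key.
SUITE = "OCRA-1:HOTP-SHA1-6:QN08"   # numeric challenge, up to 8 digits, 6-digit response
DIGITS = 6
RFC_KEY = b"12345678901234567890"   # RFC 6287 test key, used here as sample input


def ocra_response(key: bytes, challenge: str) -> str:
    """Compute the RFC 6287 response for SUITE (no counter, PIN hash, session or time)."""
    if not (challenge.isascii() and challenge.isdigit()) or len(challenge) > 8:
        raise ValueError("challenge must be 1 to 8 decimal digits")
    # QN encoding: decimal value as a hex string, right-padded with zeros to 128 bytes.
    q = bytes.fromhex(format(int(challenge), "x").ljust(256, "0"))
    data_input = SUITE.encode("ascii") + b"\x00" + q
    mac = hmac.new(key, data_input, hashlib.sha1).digest()
    # Dynamic truncation as in HOTP (RFC 4226).
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def check_response(key: bytes, otp: str, challenge: str) -> int:
    """Hypothetical check: 1 if otp answers the challenge, -1 otherwise."""
    try:
        expected = ocra_response(key, challenge)
    except ValueError:
        return -1
    # Constant-time comparison so timing does not leak matching digits.
    if hmac.compare_digest(otp.encode("utf-8"), expected.encode("ascii")):
        return 1
    return -1


if __name__ == "__main__":
    print(check_response(RFC_KEY, ocra_response(RFC_KEY, "00000000"), "00000000"))  # match
    print(check_response(RFC_KEY, "000000", "11111111"))  # wrong value for this challenge
```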