14.2.1.2.1. 4 Eyes Token
class privacyidea.lib.tokens.foureyestoken.FourEyesTokenClass(db_token)

    The FourEyes token can be used to implement the Two Man Rule. The FourEyes token defines how many tokens of which realms are required, for example:

    * 2 tokens of RealmA
    * 1 token of RealmB

    The users (the owners of those tokens) then need to log in together, each entering their OTP PIN and OTP value. It does not matter in which order they enter the values. All their PINs and OTPs are concatenated into one password field, separated by the splitting sign (the separator).

    The FourEyes token splits the password value at that separator and tries to authenticate each of the resulting passwords in the configured realms using the function check_realm_pass. The FourEyes token itself does not provide an OTP PIN.

    The token is initialized using additional parameters at token/init:

    Example token/init request:

        POST /token/init HTTP/1.1
        Host: example.com
        Accept: application/json

        type=4eyes
        user=cornelius
        realm=realm1
        4eyes=realm1:2,realm2:1
        separator=%20

    The separator is passed URL-encoded; %20 is a single space, so in this example the users' PIN+OTP values are separated by spaces. Choose a separator that cannot occur inside a PIN or OTP value, otherwise the split will produce wrong parts.
authenticate(passw, user=None, options=None)

    Do the authentication based on the password / OTP, the user and the options (the request parameters).

    For the FourEyes token the password is split at the configured separator and each part is checked against the configured realms with check_realm_pass; the authentication succeeds only when every realm has reached its required number of tokens.

    Parameters:
    - passw – the password / otp
    - user – the requesting user
    - options – the additional request parameters

    Returns: tuple of (success, otp_count - 0 or -1, reply)
static convert_realms(realms)

    This function converts the realms as given by the API parameter to a dictionary:

        realm1:2,realm2:1 -> {"realm1": 2, "realm2": 1}

    Parameters: realms (basestring) – a serialized list of realms
    Returns: dict of realms
static get_class_info(key=None, ret='all')

    Returns a subtree of the token definition.

    Parameters:
    - key (string) – subsection identifier
    - ret (user defined) – default return value, if nothing is found

    Returns: subsection if key exists or user defined
    Return type: dict or scalar
static realms_dict_to_string(realms)

    This function converts the realms - if they are given as a dictionary, as passed from the WebUI - to a string:

        {"realm1": {"selected": True, "count": 1},
         "realm2": {"selected": True, "count": 2}} -> realm1:1,realm2:2

    Parameters: realms (dict) – the realms as they are passed from the WebUI
    Returns: realms
    Return type: basestring
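The realm-parameter conversions and the two-man-rule check described above, as an added stand-alone example (not privacyIDEA's own code): convert_realms and realms_dict_to_string follow the conversions documented for the class, and four_eyes_authenticate models what authenticate() does with the concatenated password. The CREDENTIALS store, the check_realm_pass stand-in that replaces the privacyIDEA library function of that name, and all realm names, users, PINs and OTP values are constructed for this example.

```python
# Added example, not privacyIDEA's own code: a stand-alone model of the
# FourEyes token's realm-parameter handling and of the "two man rule" check
# that authenticate() performs. CREDENTIALS and the check_realm_pass()
# stand-in are constructed for this example and replace the privacyIDEA
# library function of that name; realm names, users, PINs and OTPs are made up.
from collections import Counter


def convert_realms(realms):
    """Serialized API parameter -> dict: 'realm1:2,realm2:1' -> {'realm1': 2, 'realm2': 1}."""
    result = {}
    for entry in realms.split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, sep, count = entry.partition(":")
        if not sep or not name.strip() or not count.strip().isdigit():
            # Reject malformed input rather than silently enrolling a token
            # whose requirements nobody can verify.
            raise ValueError("malformed realm entry: %r" % entry)
        result[name.strip()] = int(count)
    return result


def realms_dict_to_string(realms):
    """WebUI dict -> serialized string; realms not marked 'selected' are dropped."""
    if not isinstance(realms, dict):
        return realms
    return ",".join("%s:%d" % (name, spec["count"])
                    for name, spec in realms.items() if spec.get("selected"))


# Constructed credential store: realm -> {PIN+OTP: token owner}. Each value
# is the one valid PIN+OTP string its owner could enter right now.
CREDENTIALS = {
    "realm1": {"1234111111": "alice", "5678222222": "bob"},
    "realm2": {"9999333333": "carol"},
}


def check_realm_pass(realm, password, used):
    """Stand-in for the privacyIDEA check_realm_pass: return the owner of the
    token in `realm` that accepts `password`, or None. A token already counted
    in this request is refused, mirroring the fact that a consumed OTP cannot
    be replayed against the real token."""
    owner = CREDENTIALS.get(realm, {}).get(password)
    if owner is None or (realm, owner) in used:
        return None
    return owner


def four_eyes_authenticate(passw, required, separator=" "):
    """Model of FourEyesTokenClass.authenticate(): split the concatenated
    password at `separator`, match each part against the required realms in
    any order, and succeed only when every realm has reached its count.
    Returns (success, otp_count, reply); otp_count is 0 on success, else -1."""
    found = Counter()
    used = set()
    for part in passw.split(separator):
        if not part:
            continue
        for realm in required:
            owner = check_realm_pass(realm, part, used)
            if owner is not None:
                used.add((realm, owner))
                found[realm] += 1
                break
        else:
            # A part that matches no unused token fails the whole request.
            return False, -1, {"message": "unknown or reused credential"}
    missing = {realm: count - found[realm]
               for realm, count in required.items() if found[realm] < count}
    if missing:
        return False, -1, {"message": "required tokens missing", "missing": missing}
    return True, 0, {"message": "all required tokens authenticated"}


if __name__ == "__main__":
    required = convert_realms("realm1:2,realm2:1")
    # Three different owners, entered in arbitrary order: success.
    print(four_eyes_authenticate("9999333333 1234111111 5678222222", required))
    # One owner typing their own value twice must not count as two tokens.
    print(four_eyes_authenticate("1234111111 1234111111 9999333333", required))
```

The replay guard is the part worth noting: without it, one person entering their own PIN+OTP twice would satisfy "2 tokens of realm1" and defeat the two-man rule. In privacyIDEA the OTP counter makes a second use of the same OTP fail on its own; the model makes that property explicit by tracking which tokens the request has already consumed.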