4 Eyes Token

class privacyidea.lib.tokens.foureyestoken.FourEyesTokenClass(db_token)[source]

The FourEyes token can be used to implement the Two Man Rule. The FourEyes token defines how many tokens of which realms are required like: * 2 tokens of RealmA * 1 token of RealmB

Then users (the owners of those tokens) need to login by everyone entering their OTP PIN and OTP value. It does not matter, in which order they enter the values. All their PINs and OTPs are concatenated into one password field but need to be separated by the splitting sign.

The FourEyes token again splits the password value and tries to authenticate each of the these passwords in the realms using the function check_realm_pass.

The FourEyes token itself does not provide an OTP PIN.

The token is initialized using additional parameters at token/init:

Example Authentication Request:

POST /auth HTTP/1.1
Host: example.com
Accept: application/json

authenticate(passw, user=None, options=None)[source]

do the authentication on base of password / otp and user and options, the request parameters.

Here we contact the other privacyIDEA server to validate the OtpVal.

  • passw – the password / otp
  • user – the requesting user
  • options – the additional request parameters

tuple of (success, otp_count - 0 or -1, reply)

static convert_realms(realms)[source]

This function converts the realms as given by the API parameter to a dictionary.

realm1:2,realm2:1 -> {“realm1”:2,
Parameters:realms (basestring) – a serialized list of realms
Returns:dict of realms
static get_class_info(key=None, ret='all')[source]

returns a subtree of the token definition

  • key (string) – subsection identifier
  • ret (user defined) – default return value, if nothing is found

subsection if key exists or user defined

Return type:

dict or scalar

static get_class_prefix()[source]

return the token type prefix

static get_class_type()[source]

return the class type identifier

static realms_dict_to_string(realms)[source]

This function converts the realms - if it is a dictionary - to a string.

{“realm1”: {“selected”: True,
“count”: 1 },
“realm2”: {“selected”: True,
“count”: 2} -> realm1:1,realm2:2
Parameters:realms (dict) – the realms as they are passed from the WebUI
Return type:basestring

This method is called during the initialization process. :param param: parameters from the token init :type param: dict :return: None