OCRA Token

The OCRA token is the base OCRA functionality. Usually it is created by importing a CSV or PSKC file.

This code is tested in tests/test_lib_tokens_tiqr. Implementation

class privacyidea.lib.tokens.ocratoken.OcraTokenClass(db_token)[source]

The OCRA Token Implementation

check_otp(otpval, counter=None, window=None, options=None)[source]

This function is invoked by TokenClass.check_challenge_response and checks if the given password matches the expected response for the given challenge.

  • otpval – the password (pin + otp)
  • counter – ignored
  • window – ignored
  • options – dictionary that must contain “challenge”

>=0 if the challenge matches, -1 otherwise

create_challenge(transactionid=None, options=None)[source]

This method creates a challenge, which is submitted to the user. The submitted challenge will be preserved in the challenge database.

If no transaction id is given, the system will create a transaction id and return it, so that the response can refer to this transaction.

  • transactionid – the id of this challenge
  • options (dict) – the request context parameters / data

tuple of (bool, message, transactionid, attributes)

Return type:


The return tuple builds up like this: bool if submit was successful; message which is displayed in the JSON response; additional attributes, which are displayed in the JSON response.

static get_class_info(key=None, ret='all')[source]

returns a subtree of the token definition

  • key (string) – subsection identifier
  • ret (user defined) – default return value, if nothing is found

subsection if key exists or user defined

Return type:

dict or scalar

static get_class_prefix()[source]

Return the prefix, that is used as a prefix for the serial numbers. :return: OCRA :rtype: basestring

static get_class_type()[source]

Returns the internal token type identifier :return: ocra :rtype: basestring

is_challenge_request(passw, user=None, options=None)[source]

check, if the request would start a challenge In fact every Request that is not a response needs to start a challenge request.

At the moment we do not think of other ways to trigger a challenge.

This function is not decorated with

as the OCRA token is always a challenge response token!

  • passw – The PIN of the token.
  • options – dictionary of additional request parameters

returns true or false


This method is called during the initialization process.

Parameters:param (dict) – parameters from the token init
verify_response(passw=None, challenge=None)[source]

This method verifies if the passw is the valid OCRA response to the challenge. In case of success we return a value > 0

Parameters:passw (string) – the password (pin+otp)
Returns:return otp_counter. If -1, challenge does not match
Return type:int