16.2.1.2.10. Push Token
class privacyidea.lib.tokens.pushtoken.PushTokenClass(db_token)
The PUSH token uses the Firebase service to send challenges to the user's smartphone. The user confirms on the smartphone, signs the challenge and sends it back to privacyIDEA.
The enrollment occurs in two steps:
# Step 1
The device is enrolled using a QR code that looks like this:
otpauth://pipush/PIPU0006EF85?url=https://yourprivacyideaserver/enroll/this/token&ttl=120
# Step 2
The QR code contains a URL to which the smartphone sends the remaining enrollment data:
- POST https://yourprivacyideaserver/ttype/push
- enrollment_credential=<some credential>
- serial=<token serial>
- fbtoken=<firebase token>
- pubkey=<public key>
For more information see https://github.com/privacyidea/privacyidea/issues/1342 and https://github.com/privacyidea/privacyidea/wiki/concept%3A-PushToken
classmethod api_endpoint(request, g)
This provides a function which is called by the API endpoint /ttype/push, which is defined in api/ttype.py.
The method returns: return "json", {}
This endpoint is used for the 2nd enrollment step of the smartphone. Parameters sent:
- serial
- fbtoken
- pubkey
This endpoint is also used if the smartphone sends the signed response to the challenge during authentication. Parameters sent:
- serial
- nonce (which is the challenge)
- signature (which is the signed nonce)
Parameters:
- request – the Flask request
- g – the Flask global object g
Returns: dictionary
check_challenge_response(user=None, passw=None, options=None)
This function checks if the challenge for the given transaction_id was marked as answered correctly. For this we check the otp_status of the challenge with the transaction_id in the database.
We do not care about the password.
Parameters:
- user (User object) – the requesting user
- passw (string) – the password (pin+otp)
- options (dict) – additional arguments from the request, which could be token specific. Usually "transaction_id"
Returns: otp_counter. If -1, the challenge does not match
Return type: int
create_challenge(transactionid=None, options=None)
This method creates a challenge, which is submitted to the user. The submitted challenge will be preserved in the challenge database.
If no transaction id is given, the system will create a transaction id and return it, so that the response can refer to this transaction.
Parameters:
- transactionid – the id of this challenge
- options (dict) – the request context parameters / data
Returns: tuple of (bool, message, transactionid, attributes)
Return type: tuple
The return tuple builds up like this:
- bool: whether the submit was successful
- message: which is displayed in the JSON response
- additional attributes: which are displayed in the JSON response
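To make the two enrollment steps above and the challenge/response handled by api_endpoint, create_challenge and check_challenge_response concrete, here is an added Python model of the whole flow. It is not privacyIDEA's own code: the in-memory PushTokenStore, its method names and the way the enrollment credential and the QR code ttl are checked are assumptions for the illustration, and an HMAC-SHA256 keyed per token stands in for the smartphone's private key and the stored pubkey. It also shows what the server side has to reject: an expired QR code, an unknown serial, a wrong signature, an expired challenge and a replayed response.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


def build_enrollment_qr(serial, enroll_url, ttl=120):
    """Step 1: the otpauth://pipush/... URL that is rendered as a QR code."""
    return f"otpauth://pipush/{serial}?url={enroll_url}&ttl={ttl}"


def parse_enrollment_qr(uri):
    """What the smartphone app extracts from the step-1 QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "pipush":
        raise ValueError("not a pipush enrollment URL")
    query = parse_qs(parsed.query)
    return {
        "serial": parsed.path.lstrip("/"),
        "url": query["url"][0],
        "ttl": int(query.get("ttl", ["120"])[0]),
    }


def phone_sign(signing_key, nonce):
    """Stand-in for the smartphone signing the nonce with its private key.
    Assumption for this illustration: HMAC-SHA256 with a per-token key
    instead of the asymmetric key pair (pubkey) the real token uses."""
    return hmac.new(signing_key, nonce.encode(), hashlib.sha256).hexdigest()


class PushTokenStore:
    """Hypothetical in-memory model of the server-side state (not privacyIDEA code)."""

    def __init__(self, challenge_validity=120):
        self.challenge_validity = challenge_validity  # seconds a challenge stays answerable
        self.pending = {}     # serial -> (enrollment_credential, expiry) after step 1
        self.tokens = {}      # serial -> {"fbtoken": ..., "verify_key": ...} after step 2
        self.challenges = {}  # transaction_id -> challenge record (the challenge database)

    def begin_enrollment(self, serial, enroll_url, now, ttl=120):
        """Step 1: issue the QR code and an enrollment credential bound to its ttl."""
        credential = secrets.token_hex(16)
        self.pending[serial] = (credential, now + ttl)
        return build_enrollment_qr(serial, enroll_url, ttl), credential

    def finish_enrollment(self, serial, enrollment_credential, fbtoken, verify_key, now):
        """Step 2: POST /ttype/push with enrollment_credential, serial, fbtoken, pubkey."""
        entry = self.pending.get(serial)
        if entry is None or now > entry[1]:
            return False  # unknown serial or the QR code ttl has elapsed
        if not hmac.compare_digest(entry[0].encode(), enrollment_credential.encode()):
            return False  # credential does not match the one issued in step 1
        del self.pending[serial]
        self.tokens[serial] = {"fbtoken": fbtoken, "verify_key": verify_key}
        return True

    def create_challenge(self, serial, now, transaction_id=None):
        """Returns (bool, message, transaction_id, attributes) like create_challenge()."""
        if serial not in self.tokens:
            return False, "token not enrolled", None, {}
        tid = transaction_id or secrets.token_hex(10)
        nonce = secrets.token_hex(16)
        self.challenges[tid] = {"serial": serial, "nonce": nonce, "otp_status": False,
                                "expires": now + self.challenge_validity}
        # the real server now pushes serial and nonce to the phone via Firebase
        return True, "Please confirm the login on your smartphone", tid, {"nonce": nonce}

    def receive_response(self, serial, nonce, signature, now):
        """/ttype/push during authentication: serial, nonce and the signed nonce."""
        record = next((r for r in self.challenges.values()
                       if r["serial"] == serial
                       and hmac.compare_digest(r["nonce"].encode(), nonce.encode())), None)
        if record is None:
            return False  # no open challenge with this serial and nonce
        if record["otp_status"] or now > record["expires"]:
            return False  # already answered (replay) or expired
        expected = phone_sign(self.tokens[serial]["verify_key"], nonce)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return False  # signature does not verify against the enrolled key
        record["otp_status"] = True  # mark as answered; the password is not involved
        return True

    def check_challenge_response(self, transaction_id):
        """Returns an otp counter when the challenge was answered, -1 otherwise."""
        record = self.challenges.get(transaction_id)
        if record is None or not record["otp_status"]:
            return -1
        return 1
```

The point to take from the model is that the authentication response is never trusted on its own: it is matched to a stored challenge, checked for expiry and single use, verified against the key enrolled in step 2, and only then does check_challenge_response report success for the transaction_id.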
static get_class_info(key=None, ret='all')
Returns all or a subtree of the token definition.
Parameters:
- key (str) – subsection identifier
- ret (user defined) – default return value, if nothing is found
Returns: subsection if key exists, or the user defined default
Return type: see above
get_init_detail(params=None, user=None)
This returns the init details during enrollment.
In the 1st step the QR code is returned.
is_challenge_request(passw, user=None, options=None)
Check if the request would start a challenge.
We need to define the function again to get rid of the is_challenge_request decorator of the base class.
Parameters:
- passw – password, which might be pin or pin+otp
- options – dictionary of additional request parameters
Returns: true or false
update(param, reset_failcount=True)
Process the initialization parameters.
We need to distinguish the first step from the second step.
- 1st step: the parameters type and genkey are contained.
- 2nd step: the parameters serial, fbtoken and pubkey are contained.
Parameters: param (dict) – dict of initialization parameters
Returns: nothing