Login Parameters

The handler expects the token with key token.

Configuration Parameters

type

Name of the authenticaton class, must be OneTimePassword

salt

To hide the plain tokens from database admins, the datapool key is the salted and hashed token. This defines the used salt and is the only mandatory parameter for the handler.

role, optional

Set a fixed role for this login handler, if not set the role must be passed in the datapool item.

namespace, optional

The string used as namespace to lookup the datapool items, the default is sys.auth.otp.

permanent, optional

If set to a true value, the OTP is not purged after the login was successful.

Datapool Item

Realm and token expiration is controlled via the properties of the datapool item, the user, role and token type are read from the value held in the datapool. The value must be a (serialized) hash.

user

The username to use

role

The role to set, only effective if the handler has not set a role.

...

The remaining hash is set as userinfo.

Example Configuration

Create a stack with type password and a single input field.

  stack:
    OTP:
      label: OneTimePassword
      handler: OneTimePassword
      type: passwd
      param:
        label: I18N_OPENXPKI_UI_OTP_LOGIN_LABEL
        description: I18N_OPENXPKI_UI_OTP_LOGIN_DESC
        button: I18N_OPENXPKI_UI_OTP_LOGIN_BUTTON
        field:
            - name: token
            label: I18N_OPENXPKI_UI_LOGIN_TOKEN
            type: password
  handler:
    OneTimePassword:
      type: OneTimePassword
      salt: openxpki
      role: User