Name

OpenXPKI::Server::Authentication::OneTimePassword

Description

Provides an authentication handler for One Time Passwords based on datapool items.

Login Parameters

The handler expects the token with key token.

Configuration Parameters

type: Name of the authenticaton class, must be OneTimePassword
salt: To hide the plain tokens from database admins, the datapool key is the salted and hashed token. This defines the used salt and is the only mandatory parameter for the handler.
role, optional: Set a fixed role for this login handler, if not set the role must be passed in the datapool item.
namespace, optional: The string used as namespace to lookup the datapool items, the default is sys.auth.otp.
permanent, optional: If set to a true value, the OTP is not purged after the login was successful.

Datapool Item

Realm and token expiration is controlled via the properties of the datapool item, the user, role and token type are read from the value held in the datapool. The value must be a (serialized) hash.

user: The username to use
role: The role to set, only effective if the handler has not set a role.
...: The remaining hash is set as userinfo.

Example Configuration

Create a stack with type password and a single input field.

  stack:
    OTP:
      label: OneTimePassword
      handler: OneTimePassword
      type: passwd
      param:
        label: I18N_OPENXPKI_UI_OTP_LOGIN_LABEL
        description: I18N_OPENXPKI_UI_OTP_LOGIN_DESC
        button: I18N_OPENXPKI_UI_OTP_LOGIN_BUTTON
        field:
            - name: token
            label: I18N_OPENXPKI_UI_LOGIN_TOKEN
            type: password

  handler:
    OneTimePassword:
      type: OneTimePassword
      salt: openxpki
      role: User