AuCore by NetIQ

Terms

Endpoint

The appliance provide user’s authentication in different places, ex. Microsoft Windows, Apple MacOS X or other custom applications and systems. The final destination of user’s authentication is endpoint. The endpoint could be a physical workstation or an application.

Endpoint session

Endpoint should create endpoint session on the server to start working. The endpoint session has a lifetime, after this, the endpoint session will be deleted and the session will need to be renewed. All users can work with one endpoint session on one endpoint.

Event

The endpoints are combined in the events, the event is a logical separation for the endpoints. The Windows logon and Mac OS logon are different events, each event could had some set of the endpoints, and endpoints are Mac or Windows workstations.

Authentication Method

These are the specific authentication methods that are supported by the framework. Examples are SMS, OTP, or Smartphone authentication methods. In order to use a method, it needs to be connected to a chain. A method without a chain cannot be used to authenticate.

Name	Key	Description
LDAP password	LDAP_PASSWORD:1	Authentication by LDAP password, system uses different LDAP users repository
One-time password based on hash algorithm	HOTP:1	Authentication by OTP with hash algorithm
One-time password based on time algorithm	TOTP:1	Authentication by OTP with time based algorithm
One-time password sending by e-mail	EMAIL_OTP:1	Authentication by OTP sending by e-mail
One time password sending by SMS	SMS_OTP:1	Authentication by OTP sending by SMS
RADIUS password	RADIUS:1	Authentication by RADIUS server
Security question	SECQUEST:1	Authentication by security question
Smartphone authentication	SMARTPHONE:1	Authentication by smartphone application
Virtual password	PASSWORD:1	Authentication by password assign to user
Voice call	VOICE:1	Authentication by voice call
Cards	CARD:1	Authentication by cards
FIDO U2F	U2F:1	Authentication by FIDO U2F tokens
Emergency password	EMERG_PASSWORD:1	Authentication by emergency password
PKI	PKI:1	Authentication by PKI

Chain

The authentication framework works with chains. These consist of one or more authentication methods and are used to connect to events. For example, LDAP password and an OTP. With this chain, you must first enter your password. Then you will enter a One-Time-Password retrieved from a token.

User templates

The user’s templates contain authentication information associated with users. Each template is linked to a user and to an authentication method. When users try to logon using a specific authentication method, the server finds the associated user template and provide authentication. Users cannot use authentication methods without associated user templates.

Enroll

The enrollment process collects information for creating of user templates. User templates can be created by several steps with the enroll process. The enroll process is wizard to user templates. Each user can create user templates into enroll process, administrator can assign enroll process results to another users. To start enroll user should logon first.

Logon

The server provides strong user authentication by using the chain-login concept. Each chain is a challenge-response login. To get a successful authentication, the entire chain should be completed. A chain can consist of one or several authentication method(s).

Login session

After a user logon, the system creates a login session, to access protected information from the server use this session. For example, reading event data requires a login session identifier.

Howto

To begin work with Aucore Rest Api you should have:

Created endpoint (endpoint id and secret). If you don’t have it, you should create it here

To login to Aucore:

Create endpoint session. Create endpoint session
Get all chains available for user and concrete event and select chain to useGet user chains
Start logon process with selected method and event. Start logon process
Complete all method in chain:
- Call doLogon for specific method
- If doLogon returns OK: you have successfully logged into Aucore
- If doLogon returns MORE_DATA: Aucore is waiting for additional data. Use specific method description
- If doLogon returns FAILED. Your attempt is not successful. Start new logon process to try again
- If doLogon returns NEXT. Your attempt is successful. But you should call NEXT method to start with next method. After NEXT call, use doLogon again.
Use login_session_id for further work

To enroll:

Login to Aucore and take login_session_id
Start enroll process Start enroll process
Make series of doEnroll action until status doens’t equal to ‘OK’ Make one step of enroll sequence
Link you enroll process with user. Create template, fill it from enroll session and link to user

Secrets

login_session_id
endpoint_session_id
endpoint secret stored on endpoint device, passed as endpoint_secret_hash

If you know xxx_session_id you can remove session (logout user) or read /data - acts on behalf of user/endpoint.

Error reporting

Normally server respond with HTTP status 200 and JSON body (as described in corresponding service). In case of error, HTTP status may be 40x, 50x. Response body will be JSON structured as follows.

All you need is ‘description’ of first error. Ignore other fields.

{
    "status": "error",
    "errors":
     [
         {
             "location":"client",
             "name":"Forbidden",
             "msgid": "AUCORE-1066",
             "description":"Login session not found"
         }
     ]
}

Special HTTP errors

HTTP 433 - endpoint session not found or expired. It is possible to get this error in the middle of logon process. You may start new endpoint session, resend do_logon request and continue.

HTTP 434 - logon session not found or expired. Re-logon.

HTTP 400 - wrong data (missed fields etc.) or method protocol violation e.g. voice method already did phone call and wait for PIN code, but you ask it to call user again. Fix your data and retry.

HTTP 500 - serious error, usually not possible to retry. Start your operation from the beginning (open new logon process, etc.)

Read HTTP error description, it may help debug.

Localization

It’s possible to choose a locale for server messages and warnings. Server detects a locale for request by the next properties ordered by priority:

HTTP parameter LOCALE for GET or DELETE requests.
JSON attribute LOCALE for POST, PUT and PATCH methods::
LOCALE cookie
Accept-Language HTTP header

Request (application/json)

{
      "login_session_id": "789",
      "method_id": "HOTP:1",
      "_LOCALE_": "ru-RU"
  }

Supported locale formats

Language with territory:

en_US, nl_NL
Language with territory:

ru-RU, fr-FR
Language only:

ru, nl, fr

Message ID

Server issues an additional Message ID which can be used for message customization:

{
    "chains": [],
    "completed_methods": [],
    "current_method": "PASSWORD:1",
    "logon_process_id": "Ww323YxvYv6IVj3J3EaLNlkVM2aoHfLa",
    "msgid": "AUCORE-1008",
    "msg": "Process started",
    "status": "MORE_DATA"
}

NOTE: Do not use msgid for result status checking, use status with reason instead.

Endpoints ¶

Endpoint session management

Register new endpoint ¶

Register new endpoint
POST`/api/v1/endpoints/{32}}`

Grab secret and remember it inside endpoint (secure registry storage, root-only accessible file etc.) You will use the secret in ‘endpoint_sessions’ service. TODO: add link to endpoint sessions resource

Example URI

POST /api/v1/endpoints/{32}}

Request Not trusted endpoint

HideShow

Body

{
  "name": "nam.new.endpoint",
  "typ": 3,
  "desc": "New NAM endpoint",
  "tenant_name": "BMW_GROUP"
}

Response 200

HideShow

Body

{
  "secret": "cctdgkMc4pyKw0jAduP5CetGtaGKniPL",
  "id": "76d1d94607da11e69bae080027983191"
}

Request Trusted endpoint

HideShow

Body

{
    "name":"nam.new.trusted.endpoint",
    "typ":3,
    "desc":"New trusted NAM endpoint2",
    "is_trusted":true,
    "tenant_name": "BMW_GROUP",
    "auth_data": {

                "method_id": "PASSWORD:1",
                "user_name": "LOCAL\admin",
                "password": "password"
             }
}

Response 200

HideShow

Body

{
  "secret": "cJd8UjfftveHW4JXrphTupMDACoF06xZ",
  "id": "72fe734607db11e69bae080027983191"
}

Read endpoint information ¶

Read endpoint information
GET`/api/v1/endpoints/{32}}`

Example URI

GET /api/v1/endpoints/{32}}

URI Parameters

HideShow

endpoint_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint

Response 200

HideShow

Body

{
  "name": "nam.new.trusted.endpoint3",
  "typ": 3,
  "desc": "New trusted NAM endpoint",
  "is_enabled": true,
  "id": "d5f5881e07df11e69bae080027983191",
  "is_trusted": true
}

Response 404

HideShow

Body

{
  "errors": [
    {
      "location": "server",
      "name": "AuError",
      "msgid": "AUCORE-1022",
      "description": "Endpoint not found"
    }
  ],
  "status": "error"
}

Destroy endpoint ¶

Destroy endpoint
DELETE`/api/v1/endpoints/{32}}`

Untrusted endpoint can be destroyed by user who knows endpoint secret(auth_data check skipped). Otherwise user must be provide auth_data. This method requires JSON body, not all web clients/proxy servers support body for HTTP DELETE method

Example URI

DELETE /api/v1/endpoints/{32}}

URI Parameters

HideShow

endpoint_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint

Request

HideShow

Body

{
    "auth_data": {

                    "method_id": "PASSWORD:1",
                    "user_name": "LOCAL\admin",
                    "password": "admin"
                 },
    "secret": "M2QjVLgxVKOYrpVtYKafsGtKrBRx1aTU"
}

Response 200

HideShow

Body

null

Update endpoint information ¶

Update endpoint information
PATCH`/api/v1/endpoints/{32}}`

Field auth_data is required to update endpoint

If you omit a field, it will not be changed.

Example URI

PATCH /api/v1/endpoints/{32}}

URI Parameters

HideShow

endpoint_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint

Request Change endpoint description

HideShow

Body

{
    "desc":"New cool description",
    "auth_data": {

                    "method_id": "PASSWORD:1",
                    "user_name": "LOCAL\admin",
                    "password": "admin"
                 }
}

Response 200

HideShow

Body

null

Endpoint sessions ¶

Endpoint session management. Does not require login/endpoint session. Instead, it requires endpoint secret.

Session lifetime (TTL): expire on inactivity 60 min, max lifetime 10080 min. It may change without notice. Please handle 434/433 HTTP codes to re-open session on-the fly and re-send request.

Create the session from endpoint and returns it's ID ¶

Create the session from endpoint and returns it's ID
POST`/api/v1/endpoints/{32}}/sessions/{32}}`

Client machine knows in advance endpoint_secret and id. It sends it to server, in hashed+salted form. Server validates and returns endpoint_session_id or HTTP error.

endpoint_secret_hash calculation in python::

def get_endpoint_secret_hash(endpoint, salt):
        # Calculates endpoint secret hash as SHA256(endpoint.secret, SHA256(endpoint.id_hex + salt))
        # salt is random string of length >= 1

        salted_endpoint_id = (endpoint.id_hex + salt).encode('utf-8')
        endpoint_id_hash = sha256(salted_endpoint_id).hexdigest()
        salted_enpoint_secret = (endpoint.secret + endpoint_id_hash).encode('utf-8')

        return sha256(salted_enpoint_secret).hexdigest()

Example URI

POST /api/v1/endpoints/{32}}/sessions/{32}}

URI Parameters

HideShow

endpoint_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint

Request Successful create session

HideShow

Body

{
  "salt": "i_am_salt",
  "endpoint_secret_hash": "d8065693d119fd3d3b0ea54b31d0bf66cc6b56879de302c94cf0e464fef67124",
  "session_data": {
    "any": {
      "data": [
        "you",
        "want to store",
        "in session"
      ]
    }
  }
}

Response 200

HideShow

Body

{
  "endpoint_session_id": "0TbKHn9MsZKJYhfQ0FZ0W2y0RHVwxTOY"
}

Request Create session with incorrect credentials

HideShow

Body

{
    "salt": "i_am_salt",
    "endpoint_secret_hash": "d8065693d119fd3d3b0ea54b31d0bf66cc6b56879de302c94cf0e464fef67127",
    //incorrect secret hash
    "session_data": {"any": { "data": ["you", "want to store", "in session"] } }
}

Response 403

HideShow

Body

{
  "errors": [
    {
      "location": "server",
      "name": "AuError",
      "msgid": "AUCORE-1065",
      "description": "Wrong credentials (endpoint secret)"
    }
  ],
  "status": "error"
}

Read information about endpoint session: ¶

Read information about endpoint session:
GET`/api/v1/endpoints/{endpoint_id}/sessions/{endpoint_session_id}?salt={salt}&endpoint_secret_hash={endpoint_secret_hash}`

Example URI

GET /api/v1/endpoints/f1be127607dc11e69bae080027983191/sessions/f1be127607dc11e69bae080027983191?salt=i_am_salt&endpoint_secret_hash=7a68b11d3e409c09ba1545f5500273defb3c27127250029f00ac65097978fcf6

URI Parameters

HideShow

endpoint_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint
endpoint_session_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint
salt: string (required) Example: i_am_salt
Client generated salt. This salt is used in secret hash generated algorithm.
endpoint_secret_hash: string (required) Example: 7a68b11d3e409c09ba1545f5500273defb3c27127250029f00ac65097978fcf6
Endpoint secret hash

Response 200

HideShow

Body

{
  "endpoint_id": "377ac5fe07e011e69bae080027983191",
  "session_data": {
    "any": {
      "data": [
        "you",
        "want to store",
        "in session"
      ]
    }
  },
  "sid": "daTpDaWAd5BP0QzBNcIulLuFYCJ32Aak"
}

Destroys the endpoint session: ¶

Destroys the endpoint session:
DELETE`/api/v1/endpoints/{endpoint_id}/sessions/{endpoint_session_id}?salt={salt}&endpoint_secret_hash={endpoint_secret_hash}`

Example URI

DELETE /api/v1/endpoints/f1be127607dc11e69bae080027983191/sessions/f1be127607dc11e69bae080027983191?salt=i_am_salt&endpoint_secret_hash=7a68b11d3e409c09ba1545f5500273defb3c27127250029f00ac65097978fcf6

URI Parameters

HideShow

endpoint_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint
endpoint_session_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint
salt: string (required) Example: i_am_salt
Client generated salt. This salt is used in secret hash generated algorithm.
endpoint_secret_hash: string (required) Example: 7a68b11d3e409c09ba1545f5500273defb3c27127250029f00ac65097978fcf6
Endpoint secret hash

Response 200

HideShow

Body

null

Logon ¶

Implements logon process. Requires endpoint_session_id. Add it to all requests.

Start login process, grab login_process_id
Series of do_logon calls. Client software sends ‘response’ to server; server replies with ‘challenge’
Received status=‘OK’ or ‘FAILED’ is the end of the process.

OK - logon is complete, login session has been created. FAILED - logon failed, logon process is destroyed
HTTP error 400 or 500 does not destroy the process, it is possible to continue it.
Special HTTP error 434 is returned in case when login session not found or expired

Simple logon

First, you create login process::

POST /api/v1/logon
{
    'method_id': 'PASSWORD:1',
    'user_name': 'REPONAME\USERNAME',
    'is_1N': True/False,  # optional, default False
    'unit_id': 'xxx',     # for 1N login
    'event': 'xxx'  # can be empty string for testing (allow any method)
}

For 1N login, you set is_1N to True and pass unit_id. For normal login, you pass user_name. Return::

{ 'chains': [],
  'completed_methods': [],
  'current_method': 'PASSWORD:1',
  'logon_process_id': 'Ww323YxvYv6IVj3J3EaLNlkVM2aoHfLa',
  'msg': 'Process started',
  'status': 'MORE_DATA'
}

Grab logon_process_id and perform series of do_logon calls while getting status ‘MORE_DATA’::

POST /api/v1/logon/Ww323YxvYv6IVj3J3EaLNlkVM2aoHfLa/do_logon
{
    'response': 'method-specific dictionary, maybe omitted if method does not requires data on 1st do_login'
}
Return
{
    # method-specific data such as
    'challenge': {'rounds': 100, 'salt': 'cdf123Dx'},
    'status': 'MORE_DATA'
}


POST /api/v1/logon/Ww323YxvYv6IVj3J3EaLNlkVM2aoHfLa/do_logon
{
    'response': {'answer' : 'my-password' # method-specific dict in 'response' field
                                          # this is 'response' to 'challenge' which server sent in previous do_logon
}

At some iteration, you get either status=OK or FAILED. ‘OK’ gives you also information about logged user::

{ 'chains': [],
  'completed_methods': ['PASSWORD:1'],
  'login_session_id': 'YTxTmMW6RPv051RmeCiyBn7txzE0JoM2',
  'msg': 'Welcome!',
  'repo_id': '703f7c641beb11e48c69000c294fde0e',
  'user_id': '7044631e1beb11e48c69000c294fde0e',
  'user_name': 'LOCAL\user1',
  'event_name': 'Windows logon',
  'event_data_id': 'OSLogon'
  'status': 'OK'
}

# example of FAILED method

{ 'msg': 'Wrong password',
  'status': 'FAILED'}

Grab login_session_id, you will pass it to other services. 1-N logon does not know user name before login starts, and now it knows.

Chained logon

Depending of event and endpoint_session_id (trusted/untrusted endpoint) you receive list of chains.

Chain defines:

list of methods user must login to, one-by-one.
After login, you can access data of the event by using ‘user_data’ service.

‘NEXT’ status says that current method is complete (OK) and user must start next method. What method to start is up to user (or client UI) - it depends on what chain user wants to complete.

Chained logon example::

# optional - read chains
# GET  /api/v1/logon/chains?event=windows_logon&is_trusted=true

# decide what chain to complete and...

# 1. start 1st method

POST /api/v1/logon
{ 'method_id': 'SUPER_OTP:1', 'user_name': 'BMW\director', 'event': 'windows_logon' }
Return
{ 'chains':
        [
            # same list of chains as you GET from /api/v1/logon/chains?event=windows_logon
        ],
  'completed_methods': [],
  'current_method': 'SUPER_OTP:1',
  'logon_process_id': 'abc345',
  'msg': 'Process started',
  'status': 'MORE_DATA'
}
# Grab login_process_id (abc345) and...

# 2. call do_logon

POST /api/v1/logon/abc345/do_logon
{ 'response': 'some_secret' }
returns
{ 'status': 'MORE_DATA', 'current_method': 'SUPER_OTP:1', 'completed_methods': [] }

# 3. continue 1st method (it is 2-phase method)

POST /api/v1/logon/abc345/do_logon
{ response: 'second_secret' }
returns
{ status: 'NEXT', 'completed_methods': ['SUPER_OTP:1'] }

Status=NEXT means ‘SUPER_OTP’ is OK, completed_methods has method name. You start next method by POSTing to same process::

# 4. start next method

POST /api/v1/logon/abc345/next
{ 'method_id': 'LDAP_PASSWORD:1' } # user_name will be same as before
                                   # you may pass unit_id and is_1N=true,
                                   # it will work - but unit_id must be owned by same user
returns
{ status: 'MORE_DATA', 'current_method': 'LDAP_PASSWORD:1', 'completed_methods': ['SUPER_OTP:1']}

# 5. call do_logon, as usual

POST /api/v1/logon/abc345/do_logon
{ 'response': 'Password1' }
returns
{
    'status': 'OK',
    'completed_methods': ['SUPER_OTP:1', 'LDAP_PASSWORD:1'],
    'login_session_id': 'YTxTmMW6RPv051RmeCiyBn7txzE0JoM2',
    'msg': 'Welcome!',
    'repo_id': '703f7c641beb11e48c69000c294fde0e',
    'user_id': '7044631e1beb11e48c69000c294fde0e',
    'user_name': 'BMW\director',
    'event_name': 'Windows logon',
    'event_data_id': 'OSLogon'
}

# The chain is complete! Grab login_session_id!

OK, grab login_session_id and user info.

Chained logon - wrong password in the middle

Consider a chain has 3 methods, user completed 2 of them but provided wrong credentials for 3rd method. In that case:

Result is NEXT (not FAILED because it means end of the process)
completed_methods still contains 2 methods
Re-start method by POSTing as usual to /api/v1/logon/abc345/next

Create logon process: ¶

Create logon process:
POST`/api/v1/logon`

First, you create login process For 1N login, you set is_1N to True and pass unit_id. For normal login, you pass user_name. Then use doLogon method to proceed.

Example URI

POST /api/v1/logon

Request Simple logon

HideShow

Body

{
    "method_id": "PASSWORD:1",
    "user_name": "LOCAL\USER1",
    "event": "NAM",
    "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u"
}

Response 200

HideShow

Body

{
  "completed_methods": [],
  "chains": [
    {
      "name": "Authenticators Management - Password",
      "position": 1,
      "id_hex": "3c927b4a061e11e6b224080027983191",
      "apply_for_ep_owner": false,
      "required_chain_id_hex": null,
      "methods": [
        "PASSWORD:1"
      ],
      "short_name": "",
      "image_name": "PASSWORD_1.png",
      "is_trusted": null,
      "is_enabled": true,
      "grace_period": null
    }
  ],
  "plugins": [],
  "event_name": "NAM",
  "logon_process_id": "TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS",
  "event_data_id": "OSLogon",
  "status": "MORE_DATA",
  "msgid": "AUCORE-1008",
  "current_method": "PASSWORD:1",
  "msg": "Process started",
  "reason": "PROCESS_STARTED"
}

Request 1:N authentication

HideShow

Body

{
        "method_id": "PASSWORD:1",
        "event": "NAM",
        "is_1N":true,
        "unit_id":"test",
        "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
    }

Response 200

HideShow

Body

{ 'chains': [],
  'completed_methods': [],
  'current_method': 'PASSWORD:1',
  'logon_process_id': 'Ww323YxvYv6IVj3J3EaLNlkVM2aoHfLa',
  'msg': 'Process started',
  'status': 'MORE_DATA'
}

Common Do logon: ¶

Common Do logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

Grab logon_process_id and perform series of do_logon calls while getting status ‘MORE_DATA’

doLogon response can contain status with OK, FAILED, MORE_DATA, NEXT

OK - you are successfully logged to event

FAILED - unsuccessful response for logon

NEXT - current method is done, service is waiting for next method. To start next method use next method bellow. Then call do_logon, as usual.

MORE_DATA - service is waiting for data

At some iteration, you get either status=OK or FAILED.

‘OK’ gives you also information about logged user. Grab login_session_id, you will pass it to other services.

Details about data and steps for specific methods read here

Example URI

POST /api/v1/logon/TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS
ID of the logon process

Request Simple virtual password doLogon

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {
    "answer": "my-password"
  }
}

Response 200

HideShow

Body

{
  "user_id": "4f34e2882991440ddd0fd515e0d0236c",
  "completed_methods": [
    "PASSWORD:1"
  ],
  "repo_id": "3c9c1fd8061e11e6b224080027983191",
  "status": "OK",
  "repo_obj_id": "3caa08a0061e11e6b224080027983191",
  "event_data_id": "",
  "logon_process_id": "jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9",
  "user_name": "LOCAL\ADMIN",
  "login_session_id": "TmPxkC98vF4FGhDvqedjXItbmGjVJYTD",
  "plugins": [],
  "event_name": "",
  "chains": [
    {
      "name": "TEST CHAIN",
      "position": 1000,
      "id_hex": null,
      "apply_for_ep_owner": false,
      "required_chain_id_hex": null,
      "methods": [
        "ANY"
      ],
      "short_name": "",
      "image_name": "ANY.png",
      "is_trusted": null,
      "is_enabled": true,
      "grace_period": null
    }
  ],
  "current_method": "PASSWORD:1",
  "msgid": "AUCORE-2001",
  "msg": "Welcome!",
  "data_id": ""
}

Request Simple incorrect virtual password doLogon

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {
    "answer": "my-incorrect-password"
  }
}

Response 200

HideShow

Body

{
  "completed_methods": [],
  "chains": [
    {
      "name": "TEST CHAIN",
      "position": 1000,
      "id_hex": null,
      "apply_for_ep_owner": false,
      "required_chain_id_hex": null,
      "methods": [
        "ANY"
      ],
      "short_name": "",
      "image_name": "ANY.png",
      "is_trusted": null,
      "is_enabled": true,
      "grace_period": null
    }
  ],
  "plugins": [],
  "event_name": "",
  "logon_process_id": "TaEXATdeJmyzhYlEKDwBKCUqzMW0YdtT",
  "event_data_id": "",
  "status": "FAILED",
  "msgid": "AUCORE-2007",
  "current_method": "PASSWORD:1",
  "msg": "Wrong password",
  "reason": "PASSWORD_WRONG"
}

Continue logon for multiple step logon ¶

Continue logon for multiple step logon
POST`/api/v1/logon/{logon_process_id}/next`

For example: after successful PASSWORD:1 logon

Example URI

POST /api/v1/logon/TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS/next

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS
ID of the logon process

Request

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "method_id": "HOTP:1"
}

Response 200

HideShow

Body

{
  "event_name": "",
  "completed_methods": [
    "PASSWORD:1"
  ],
  "msg": "Process started",
  "chains": [
    {
      "required_chain_id_hex": null,
      "short_name": "",
      "position": 0,
      "apply_for_ep_owner": false,
      "id_hex": "e5c25e240a2411e68f20080027983191",
      "methods": [
        "PASSWORD:1",
        "HOTP:1"
      ],
      "is_enabled": true,
      "is_trusted": null,
      "grace_period": null,
      "name": "test",
      "image_name": "default"
    }
  ],
  "current_method": "HOTP:1",
  "plugins": [],
  "msgid": "AUCORE-1008",
  "reason": "PROCESS_STARTED",
  "status": "MORE_DATA",
  "event_data_id": "",
  "logon_process_id": "TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS"
}

Read available chains: ¶

Read available chains:
GET`/api/v1/logon/chains?user_name={user_name}&is_trusted={is_trusted}&event={event}&endpoint_session_id={endpoint_session_id}`

is_trusted can be 1, 0, “True”, “False” or missed(False)

If you omit ‘is_trusted’ in your query, service does not filter and returns both trusted and untrusted chains.

If you omit ‘user_name’, service does not filter and returns all chains configured given event/is_trusted.

If you provide ‘user_name’ of user that isn’t yet registered in aucore (such as new LDAP user), service returns only chains made of methods not requiring enroll.

“user_is_locked” returned if you specify user_name, use it to immediately show error and not ask user creds / chain selection

Example URI

GET /api/v1/logon/chains?user_name=LOCAL\USER1&is_trusted=1&event=NAM&endpoint_session_id=f1be127607dc11e69bae080027983191

URI Parameters

HideShow

is_trusted: boolean (required) Example: 1
Show only trusted chains or not (1, 0, “True”, “False”)
user_name: string (required) Example: LOCAL\USER1
username
event: string (required) Example: NAM
event’s name
endpoint_session_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint

Response 200

HideShow

Body

{
  "chains": [
    {
      "name": "Admin Password",
      "position": 0,
      "id_hex": "3c8c306e061e11e6b224080027983191",
      "apply_for_ep_owner": false,
      "required_chain_id_hex": null,
      "methods": [
        "PASSWORD:1"
      ],
      "short_name": "",
      "image_name": "PASSWORD_1.png",
      "is_trusted": null,
      "is_enabled": true,
      "grace_period": null
    },
    {
      "name": "Authenticators Management - Password",
      "position": 2,
      "id_hex": "3c927b4a061e11e6b224080027983191",
      "apply_for_ep_owner": false,
      "required_chain_id_hex": null,
      "methods": [
        "PASSWORD:1"
      ],
      "short_name": "",
      "image_name": "PASSWORD_1.png",
      "is_trusted": null,
      "is_enabled": true,
      "grace_period": null
    }
  ],
  "user_is_locked": false
}

Destroy logon process: ¶

Destroy logon process:
DELETE`/api/v1/logon/{logon_process_id}?endpoint_session_id={endpoint_session_id}`

Example URI

DELETE /api/v1/logon/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX?endpoint_session_id=f1be127607dc11e69bae080027983191

URI Parameters

HideShow

logon_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the logon process
endpoint_session_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint

Login sessions ¶

Manage login sessions. Requires endpoint_session_id

Session lifetime (TTL): expire on inactivity 20 min, max lifetime 1440 min. It may change without notice. Please handle 434/433 HTTP codes to re-open session on-the fly and re-send request.

Read information about login session: ¶

Read information about login session:
GET`/api/v1/logon/sessions/{login_session_id}?endpoint_session_id={endpoint_session_id}`

Example URI

GET /api/v1/logon/sessions/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX?endpoint_session_id=f1be127607dc11e69bae080027983191

URI Parameters

HideShow

login_session_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the login session
endpoint_session_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint session

Response 200

HideShow

Body

{
    "user_id": "4f34e2882991440ddd0fd515e0d0236c",
    "user_name": "LOCAL\ADMIN",
    "sid": "GKWrJUBaeBA20KHzHAcmzihNrOgdXooh",
    "repo_id": "3c9c1fd8061e11e6b224080027983191",
    "repo_obj_id": "3caa08a0061e11e6b224080027983191",
    "event_name": "",
    "data_id": ""
}

Delete login session: ¶

Delete login session:
DELETE`/api/v1/logon/sessions/{login_session_id}?endpoint_session_id={endpoint_session_id}`

Example URI

DELETE /api/v1/logon/sessions/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX?endpoint_session_id=f1be127607dc11e69bae080027983191

URI Parameters

HideShow

login_session_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the login session
endpoint_session_id: 32 symbol id (required) Example: f1be127607dc11e69bae080027983191
ID of the endpoint session

Enroll ¶

The service for creation authentication template (enroll). Requires login_session_id. Any user may start enroll process.

When process is finished, you create template from process result by using ‘user_template’ service. Until that, process result lives at the server for some time. Admin may assign process result to any user. User may assign process result to himself. It is possible that user1 created the process, tell enroll_process_id to user2 and he assigns it to himself.

Enroll procedure:

Start enroll process, grab enroll_process_id
Series of do_enroll calls. Client software sends ‘response’ to server until it replies ‘OK’ or ‘FAILED’
POST/PUT enroll_process_id and user_id to ‘user_templates’ service.

Start enroll process: ¶

Start enroll process:
POST`/api/v1/enroll`

Returns enroll_process_id. Use it in do_enroll method.

Example URI

POST /api/v1/enroll

Request

HideShow

Body

{
    "method_id": "HOTP:1",
    //login method to create authentication template for
    "login_session_id":"B3XBHzwAHuPfHwMHfSjf3eVdV3glCa0o"
}

Response 200

HideShow

Body

{
  "enroll_process_id": "JfgSCsAr89tR3tu92mKV3MWy4LWSmroU"
}

Common Do enroll: ¶

Common Do enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

Grab enroll_process_id and perform series of do_enroll calls while getting status ‘MORE_DATA’

When you get ‘status’=‘OK’, enroll process is finished. Now you want to create template from process result and link it to a user. POST/PUT enroll_process_id and user_id to ‘user_templates’ service. It will create authentication template and destroy waiting enroll process. User will become template owner.

Details about data and steps for specific methods read here

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Correct request

HideShow

Body

{
  "login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
  "response": {
    "secret": "0000000000000100",
    "counter": 10
  }
}

Response 200

HideShow

Body

{
  "reason": "",
  "method_id": "HOTP:1",
  "status": "OK",
  "msg": ""
}

Request Incorrect request

HideShow

Body

{
    "login_session_id":"rBT79CAz8AWh1o920OrHumx32iaToCU9",
    "response":{
            "password":"0000000000000100",
            }
}

Response 200

HideShow

Body

{
  "status": "FAILED",
  "msgid": "AUCORE-3028",
  "reason": "",
  "msg": "Secret and counter required"
}

Destroy pending/waiting process: ¶

Destroy pending/waiting process:
DELETE`/api/v1/enroll/{enroll_process_id}?login_session_id={login_session_id}`

Example URI

DELETE /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX?login_session_id=LRvql8GD946V7ryN8fesWBLhN1I7dpEe

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process
login_session_id: string (required) Example: LRvql8GD946V7ryN8fesWBLhN1I7dpEe
ID of the login session

Policies ¶

Read object policies. Requires logged_session_id.

No writes. Setting policies is the task of admin UI.

Policies are defined for component. “Component policies” is dictionary of values. Value is any json-serializable object, maybe nested dict::

{ "component_id": { "policy1": value, "policy2": value } }

Service returns effective policies. Effective is default component policies overridden by object-specific policies.

Read effective policies of user : ¶

Read effective policies of user :
GET`/api/v1/users/{user_id}/effective_policy?login_session_id={login_session_id}`

Example URI

GET /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/effective_policy?login_session_id=JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user
login_session_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the login session

Response 200

HideShow

Body

{
  "policy": {
    "LoginOptions": {
      "component_id": "LoginOptions",
      "data": {
        "default_repos": [
          "LOCAL"
        ],
        "nondefault_repos": []
      }
    },
    "HelpdeskOptions": {
      "component_id": "HelpdeskOptions",
      "data": {
        "require_user_credentials": false
      }
    }
  }
}

Read info about specific component of effective user policy ¶

Read info about specific component of effective user policy
GET`/api/v1/users/{user_id}/effective_policy/{component}?login_session_id={login_session_id}`

Example URI

GET /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/effective_policy/TOTPMethod?login_session_id=JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user
login_session_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the login session
component: string (required) Example: TOTPMethod
Component name

Response 200

HideShow

Body

{
  "policy": {
    "component_id": "TOTPMethod",
    "data": {
      "otp_window": 4,
      "otp_format": "dec6",
      "otp_period": 30,
      "use_key_uri_format_qr": false
    }
  }
}

Read effective policies of endpoint : ¶

Read effective policies of endpoint :
GET`/api/v1/endpoints/{endpoint_id}/effective_policy?endpoint_session_id={endpoint_session_id}`

Note: return default policies(not effective)

Example URI

GET /api/v1/endpoints/4f34e2882991440ddd0fd515e0d0236c/effective_policy?endpoint_session_id=JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX

URI Parameters

HideShow

endpoint_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the endpoint
endpoint_session_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the endpoint session

Response 200

HideShow

Body

{
  "policy": {
    "LoginOptions": {
      "component_id": "LoginOptions",
      "data": {
        "default_repos": [
          "LOCAL"
        ],
        "nondefault_repos": []
      }
    },
    "HelpdeskOptions": {
      "component_id": "HelpdeskOptions",
      "data": {
        "require_user_credentials": false
      }
    }
  }
}

Read info about specific component of endpoint effective policy ¶

Read info about specific component of endpoint effective policy
GET`/api/v1/endpoints/{endpoint_id}/effective_policy/{component}?endpoint_session_id={endpoint_session_id}`

Note: return default policies(not effective)

Example URI

GET /api/v1/endpoints/4f34e2882991440ddd0fd515e0d0236c/effective_policy/TOTPMethod?endpoint_session_id=JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX

URI Parameters

HideShow

endpoint_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the endpoint
endpoint_session_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the endpoint session
component: string (required) Example: TOTPMethod
Component name

Response 200

HideShow

Body

{
  "policy": {
    "component_id": "TOTPMethod",
    "data": {
      "otp_window": 4,
      "otp_format": "dec6",
      "otp_period": 30,
      "use_key_uri_format_qr": false
    }
  }
}

User data ¶

Access to data of the user.

Requires logged_session_id of user or admin.

Data is defined for events. You may access data only of the event you are logged in. The event defines accessible data_id. Several events may share data_id. By default data_id = Event.name.upper().

Data permissions

Restricted records - admin and user can read, but only admin can write (restricted write)
Sensitive records - admin and user can write, but only user can read (restricted read)

Read all records of OSLogon data: ¶

Read all records of OSLogon data:
GET`/api/v1/users/{user_id}/data/OSLogon?login_session_id={login_session_id}`

Read data. Data consists of records. You may read all records or specific one. Add login_session_id as query-string parameter.

Example URI

GET /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/data/OSLogon?login_session_id=rBT79CAz8AWh1o920OrHumx32iaToCU9

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user
login_session_id: string (required) Example: rBT79CAz8AWh1o920OrHumx32iaToCU9
ID of the login session id

Response 200

HideShow

Body

{
  "data": {
    "field3": {
      "inner": "dict",
      "is": {
        "possible": "at",
        "any": "level"
      }
    },
    "field1": "new_value"
  }
}

Delete all records of OSLogon data: ¶

Delete all records of OSLogon data:
DELETE`/api/v1/users/{user_id}/data/OSLogon?login_session_id={login_session_id}`

Example URI

DELETE /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/data/OSLogon?login_session_id=rBT79CAz8AWh1o920OrHumx32iaToCU9

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user
login_session_id: string (required) Example: rBT79CAz8AWh1o920OrHumx32iaToCU9
ID of the login session id

Response 200

HideShow

Body

null

Delete password record only:: ¶

Delete password record only::
DELETE`/api/v1/users/{user_id}/data/OSLogon/password?login_session_id={login_session_id}`

Example URI

DELETE /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/data/OSLogon/password?login_session_id=rBT79CAz8AWh1o920OrHumx32iaToCU9

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user
login_session_id: string (required) Example: rBT79CAz8AWh1o920OrHumx32iaToCU9
ID of the login session id

Response 200

HideShow

Body

null

Modify data: ¶

Modify data:
PATCH`/api/v1/users/{user_id}/data/OSLogon`

Create/modify record field1 for OSLogon data::

Example URI

PATCH /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/data/OSLogon

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user

Request Update field

HideShow

Body

{
  "login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
  "data": {
    "field1": "a value"
  }
}

Response 200

HideShow

Body

null

Request Update many fields

HideShow

Body

{
  "login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
  "data": {
    "field1": "new_value",
    "field2": null,
    "field3": {
      "inner": "dict",
      "is": {
        "possible": "at",
        "any": "level"
      }
    }
  }
}

Response 200

HideShow

Body

null

Request Modifications/additions are recursive and process sub-records

HideShow

Body

{
  "login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
  "data": {
    "field3": {
      "sub-record": "is added"
    }
  }
}

Response 200

HideShow

Body

null

User templates ¶

Access to user’s authentication templates. Requires logged_session_id of user or admin.

List of user's linked templates: ¶

List of user's linked templates:
GET`/api/v1/users/{user_id}/templates?login_session_id={login_session_id}`

Example URI

GET /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/templates?login_session_id=JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user
login_session_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the login session

Response 200

HideShow

Body

{
  "templates": [
    {
      "id": "3cb97b50061e11e6b224080027983191",
      "method_id": "PASSWORD:1",
      "method_title": "Password",
      "is_enrolled": true,
      "comment": ""
    },
    {
      "id": "83523194b70919672b1157bc929ed67a",
      "method_id": "CARD:1",
      "method_title": "Card",
      "is_enrolled": true,
      "comment": ""
    },
    {
      "id": "ff3f4e84203e6d7f56a0013074237071",
      "method_id": "SECQUEST:1",
      "method_title": "Security questions",
      "is_enrolled": true,
      "comment": ""
    },
    {
      "id": "5194c010d968811da4ff47f843a3245e",
      "method_id": "HOTP:1",
      "method_title": "HOTP",
      "is_enrolled": true,
      "comment": ""
    }
  ]
}

Create template, fill it from enroll session and link to user: ¶

Create template, fill it from enroll session and link to user:
POST`/api/v1/users/{user_id}/templates`

User becomes owner of created template. Existing enrolled session is destroyed (no way to create 2 templates from same enroll session).

Example URI

POST /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/templates

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user

Request

HideShow

Body

{
  "login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
  "enroll_process_id": "rlV6pSKXT4e0Ueq9hEXreL1ubkAdNYz2",
  "comment": "this is my comment"
}

Response 200

HideShow

Body

{
  "auth_t_id": "3978beae0a3f11e68f20080027983191"
}

Create template without data and link to the user: ¶

Create template without data and link to the user:
POST`/api/v1/users/{user_id}/templates`

Template should not be enrolled template and should be filled later by PUT

Example URI

POST /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/templates

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user

Request

HideShow

Body

{
    "login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
    "method_id": "EMAIL_OTP:1",
    "comment" : "this is my comment"
    //optional
    "unit_id " : "xxx"
}

Response 200

HideShow

Body

{
  "auth_t_id": "b94292c20a3f11e68f20080027983191"
}

Link existing template to user. ¶

Link existing template to user.
POST`/api/v1/users/{user_id}/templates`

Passed logged_session_id must be of admin After that operation, user may login by ‘xxx’ template owned by some other user, but user can’t change it.

Example URI

POST /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/templates

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user

Request

HideShow

Body

{
  "auth_t_id": "3cb97b50061e11e6b224080027983191",
  "login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe"
}

Response 200

HideShow

Body

{
  "auth_t_id": "3cb97b50061e11e6b224080027983191"
}

Fill auth template from enroll session and/or change comment: ¶

Fill auth template from enroll session and/or change comment:
PUT`/api/v1/users/{user_id}/templates/{auth_t_id}`

Example URI

PUT /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/templates/83523194b70919672b1157bc929ed67a

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user
auth_t_id: string (required) Example: 83523194b70919672b1157bc929ed67a
ID of the template

Request Change comment

HideShow

Body

{
  "login_session_id": "JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX",
  "comment": "my new comment"
}

Response 200

HideShow

Body

null

Request Fill auth template

HideShow

Body

{
  "login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
  "enroll_process_id": "l6ZuWroRSKCpmTEMS3ChIlzf9oyaR6NW",
  "comment": "12345"
}

Response 200

HideShow

Body

null

Unlink user and template: ¶

Unlink user and template:
DELETE`/api/v1/users/{user_id}/templates/{auth_t_id}?login_session_id={login_session_id}`

Template is deleted if logged_session_id is of template owner, otherwise - remains in db. It is possible that template become orphan in case when admin unlinks template and it is not linked with any user anymore.

Example URI

DELETE /api/v1/users/4f34e2882991440ddd0fd515e0d0236c/templates/83523194b70919672b1157bc929ed67a?login_session_id=JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX

URI Parameters

HideShow

user_id: string (required) Example: 4f34e2882991440ddd0fd515e0d0236c
ID of the user
auth_t_id: string (required) Example: 83523194b70919672b1157bc929ed67a
ID of the template
login_session_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the login session

Response 200

HideShow

Body

null

Users ¶

User lookup by given user name.

Requires logged_session_id. Logged user must be member of FULL ADMINS or ENROLL ADMINS.

User lookup by given user name: ¶

User lookup by given user name:
GET`/api/v1/users?user_name={user_name}&login_session_id={login_session_id}`

Example URI

GET /api/v1/users?user_name=LOCAL\ADMIN&login_session_id=JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX

URI Parameters

HideShow

user_name: string (required) Example: LOCAL\ADMIN
User name
login_session_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the login session

Response 200

HideShow

Body

{
      "obj_id": "3caa08a0061e11e6b224080027983191",
      "user_name": "LOCAL\ADMIN",
      "last_fail_at": null,
      "repo_id": "3c9c1fd8061e11e6b224080027983191",
      "repo_name": "LOCAL",
      "id": "4f34e2882991440ddd0fd515e0d0236c",
      "loginame": "ADMIN"
    }

Cookie and Ticket services ¶

Generate cookie value: ¶

Generate cookie value:
POST`/api/v1/cookies`

Use login_session_id to generate cookie for this session Will return json body with cookie_value and server_id also will return header with same values as cookie Server_id for single-node configuration is null.

Example URI

POST /api/v1/cookies

Request Generate cookie

HideShow

Body

{
  "login_session_id": "B3XBHzwAHuPfHwMHfSjf3eVdV3glCa0o"
}

Response 200

HideShow

Headers

Set-Cookie: 'server_id=; Max-Age=0; Path=/; expires=Wed, 31-Dec-97 23:59:59 GMT; secure; HttpOnly, cookie_value=300e82d5d1f31108cd064155728c1dda; Path=/; secure; HttpOnly'

Body

{
  "server_id": null,
  "cookie_value": "300e82d5d1f31108cd064155728c1dda"
}

Verify cookie value: ¶

Verify cookie value:
GET`/api/v1/cookies/{cookie_value}?server_id={server_id}`

Use cookie value and server_id from cookie-generation method. Will return logon session if cookie is valid. If you send server_id from other server to current server then current server will redirect request to first server.

Example URI

GET /api/v1/cookies/a23as...34ff?server_id=a23as...34ff

URI Parameters

HideShow

cookie_value: hex string (optional) Example: a23as...34ff
Cookie value
server_id: hex string (optional) Example: a23as...34ff
Server id

Response 200

HideShow

Body

{
    "user_id": "4f34e2882991440ddd0fd515e0d0236c",
    "user_name": "LOCAL\ADMIN",
    "sid": "GKWrJUBaeBA20KHzHAcmzihNrOgdXooh",
    "repo_id": "3c9c1fd8061e11e6b224080027983191",
    "repo_obj_id": "3caa08a0061e11e6b224080027983191",
    "event_name": "",
    "data_id": ""
}

Generate ticket value: ¶

Generate ticket value:
GET`/api/v1/tickets?login_session_id={login_session_id}&target_endpoint_id={target_endpoint_id}&target_endpoint_name={target_endpoint_name}`

Use login_session_id to generate ticket for this session To encrypt session data server need target endpoint secret so to generate ticket provide target_endpoint_id or target_endpoint_name It returns json body with encrypted ‘login_session_data’. Data is encrypted by AES with 32 bytes length key by CBC. Key is equal to target endpoint secret. Use it to decrypt data

Example URI

GET /api/v1/tickets?login_session_id=B3XBHzwAHuPfHwMHfSjf3eVdV3glCa0o&target_endpoint_id=a23as...34ff&target_endpoint_name=endpoint name

URI Parameters

HideShow

target_endpoint_id: hex string (optional) Example: a23as...34ff
Endpoint id
target_endpoint_name: string (optional) Example: endpoint name
Endpoint name
login_session_id: string (required) Example: B3XBHzwAHuPfHwMHfSjf3eVdV3glCa0o
Login session id

Response 200

HideShow

Body

{
  "login_session_data": "296e9f9d8c19d7f9f....2a674855e3f574cb9e272bf68"
}

Chain image ¶

Provides chain images. This API is not restricted by endpoint/logon session.

Load chain image: ¶

Load chain image:
GET`/api/v1/chain_image/`

Do not worry about image cache invalidation, possible to cache forever. When admin uploads new image of the chain, ‘chain.image_name’ changes.

Returns:

PNG file, with appropriate content-type and cache settings. You may use it in src attribute of html image.

Returns default image if image_name does not exist.

Example URI

GET /api/v1/chain_image/

URI Parameters

HideShow

image_name: `PASSWORD_1.png`: string (optional)
Image name it’s provided by logon resource

Status ¶

Read server status and version. Requires endpoint_session_id to read version.

Get server status and version: ¶

Get server status and version:
GET`/api/v1/status`

External monitors may check this URL as health indicator. Does not check that database is up and status of the license. Checks that the server is reachable and the web service is running.

Example URI

GET /api/v1/status

Response 200

HideShow

Body

{
  "status": "OK",
  "multitenancy_mode": false
  "version": "5.4"
}

Read exact server version, check license and FIPS mode state: ¶

Read exact server version, check license and FIPS mode state:
POST`/api/v1/status`

Returns HTTP code 200 only in case everything is OK. Checks the license of tenant_name (“TOP”, by default). Returns HTTP code 555 if NO_LICENSE. Returns exact version number. External monitors may check this URL as health indicator.

Example URI

POST /api/v1/status

Request

HideShow

Body

{
     "endpoint_session_id": "PefYcnXk8QnqtYxXoaZjKES4pVrLaKzI"
     "tenant_name": "TOP"  # optional
}

Response 200

HideShow

Body

{
    "status": "OK/NO_LICENSE",
    "multitenancy_mode": false
    "fips_mode": false
    "version": "5.4-108",
}

Methods ¶

Do PASSWORD:1 enroll: ¶

Do PASSWORD:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

PASSWORD:1 enroll steps:

Send request with password to do_enroll and check status

Error reasons:

PASSWORD_BAD_CONFIRMATION
PASSWORD_EMPTY
PASSWORD_UNCHANGED
PASSWORD_TOO_SHORT
PASSWORD_TOO_SIMPLE

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Correct request

HideShow

Body

{
  "login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
  "response": {
    "password": "super_password"
  }
}

Response 200

HideShow

Body

{
  "reason": "",
  "method_id": "PASSWORD:1",
  "status": "OK",
  "msg": ""
}

Do PASSWORD:1 logon: ¶

Do PASSWORD:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

PASSWORD:1 logon steps:

Send password to do_logon and check status

Error reasons:

PASSWORD_UNDEFINED
PASSWORD_WRONG
PASSWORD_EXPIRED

Example URI

POST /api/v1/logon/TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS
ID of the logon process

Request Simple virtual password doLogon

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {
    "answer": "my-password"
  }
}

Response 200

HideShow

Body

{
  "user_id": "4f34e2882991440ddd0fd515e0d0236c",
  "completed_methods": [
    "PASSWORD:1"
  ],
  "repo_id": "3c9c1fd8061e11e6b224080027983191",
  "status": "OK",
  "repo_obj_id": "3caa08a0061e11e6b224080027983191",
  "event_data_id": "",
  "logon_process_id": "jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9",
  "user_name": "LOCAL\ADMIN",
  "login_session_id": "TmPxkC98vF4FGhDvqedjXItbmGjVJYTD",
  "plugins": [],
  "event_name": "",
  "chains": [
    {
      "name": "TEST CHAIN",
      "position": 1000,
      "id_hex": null,
      "apply_for_ep_owner": false,
      "required_chain_id_hex": null,
      "methods": [
        "ANY"
      ],
      "short_name": "",
      "image_name": "ANY.png",
      "is_trusted": null,
      "is_enabled": true,
      "grace_period": null
    }
  ],
  "current_method": "PASSWORD:1",
  "msgid": "AUCORE-2001",
  "msg": "Welcome!",
  "data_id": ""
}

Do EMERG_PASSWORD:1 enroll: ¶

Do EMERG_PASSWORD:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

EMERG_PASSWORD:1 enroll steps:

Send request with password to do_enroll and check status

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Correct request

HideShow

Body

{
  "login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
  "response": {
    "password": "emerg_password"
  }
}

Response 200

HideShow

Body

{
  "reason": "",
  "method_id": "EMERG_PASSWORD:1",
  "status": "OK",
  "msg": ""
}

Do EMERG_PASSWORD:1 logon: ¶

Do EMERG_PASSWORD:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

EMERG_PASSWORD:1 logon steps:

Send password to do_logon and check status

Error reasons:

EMERG_PASSWORD_EXPIRED
EMERG_PASSWORD_INEFFECTIVE
EMERG_PASSWORD_EXHAUSTED

Example URI

POST /api/v1/logon/TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS
ID of the logon process

Request Emergency password doLogon

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {
    "answer": "my-emergency-password"
  }
}

Response 200

HideShow

Body

{
  "user_id": "4f34e2882991440ddd0fd515e0d0236c",
  "completed_methods": [
    "EMERG_PASSWORD:1"
  ],
  "repo_id": "3c9c1fd8061e11e6b224080027983191",
  "status": "OK",
  "repo_obj_id": "3caa08a0061e11e6b224080027983191",
  "event_data_id": "",
  "logon_process_id": "jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9",
  "user_name": "LOCAL\ADMIN",
  "login_session_id": "TmPxkC98vF4FGhDvqedjXItbmGjVJYTD",
  "plugins": [],
  "event_name": "",
  "chains": [
    {
      "name": "TEST CHAIN",
      "position": 1000,
      "id_hex": null,
      "apply_for_ep_owner": false,
      "required_chain_id_hex": null,
      "methods": [
        "ANY"
      ],
      "short_name": "",
      "image_name": "ANY.png",
      "is_trusted": null,
      "is_enabled": true,
      "grace_period": null
    }
  ],
  "current_method": "EMERG_PASSWORD:1",
  "msgid": "AUCORE-2001",
  "msg": "Welcome!",
  "data_id": ""
}

Do LDAP_PASSWORD:1 enroll: ¶

Do LDAP_PASSWORD:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

LDAP_PASSWORD:1 enroll steps:

Send empty request to do_enroll and check status

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request LDAP_PASSWORD:1 enroll

HideShow

Body

{
  "login_session_id": "IxJq1C5Gt6VxGeF65YjKl5R99Q70Lf9H"
}

Response 200

HideShow

Body

{
  "reason": "",
  "method_id": "LDAP_PASSWORD:1",
  "status": "OK",
  "msg": ""
}

Do LDAP_PASSWORD:1 logon: ¶

Do LDAP_PASSWORD:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

LDAP_PASSWORD:1 logon steps:

Send password to do_logon and check status

Error reasons:

LDAP_PASSWORD_UNDEFINED
LDAP_PASSWORD_WRONG
LDAP_PASSWORD_ACCOUNT_RESTRICTION
LDAP_PASSWORD_INVALID_LOGON_HOURS
LDAP_PASSWORD_INVALID_WORKSTATION
LDAP_PASSWORD_ACCOUNT_DISABLED
LDAP_PASSWORD_TOO_MANY_CONTEXT_IDS
LDAP_PASSWORD_ACCOUNT_EXPIRED
LDAP_PASSWORD_MUST_CHANGE
LDAP_PASSWORD_ACCOUNT_LOCKED_OUT

Example URI

POST /api/v1/logon/jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9
ID of the logon process

Request Simple ldap password doLogon

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {
    "answer": "my-ldap-password"
  }
}

Response 200

HideShow

Body

{
  "user_id": "4f34e2882991440ddd0fd515e0d0236c",
  "completed_methods": [
    "LDAP_PASSWORD:1"
  ],
  "repo_id": "3c9c1fd8061e11e6b224080027983191",
  "status": "OK",
  "repo_obj_id": "3caa08a0061e11e6b224080027983191",
  "event_data_id": "",
  "logon_process_id": "jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9",
  "user_name": "LOCAL\ADMIN",
  "login_session_id": "TmPxkC98vF4FGhDvqedjXItbmGjVJYTD",
  "plugins": [],
  "event_name": "",
  "chains": [
    {
      "name": "TEST CHAIN",
      "position": 1000,
      "id_hex": null,
      "apply_for_ep_owner": false,
      "required_chain_id_hex": null,
      "methods": [
        "ANY"
      ],
      "short_name": "",
      "image_name": "ANY.png",
      "is_trusted": null,
      "is_enabled": true,
      "grace_period": null
    }
  ],
  "current_method": "LDAP_PASSWORD:1",
  "msgid": "AUCORE-2001",
  "msg": "Welcome!",
  "data_id": ""
}

Do TOTP:1 enroll: ¶

Do TOTP:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

TOTP:1 enroll steps:

Send request with secret to do_enroll and check status

Error reasons:

TOTP_SCAN_QR

TOTP auth_template is shared secret and acceptance period (oath default is 30 sec)

Request fields:

secret, hex or base32 string
is_base32_secret, optional, default False
period, optional, default 30
otp_format, optional, one of [dec4, dec6, dec7, dec8]
hash, optional, one of hashlib.algorithms_guaranteed

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Correct request

HideShow

Body

{
  "login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
  "response": {
    "secret": "0000000000000100"
  }
}

Response 200

HideShow

Body

{
  "reason": "",
  "method_id": "TOTP:1",
  "status": "OK",
  "msg": ""
}

Do TOTP:1 logon: ¶

Do TOTP:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

TOTP:1 logon steps:

Send otp-password to do_logon and check status

Error reasons:

TOTP_PASSWORD_UNDEFINED
TOTP_WAIT_MINUTE
TOTP_PASSWORD_WRONG

Example URI

POST /api/v1/logon/f0fzSCkoGcCFMJTDRalx5nnsC9zEYHBQ/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: f0fzSCkoGcCFMJTDRalx5nnsC9zEYHBQ
ID of the logon process

Request Simple TOTP password doLogon

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {
    "answer": "123456"
  }
}

Response 200

HideShow

Body

{
    "event_data_id": "",
    "msgid": "AUCORE-2001",
    "logon_process_id": "f0fzSCkoGcCFMJTDRalx5nnsC9zEYHBQ",
    "login_session_id": "9QHUl8xbBNo4PUO6UXYzbHltNaMmNpSL",
    "current_method": "TOTP:1",
    "chains": [
    {
      "position": 1000,
      "short_name": "",
      "grace_period": null,
      "methods": [
        "ANY"
      ],
      "is_enabled": true,
      "name": "TEST CHAIN",
      "id_hex": null,
      "required_chain_id_hex": null,
      "is_trusted": null,
      "apply_for_ep_owner": false,
      "image_name": "ANY.png"
    }
    ],
    "repo_obj_id": "c0fd1ab20b0e11e6b224080027983191",
    "plugins": [],
    "msg": "Welcome!",
    "status": "OK",
    "user_id": "84a0a279d391de4b2fd70ea38b46d3ce",
    "data_id": "",
    "event_name": "",
    "repo_id": "c0eeb0ee0b0e11e6b224080027983191",
    "completed_methods": [
    "TOTP:1"
    ],
    "user_name": "LOCAL\ADMIN"
}

Do HOTP:1 enroll: ¶

Do HOTP:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

HOTP:1 enroll steps:

Send request with secret and counter (or 3 hotp and secret) to do_enroll and check status

Remember user device (smartphone etc.) HOTP secret and algoritm parameters

HOTP auth_template is shared secret and starting counter

Request fields:

secret, hex string, required
counter, integer, required
hash, optional, one of hashlib.algorithms_guaranteed
token_public_id, optional, Yubikey tokens can be configured to insert their public ID before OTP

hotp1, hotp2, hotp3, consecutive otp password, required
secret, hex string, required
hash, optional, one of hashlib.algorithms_guaranteed
token_public_id, optional, Yubikey tokens can be configured to insert their public ID before OTP

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Correct request with secret and counter

HideShow

Body

{
  "login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
  "response": {
    "secret": "0000000000000100",
    "counter": 10
  }
}

Response 200

HideShow

Body

{
  "reason": "",
  "method_id": "HOTP:1",
  "status": "OK",
  "msg": ""
}

Request Correct request with hotps

HideShow

Body

{
    "login_session_id":"rBT79CAz8AWh1o920OrHumx32iaToCU9",
    "response":{
           "secret": "0000000000000100",
            "hotp1": "472265",
            "hotp2": "194708"
            "hotp3": "468067"
            }
}

Response 200

HideShow

Body

{
  "reason": "",
  "method_id": "HOTP:1",
  "status": "OK",
  "msg": ""
}

Do HOTP:1 logon: ¶

Do HOTP:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

HOTP:1 logon steps:

Send otp-password to do_logon and check status

Error reasons:

HOTP_PASSWORD_WRONG
HOTP_PASSWORD_UNDEFINED

Example URI

POST /api/v1/logon/fae8kchtfY2p2t3W0OWrCS3UHu3nf6eM/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: fae8kchtfY2p2t3W0OWrCS3UHu3nf6eM
ID of the logon process

Request Simple HOTP password doLogon

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {
    "answer": "123456"
  }
}

Response 200

HideShow

Body

{
    "event_data_id": "",
    "msgid": "AUCORE-2001",
    "logon_process_id": "fae8kchtfY2p2t3W0OWrCS3UHu3nf6eM",
    "login_session_id": "iCFCUvGVK9zlDQtWa018UWKUwuNHEYcn",
    "current_method": "HOTP:1",
    "chains": [
    {
      "position": 1000,
      "short_name": "",
      "grace_period": null,
      "methods": [
        "ANY"
      ],
      "is_enabled": true,
      "name": "TEST CHAIN",
      "id_hex": null,
      "required_chain_id_hex": null,
      "is_trusted": null,
      "apply_for_ep_owner": false,
      "image_name": "ANY.png"
    }
    ],
    "repo_obj_id": "c0fd1ab20b0e11e6b224080027983191",
    "plugins": [],
    "msg": "Welcome!",
    "status": "OK",
    "user_id": "84a0a279d391de4b2fd70ea38b46d3ce",
    "data_id": "",
    "event_name": "",
    "repo_id": "c0eeb0ee0b0e11e6b224080027983191",
    "completed_methods": [
    "HOTP:1"
    ],
    "user_name": "LOCAL\ADMIN"
    }

Do SMS_OTP:1 enroll: ¶

Do SMS_OTP:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

SMS_OTP:1 enroll steps:

Send empty request to do_enroll and check status

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Correct request

HideShow

Body

{
  "login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9"
}

Response 200

HideShow

Body

{
  "reason": "",
  "method_id": "SMS_OTP:1",
  "status": "OK",
  "msg": ""
}

Do SMS_OTP:1 logon: ¶

Do SMS_OTP:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

SMS_OTP:1 logon steps:

Send empty request to do_logon to send sms
Send request with password from received sms to do_logon and check status

Error reasons:

OTP_CANNOT_SEND
OTP_TOO_MANY_SENT
OTP_WAITING_PASSWORD
OTP_NO_PASSWORD
OTP_PASSWORD_EXPIRED
OTP_WRONG_PASSWORD
OTP_TOO_MANY_REQUESTS

Example URI

POST /api/v1/logon/T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv
ID of the logon process

Request 1. Send message to user

HideShow

Body

{
  "endpoint_session_id": "eRPr3yB92MgYySHk8I8yj5twuuf3PAUa"
}

Response 200

HideShow

Body

{
  "event_name": "",
  "current_method": "SMS_OTP:1",
  "reason": "OTP_WAITING_PASSWORD",
  "msgid": "AUCORE-2012",
  "completed_methods": [],
  "logon_process_id": "T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv",
  "plugins": [],
  "status": "MORE_DATA",
  "event_data_id": "",
  "msg": "OTP password sent, please enter",
  "chains": [
    {
      "short_name": "",
      "position": 1000,
      "id_hex": null,
      "required_chain_id_hex": null,
      "is_trusted": null,
      "image_name": "ANY.png",
      "is_enabled": true,
      "methods": [
        "ANY"
      ],
      "name": "TEST CHAIN",
      "apply_for_ep_owner": false,
      "grace_period": null
    }
  ]
}

Request 2. Enter password from SMS

HideShow

Body

{
  "endpoint_session_id": "eRPr3yB92MgYySHk8I8yj5twuuf3PAUa",
  "response": {
    "answer": "246635"
  }
}

Response 200

HideShow

Body

{
    "user_id": "dfd5acc4dc8fdb8c712d8b9c8e8a10ad",
    "user_name": "LDS\Admin",
    "data_id": "",
    "event_data_id": "",
    "status": "OK",
    "msgid": "AUCORE-2001",
    "completed_methods": ["SMS_OTP:1"],
    "msg": "Welcome!",
    "repo_id": "4c8449de0c4f11e6b18c080027983191",
    "event_name": "",
    "chains": [
        {
            "short_name": "",
            "position": 1000,
            "id_hex": null,
            "required_chain_id_hex": null,
            "is_trusted": null,
            "image_name": "ANY.png",
            "is_enabled": true,
            "methods": ["ANY"],
            "name": "TEST CHAIN",
            "apply_for_ep_owner": false,
            "grace_period": null
        }
    ],
    "repo_obj_id": "11a2916c4521e14e83ad19b0165311d1",
    "user_mobile_phone": ["+12345678901"],
    "current_method": "SMS_OTP:1",
    "user_sid_hex": "0105000016ef19f498f9c6c5e52ce57b56b2314ba46e9bdd41d24e5d",
    "user_cn": "Admin",
    "logon_process_id": "T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv",
    "plugins": [],
    "user_sid": "S-1-384768500-3318151576-2078616805-1261548118-3717951140-1565446721",
    "login_session_id": "HG72YHJloobSOVuIQAobht2tSeSnvl6Z",
    "user_dn": "CN=Admin,CN=test"
}

Request 3. Enter password from SMS unsuccessfully

HideShow

Body

{
  "endpoint_session_id": "eRPr3yB92MgYySHk8I8yj5twuuf3PAUa",
  "response": {
    "answer": "795191"
  }
}

Response 200

HideShow

Body

{
  "msg": "Wrong answer. Please try again",
  "reason": "OTP_WRONG_PASSWORD",
  "current_method": "SMS_OTP:1",
  "plugins": [],
  "status": "MORE_DATA",
  "chains": [
    {
      "short_name": "",
      "id_hex": null,
      "is_enabled": true,
      "position": 1000,
      "image_name": "ANY.png",
      "methods": [
        "ANY"
      ],
      "required_chain_id_hex": null,
      "name": "TEST CHAIN",
      "grace_period": null,
      "apply_for_ep_owner": false,
      "is_trusted": null
    }
  ],
  "event_data_id": "",
  "event_name": "",
  "logon_process_id": "T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv",
  "msgid": "AUCORE-2015",
  "completed_methods": []
}

Do EMAIL_OTP:1 enroll: ¶

Do EMAIL_OTP:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

EMAIL_OTP:1 enroll steps:

Send empty request to do_enroll and check status

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Correct request

HideShow

Body

{
  "login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9"
}

Response 200

HideShow

Body

{
  "reason": "",
  "method_id": "EMAIL_OTP:1",
  "status": "OK",
  "msg": ""
}

Do EMAIL_OTP:1 logon: ¶

Do EMAIL_OTP:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

EMAIL_OTP:1 logon steps:

Send empty request to do_logon to send email
Send request with password from received email to do_logon and check status

Error reasons:

OTP_CANNOT_SEND
OTP_TOO_MANY_SENT
OTP_WAITING_PASSWORD
OTP_NO_PASSWORD
OTP_PASSWORD_EXPIRED
OTP_WRONG_PASSWORD
OTP_TOO_MANY_REQUESTS

Example URI

POST /api/v1/logon/DjCTzG4tuJdwTmdWhtkbUggbertp2d6E/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: DjCTzG4tuJdwTmdWhtkbUggbertp2d6E
ID of the logon process

Request 1. Send message to user

HideShow

Body

{
  "endpoint_session_id": "caclPKkiAOkbwUMyX6kvMlIVtOdMwgvW"
}

Response 200

HideShow

Body

{
  "event_name": "",
  "current_method": "EMAIL_OTP:1",
  "reason": "OTP_WAITING_PASSWORD",
  "msgid": "AUCORE-2012",
  "completed_methods": [],
  "logon_process_id": "DjCTzG4tuJdwTmdWhtkbUggbertp2d6E",
  "plugins": [],
  "status": "MORE_DATA",
  "event_data_id": "",
  "msg": "OTP password sent, please enter",
  "chains": [
    {
      "short_name": "",
      "position": 1000,
      "id_hex": null,
      "required_chain_id_hex": null,
      "is_trusted": null,
      "image_name": "ANY.png",
      "is_enabled": true,
      "methods": [
        "ANY"
      ],
      "name": "TEST CHAIN",
      "apply_for_ep_owner": false,
      "grace_period": null
    }
  ]
}

Request 2. Enter password from Email successfully

HideShow

Body

{
  "endpoint_session_id": "caclPKkiAOkbwUMyX6kvMlIVtOdMwgvW",
  "response": {
    "answer": "795199"
  }
}

Response 200

HideShow

Body

{
    "user_id": "470671fbf0227d268c2cc7d6b756e2c0",
    "user_name": "LDS\Admin",
    "data_id": "",
    "event_data_id": "",
    "status": "OK",
    "msgid": "AUCORE-2001",
    "completed_methods": ["EMAIL_OTP:1"],
    "msg": "Welcome!",
    "repo_id": "d65f2f4e0c4e11e6b18c080027983191",
    "event_name": "",
    "user_email": "test@localhost",
    "repo_obj_id": "11a2916c4521e14e83ad19b0165311d1",
    "current_method": "EMAIL_OTP:1",
    "user_sid_hex": "0105000016ef19f498f9c6c5e52ce57b56b2314ba46e9bdd41d24e5d",
    "chains": [
        {
            "short_name": "",
            "position": 1000,
            "id_hex": null,
            "required_chain_id_hex": null,
            "is_trusted": null,
            "image_name": "ANY.png",
            "is_enabled": true,
            "methods": ["ANY"],
            "name": "TEST CHAIN",
            "apply_for_ep_owner": false,
            "grace_period": null
        }
    ],
    "user_cn": "Admin",
    "logon_process_id": "DjCTzG4tuJdwTmdWhtkbUggbertp2d6E",
    "plugins": [],
    "user_sid": "S-1-384768500-3318151576-2078616805-1261548118-3717951140-1565446721",
    "login_session_id": "VqtNECMXwMIRDLqbOFG8pBbTbG8lfSTT",
    "user_dn": "CN=Admin,CN=test"
}

Request 3. Enter password from Email unsuccessfully

HideShow

Body

{
  "endpoint_session_id": "caclPKkiAOkbwUMyX6kvMlIVtOdMwgvW",
  "response": {
    "answer": "795191"
  }
}

Response 200

HideShow

Body

{
  "msg": "Wrong answer. Please try again",
  "reason": "OTP_WRONG_PASSWORD",
  "current_method": "EMAIL_OTP:1",
  "plugins": [],
  "status": "MORE_DATA",
  "chains": [
    {
      "short_name": "",
      "id_hex": null,
      "is_enabled": true,
      "position": 1000,
      "image_name": "ANY.png",
      "methods": [
        "ANY"
      ],
      "required_chain_id_hex": null,
      "name": "TEST CHAIN",
      "grace_period": null,
      "apply_for_ep_owner": false,
      "is_trusted": null
    }
  ],
  "event_data_id": "",
  "event_name": "",
  "logon_process_id": "DjCTzG4tuJdwTmdWhtkbUggbertp2d6E",
  "msgid": "AUCORE-2015",
  "completed_methods": []
}

Do RADIUS:1 enroll: ¶

Do RADIUS:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

RADIUS:1 enroll steps:

Send request with fields bellow to do_enroll and check status

Request fields:

user_name (optional) - send to RADIUS instead of user.user_name
send_reponame (optional) - send ‘repository_name\peter’, not just ‘peter’

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Radius enroll

HideShow

Body

{
  "login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9"
}

Response 200

HideShow

Body

{
  "reason": "",
  "method_id": "RADIUS:1",
  "status": "OK",
  "msg": ""
}

Do RADIUS:1 logon: ¶

Do RADIUS:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

RADIUS:1 logon steps:

Send password to do_logon and check status

Error reasons:

RADIUS_WRONG_PASSWORD

Example URI

POST /api/v1/logon/TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS
ID of the logon process

Request Radius password doLogon

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {
    "answer": "my-radius-password"
  }
}

Response 200

HideShow

Body

{
  "user_id": "4f34e2882991440ddd0fd515e0d0236c",
  "completed_methods": [
    "EMERG_PASSWORD:1"
  ],
  "repo_id": "3c9c1fd8061e11e6b224080027983191",
  "status": "OK",
  "repo_obj_id": "3caa08a0061e11e6b224080027983191",
  "event_data_id": "",
  "logon_process_id": "jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9",
  "user_name": "LOCAL\ADMIN",
  "login_session_id": "TmPxkC98vF4FGhDvqedjXItbmGjVJYTD",
  "plugins": [],
  "event_name": "",
  "chains": [
    {
      "name": "TEST CHAIN",
      "position": 1000,
      "id_hex": null,
      "apply_for_ep_owner": false,
      "required_chain_id_hex": null,
      "methods": [
        "ANY"
      ],
      "short_name": "",
      "image_name": "ANY.png",
      "is_trusted": null,
      "is_enabled": true,
      "grace_period": null
    }
  ],
  "current_method": "EMERG_PASSWORD:1",
  "msgid": "AUCORE-2001",
  "msg": "Welcome!",
  "data_id": ""
}

Do SECQUEST:1 enroll: ¶

Do SECQUEST:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

SECQUEST:1 enroll steps:

Send empty request to do_enroll to receive questions
Send answers to do_enroll and check status

Error reasons:

SECQUEST_WAITING_ANSWERS

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request 1. Get questions

HideShow

Body

{
  "login_session_id": "ySHjXQyPAH1dIXYeq3arbMQd7wyP3mMm"
}

Response 200

HideShow

Body

{
  "msgid": "AUCORE-2046",
  "method_id": "SECQUEST:1",
  "reason": "SECQUEST_WAITING_ANSWERS",
  "status": "MORE_DATA",
  "msg": "Waiting for answers...",
  "questions": {
    "0": "question #0",
    "1": "question #1",
    "2": "question #2",
    "3": "question #3",
    "4": "question #4",
    "5": "question #5",
    "6": "question #6",
    "7": "question #7",
    "8": "question #8",
    "9": "question #9"
  }
}

Request 2. Send answers

HideShow

Body

{
  "response": {
    "answers": {
      "0": "answer #0",
      "1": "answer #1",
      "2": "answer #2",
      "3": "answer #3",
      "4": "answer #4",
      "5": "answer #5",
      "6": "answer #6",
      "7": "answer #7",
      "8": "answer #8",
      "9": "answer #9"
    }
  },
  "login_session_id": "ySHjXQyPAH1dIXYeq3arbMQd7wyP3mMm"
}

Response 200

HideShow

Body

{
  "msg": "",
  "method_id": "SECQUEST:1",
  "reason": "",
  "status": "OK"
}

Do SECQUEST:1 logon: ¶

Do SECQUEST:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

SECQUEST:1 logon steps:

Send empty request to do_logon to receive questions
Send answers to do_logon and check status

Error reasons:

SECQUEST_WRONG_ANSWERS
SECQUEST_WAITING_ANSWERS

Example URI

POST /api/v1/logon/2rMurbLwdVVmL4MZYnaJQdh1RWV7ekDx/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: 2rMurbLwdVVmL4MZYnaJQdh1RWV7ekDx
ID of the logon process

Request 1. Get questions from service

HideShow

Body

{
  "endpoint_session_id": "peSWzJrCY3BH10TaP6nRrZiQy8ahauIt"
}

Response 200

HideShow

Body

{
  "status": "MORE_DATA",
  "plugins": [],
  "event_name": "",
  "chains": [
    {
      "apply_for_ep_owner": false,
      "is_trusted": null,
      "image_name": "ANY.png",
      "short_name": "",
      "id_hex": null,
      "position": 1000,
      "grace_period": null,
      "is_enabled": true,
      "methods": [
        "ANY"
      ],
      "required_chain_id_hex": null,
      "name": "TEST CHAIN"
    }
  ],
  "reason": "SECQUEST_WAITING_ANSWERS",
  "method_id": "SECQUEST:1",
  "questions": {
    "1": "question #1",
    "2": "question #2",
    "3": "question #3",
    "4": "question #4",
    "7": "question #7"
  },
  "msg": "Waiting for answers...",
  "event_data_id": "",
  "msgid": "AUCORE-2046",
  "completed_methods": [],
  "logon_process_id": "2rMurbLwdVVmL4MZYnaJQdh1RWV7ekDx",
  "current_method": "SECQUEST:1"
}

Request 2. Send answers

HideShow

Body

{
  "response": {
    "answers": {
      "1": "answer #1",
      "2": "answer #2",
      "3": "answer #3",
      "4": "answer #4",
      "7": "answer #7"
    }
  },
  "endpoint_session_id": "peSWzJrCY3BH10TaP6nRrZiQy8ahauIt"
}

Response 200

HideShow

Body

{
    "user_name": "LOCAL\ADMIN",
    "plugins": [],
    "logon_process_id": "2rMurbLwdVVmL4MZYnaJQdh1RWV7ekDx",
    "user_id": "bdb2b894ce176333bf70a35f1f961126",
    "msgid": "AUCORE-2001",
    "repo_obj_id": "46dfef2c0c7411e687c1080027983191",
    "status": "OK",
    "event_data_id": "",
    "event_name": "",
    "msg": "Welcome!",
    "current_method": "SECQUEST:1",
    "chains": [
        {
            "apply_for_ep_owner": false,
            "is_trusted": null,
            "image_name": "ANY.png",
            "short_name": "",
            "id_hex": null,
            "position": 1000,
            "grace_period": null,
            "is_enabled": true,
            "methods": ["ANY"],
            "required_chain_id_hex": null,
            "name": "TEST CHAIN"
        }
    ],
    "login_session_id": "doB7cTIWcAaE5tAIar6VnPPnKKf5wHdN",
    "repo_id": "46dac56a0c7411e687c1080027983191",
    "data_id": "",
    "completed_methods": ["SECQUEST:1"]
}

Do U2F:1 enroll: ¶

Do U2F:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

U2F:1 enroll steps:

Ask server for registerRequests by sending empty request to do_enroll
Forward registerRequests and signRequests to JSAPI, get registerResponse and forward to server to do_enroll
Check status of received response

Error reasons:

U2F_WAITING_REG_RESPONSE
U2F_NOT_ATTESTED

U2F AP uses camelCasing for parameters. Chrome JS-API (u2f.js) uses this scheme. You simply forward objects such as SignRequest to/from AP and JS-API.

How to build APPID from inside browser:

function getOriginFromUrl(url) {
  var re = new RegExp('^(https?://)[^/]*/?');
  var originarray = re.exec(url);
  if (originarray == null) return originarray;
  var origin = originarray[0];
  while (origin.charAt(origin.length - 1) == '/') {
    origin = origin.substring(0, origin.length - 1);
  }
  if (origin == 'http:' || origin == 'https:')
    return null;
  return origin;
}

var appId = getOriginFromUrl(window.location);

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request 1. Ask server for registerRequests

HideShow

Body

{
  "response": {
    "userName": "user1"
  },
  "login_session_id": "xTIskntGShVlNfkAUiaZUXE7BR3xToue"
}

Response 200

HideShow

Body

{
  "signRequests": [],
  "registerRequests": [
    {
      "version": "U2F_V2",
      "appId": "https://demo.yubico.com",
      "challenge": "2MSDiW84JXiIfSpUd72XebgBujs2WOA-UmuWzpyUQsk"
    }
  ],
  "method_id": "U2F:1",
  "msgid": "AUCORE-3004",
  "reason": "U2F_WAITING_REG_RESPONSE",
  "status": "MORE_DATA",
  "msg": "Waiting register response"
}

Request 2. Forward registerRequests and signRequests to JSAPI, get registerResponse and forward to server

HideShow

Body

{
  "response": {
    "registerResponse": {
      "registrationData": "BQQ_jNAqemWkTfI9uL4CVo3eQSNIMe66u-pasr8BMuu9maA764C7jDPqXMUWhw8_4tDxeUbM72VJH5fssT6F2vT5QKheRH3Tk0hCuJD94ZRHf0Nkg-JDmLOivamSUeVXvRJaBLOp7N-hhxvoxlChQ-CSzMDqrC7EZ7IqWvl7Ac3xejswggIcMIIBBqADAgECAgRyWMLqMAsGCSqGSIb3DQEBCzAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowKzEpMCcGA1UEAwwgWXViaWNvIFUyRiBFRSBTZXJpYWwgMTQ4MDMzMjE1NzgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASisDmTIlQxnUH6SFTVfKGN62nMmz5Nga45nzI-gRZDme8qlRRnPRV87L-18LzHiQhT7lXPPxogZvTVE5uTizELoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG8zBr5C3uVeBjVVaQzcWpgFqztyzEyw0EPNmFkEGwj2SqwbF0cLLaSmtQhSKoqOvOuU4k6aqFAyukyZZMVPZKqAP0Vh0sCMpRMzpDvEZjO3v6gh5Z8bIDmtQAJ5B2nnILyVpc7DA7taj3dUrZzNMD8v-bYjKdTsZJ_QzQstsewIPkoFOIRRtqta0iwkEFiX_cwR11IF-USGcQHKUBoMX65JP9nY6DzQ3XHplOD3bHUOHsCi2MqBZU-1fKOrQJpNP0w8cBQpSk_hsVTm7UiGW_FGrxrIKXfpGfCGICKDxCMfuWKIshu0HjP0pEhowAX1Ls1pie2SoK3-VEhYtkOFRLqMEUCIFnX5ZcO8ZWOKyF6R-tAse3rYdzwFBq4LZzEeXUwn6oMAiEAwNuC4mkjobmeyilaLM4twOAicm-R_x_YKzcQcXIx5cU",
      "clientData": "eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IjFNX2hrbkxka0Ixb1hySFQxWUZqSHA5NDRpT2w4N2kwd1B5UUV0MW5DYzQiLCJvcmlnaW4iOiJodHRwczovL2RlbW8ueXViaWNvLmNvbSIsImNpZF9wdWJrZXkiOiIifQ"
    }
  },
  "login_session_id": "xTIskntGShVlNfkAUiaZUXE7BR3xToue"
}

Response 200

HideShow

Body

{
  "reason": "",
  "status": "OK",
  "method_id": "U2F:1",
  "msg": "Enrollment complete",
  "msgid": "AUCORE-3001"
}

Do U2F:1 logon: ¶

Do U2F:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

U2F:1 logon steps:

Send empty request to do_logon to ask server for signRequests
Forward signRequests to JSAPI, get signResponse, send it to do_logon and check status

Error reasons:

U2F_ALL_TOKENS_COMPROMISED
U2F_NO_TOKENS
U2F_WAITING_AUTH_RESPONSE

Example URI

POST /api/v1/logon/tvV9a4UNEf71yvZDxwJQ179SJnHQndmT/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: tvV9a4UNEf71yvZDxwJQ179SJnHQndmT
ID of the logon process

Request 1. Ask server for signRequests

HideShow

Body

{
  "endpoint_session_id": "4CkX5jecFnGrv4wIoP83ADpVORjk7zqZ"
}

Response 200

HideShow

Body

{
  "logon_process_id": "tvV9a4UNEf71yvZDxwJQ179SJnHQndmT",
  "current_method": "U2F:1",
  "reason": "U2F_WAITING_AUTH_RESPONSE",
  "event_data_id": "",
  "msgid": "AUCORE-2059",
  "plugins": [],
  "signRequests": [
    {
      "appId": "https://demo.yubico.com",
      "keyHandle": "qF5EfdOTSEK4kP3hlEd_Q2SD4kOYs6K9qZJR5Ve9EloEs6ns36GHG-jGUKFD4JLMwOqsLsRnsipa-XsBzfF6Ow",
      "version": "U2F_V2",
      "challenge": "NGX54sR5bgHSSJVs7ijQaMi_vV-lz48UqWW-XTlHgX4"
    }
  ],
  "event_name": "TEST",
  "msg": "Waiting for an authentication response",
  "chains": [
    {
      "short_name": "",
      "required_chain_id_hex": null,
      "position": 0,
      "is_enabled": true,
      "methods": [
        "U2F:1"
      ],
      "image_name": "U2F_1.png",
      "grace_period": null,
      "name": "Test-chain",
      "id_hex": "42b312980c8911e69140080027983191",
      "apply_for_ep_owner": false,
      "is_trusted": null
    }
  ],
  "completed_methods": [],
  "status": "MORE_DATA"
}

Request 2. Forward signRequests to JSAPI, get signResponse and forward to server

HideShow

Body

{
  "response": {
    "signResponse": {
      "keyHandle": "qF5EfdOTSEK4kP3hlEd_Q2SD4kOYs6K9qZJR5Ve9EloEs6ns36GHG-jGUKFD4JLMwOqsLsRnsipa-XsBzfF6Ow",
      "signatureData": "AQAAAKowRAIgFrmzsrUHiUw2ixt20cXLjBRDo7-UoqWqZlNsFcXZL4ECIH45ALRE86ijsKPv_r3zmzhoE34N3NqzgvRJ1f49C1UA",
      "clientData": "eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiZXYwd3dLR3l5bV9YamdZZkExd2tNT3Y4bGpsOHphS0F5WGdBV3gyUW91OCIsIm9yaWdpbiI6Imh0dHBzOi8vZGVtby55dWJpY28uY29tIiwiY2lkX3B1YmtleSI6IiJ9"
    }
  },
  "endpoint_session_id": "4CkX5jecFnGrv4wIoP83ADpVORjk7zqZ"
}

Response 200

HideShow

Body

{
    "data_id": "",
    "logon_process_id": "tvV9a4UNEf71yvZDxwJQ179SJnHQndmT",
    "current_method": "U2F:1",
    "event_data_id": "",
    "user_id": "3a76753d7f931751c79fa05d80eb058e",
    "repo_id": "42987aa00c8911e69140080027983191",
    "msgid": "AUCORE-2001",
    "plugins": [],
    "repo_obj_id": "42a3962e0c8911e69140080027983191",
    "event_name": "TEST",
    "msg": "Welcome!",
    "chains": [
        {
            "short_name": "",
            "required_chain_id_hex": null,
            "position": 0,
            "is_enabled": true,
            "methods": ["U2F:1"],
            "image_name": "U2F_1.png",
            "grace_period": null,
            "name": "Test-chain",
            "id_hex": "42b312980c8911e69140080027983191",
            "apply_for_ep_owner": false,
            "is_trusted": null
        }
    ],
    "user_name": "LOCAL\USER1",
    "completed_methods": ["U2F:1"],
    "status": "OK",
    "login_session_id": "Cga6cvaMTaMTaDp5TLZHPOet29O808VL"
}

Do SMARTPHONE:1 enroll: ¶

Do SMARTPHONE:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

SMARTPHONE:1 enroll steps:

Send empty request do_enroll to get QA code and check status. User should scan this QR code by application
To check status of enroll application should send empty request to do_enroll until status will not changed for failed or successful.

Error reasons:

SMARTPHONE_ENROLL_TIMEOUT
SMARTPHONE_WAITING_DATA
SMARTPHONE_SCAN_QR
SMARTPHONE_WRONG_V4_TEMPLATE

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Get QR to enroll

HideShow

Body

{
  "login_session_id": "KOYxcRUuuZxDsEhxiycof4XwcuI2lbwk"
}

Response 200

HideShow

Body

{
  "msg": "Scan this QR code with the smartphone application",
  "msgid": "AUCORE-3003",
  "qrdata": "OOBDATAJgBFHPokfqPOxbVzvKrj61GcZDkHeYd0AWYT9x3qQ0ihO9rRktvpqmnyPdlP5efN/FgLhl5D03bU9NJ6OwnxfODK9p5VHXpKqRYfKJhS/hSL7E4weFC4iGP1M1a9DTKfiRN4/A6XprEbkAQceOZMGDdkzmsh7dUus+0owd3FwBnG7jkkfCAQ1rSeI5P1HFMuPsBCdOUFRbMv3Ju8kXLIQRNrHiotksOCtF2vh1ALN3S4fXoPfpC8Nu13uV3ZU7vU+RL5FuexRktRm3dnoDnT1WrTerDXGVRn3T6Ghlg9UkyxswtW1Ipu8N+7OWIT/4PlQ62mj1xGG2otpPE6qCpWPg==",
  "status": "MORE_DATA",
  "reason": "SMARTPHONE_SCAN_QR",
  "method_id": "SMARTPHONE:1"
}

Request Finish enroll after phone actions

HideShow

Body

{
  "login_session_id": "KOYxcRUuuZxDsEhxiycof4XwcuI2lbwk"
}

Response 200

HideShow

Body

{
  "msg": "",
  "reason": "",
  "status": "OK",
  "method_id": "SMARTPHONE:1"
}

Do SMARTPHONE:1 logon online: ¶

Do SMARTPHONE:1 logon online:
POST`/api/v1/logon/{logon_process_id}/do_logon`

SMARTPHONE:1 Online mode logon steps:

Send empty request to do_logon to send push notification to smartphone. User should receive push message and he can approve or reject it.
To check status of logon application should send empty request to do_logon until status will not changed for failed or successful.

Error reasons:

SMARTPHONE_SAME_TOTP
SMARTPHONE_WRONG_TOTP
SMARTPHONE_AUTH_CONFIRM_TIMEOUT
SMARTPHONE_AUTH_REJECTED
SMARTPHONE_LOGON_IN_PROGRESS
SMARTPHONE_WAITING_DATA
SMARTPHONE_NO_LOCATION
SMARTPHONE_INCORRECT_LOCATION
SMARTPHONE_TOTP_LOGON_DISABLED

Example URI

POST /api/v1/logon/6MwzQQ2AKGtTW0q0q2VEQ3tIs0Y6Py0n/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: 6MwzQQ2AKGtTW0q0q2VEQ3tIs0Y6Py0n
ID of the logon process

Request 1. Send push message to smartphone

HideShow

Body

{
  "endpoint_session_id": "MDG133vYLaZIBuSvHFF5LfZtSApQHkaQ"
}

Response 200

HideShow

Body

{
  "reason": "SMARTPHONE_WAITING_DATA",
  "msgid": "AUCORE-2056",
  "msg": "Waiting for smartphone data...",
  "chains": [
    {
      "id_hex": null,
      "is_enabled": true,
      "short_name": "",
      "grace_period": null,
      "image_name": "ANY.png",
      "is_trusted": null,
      "name": "TEST CHAIN",
      "methods": [
        "ANY"
      ],
      "apply_for_ep_owner": false,
      "position": 1000,
      "required_chain_id_hex": null
    }
  ],
  "current_method": "SMARTPHONE:1",
  "status": "MORE_DATA",
  "logon_process_id": "6MwzQQ2AKGtTW0q0q2VEQ3tIs0Y6Py0n",
  "event_name": "",
  "completed_methods": [],
  "event_data_id": "",
  "plugins": [],
  "method_id": "SMARTPHONE:1"
}

Request 2a. Finish logon successfully

HideShow

Body

{
  "endpoint_session_id": "MDG133vYLaZIBuSvHFF5LfZtSApQHkaQ"
}

Response 200

HideShow

Body

{
    "user_name": "LOCAL\AG",
    "msgid": "AUCORE-2053",
    "status": "OK",
    "repo_id": "8c4749d20c7111e69e17080027983191",
    "chains": [
        {
            "id_hex": null,
            "is_enabled": true,
            "short_name": "",
            "grace_period": null,
            "image_name": "ANY.png",
            "is_trusted": null,
            "name": "TEST CHAIN",
            "methods": ["ANY"],
            "apply_for_ep_owner": false,
            "position": 1000,
            "required_chain_id_hex": null
        }
    ],
    "current_method": "SMARTPHONE:1",
    "repo_obj_id": "8c4d1b500c7111e69e17080027983191",
    "msg": "Auth accepted",
    "user_id": "187e62bd172488bea921e47ea2be0e7e",
    "login_session_id": "qeDTAoC66hrMIl28xfnfeGbUpNn8nJXR",
    "logon_process_id": "6MwzQQ2AKGtTW0q0q2VEQ3tIs0Y6Py0n",
    "event_name": "",
    "completed_methods": ["SMARTPHONE:1"],
    "event_data_id": "",
    "data_id": "",
    "plugins": [],
    "method_id": "SMARTPHONE:1"
}

Request 2b. Finish logon failed

HideShow

Body

{
  "endpoint_session_id": "MDG133vYLaZIBuSvHFF5LfZtSApQHkaQ"
}

Response 200

HideShow

Body

{
  "event_name": "",
  "current_method": "SMARTPHONE:1",
  "status": "FAILED",
  "reason": "SMARTPHONE_AUTH_REJECTED",
  "method_id": "SMARTPHONE:1",
  "completed_methods": [],
  "msg": "Auth rejected",
  "plugins": [],
  "msgid": "AUCORE-2054",
  "chains": [
    {
      "grace_period": null,
      "image_name": "ANY.png",
      "position": 1000,
      "apply_for_ep_owner": false,
      "id_hex": null,
      "short_name": "",
      "is_trusted": null,
      "methods": [
        "ANY"
      ],
      "is_enabled": true,
      "required_chain_id_hex": null,
      "name": "TEST CHAIN"
    }
  ],
  "logon_process_id": "3VXhH6liboHcD35uweditS3MGoLJxQVo",
  "event_data_id": ""
}

Do SMARTPHONE:1 logon offline: ¶

Do SMARTPHONE:1 logon offline:
POST`/api/v1/logon/{logon_process_id}/do_logon`

SMARTPHONE:1 Offline mode logon steps:

Send request with totp password from smartphone to do_logon and check status

Error reasons:

SMARTPHONE_SAME_TOTP
SMARTPHONE_WRONG_TOTP
SMARTPHONE_AUTH_CONFIRM_TIMEOUT
SMARTPHONE_AUTH_REJECTED
SMARTPHONE_LOGON_IN_PROGRESS
SMARTPHONE_WAITING_DATA
SMARTPHONE_NO_LOCATION
SMARTPHONE_INCORRECT_LOCATION
SMARTPHONE_TOTP_LOGON_DISABLED

Example URI

POST /api/v1/logon/X7F93FOgKJVoVBg7kgRgdTtc0UKAN2Tm/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: X7F93FOgKJVoVBg7kgRgdTtc0UKAN2Tm
ID of the logon process

Request Enter TOTP-password from smartphone

HideShow

Body

{
  "endpoint_session_id": "oxBLoOk1WyIvAcuUv5xIENMgSoya1K0j",
  "response": {
    "totp": "053226"
  }
}

Response 200

HideShow

Body

{
    "user_name": "LOCAL\AG",
    "msgid": "AUCORE-2001",
    "status": "OK",
    "repo_id": "bf6508400c7111e69e17080027983191",
    "chains": [
        {
            "id_hex": null,
            "is_enabled": true,
            "short_name": "",
            "grace_period": null,
            "image_name": "ANY.png",
            "is_trusted": null,
            "name": "TEST CHAIN",
            "methods": ["ANY"],
            "apply_for_ep_owner": false,
            "position": 1000,
            "required_chain_id_hex": null
        }
    ],
    "current_method": "SMARTPHONE:1",
    "repo_obj_id": "bf6d48340c7111e69e17080027983191",
    "msg": "Welcome!",
    "user_id": "0524d36a32ced8ac9044fb62f79f60e5",
    "login_session_id": "sUne8w7x4E2VMifobJcxxoobdudkq9Sp",
    "logon_process_id": "X7F93FOgKJVoVBg7kgRgdTtc0UKAN2Tm",
    "event_name": "",
    "completed_methods": ["SMARTPHONE:1"],
    "event_data_id": "",
    "data_id": "",
    "plugins": []
}

Request Logon failed

HideShow

Body

{
  "endpoint_session_id": "oxBLoOk1WyIvAcuUv5xIENMgSoya1K0j",
  "response": {
    "totp": "053229"
  }
}

Response 200

HideShow

Body

{
  "msg": "Wrong TOTP password",
  "event_name": "",
  "msgid": "AUCORE-2028",
  "reason": "SMARTPHONE_WRONG_TOTP",
  "current_method": "SMARTPHONE:1",
  "chains": [
    {
      "grace_period": null,
      "image_name": "ANY.png",
      "position": 1000,
      "apply_for_ep_owner": false,
      "id_hex": null,
      "short_name": "",
      "is_trusted": null,
      "methods": [
        "ANY"
      ],
      "is_enabled": true,
      "required_chain_id_hex": null,
      "name": "TEST CHAIN"
    }
  ],
  "status": "FAILED",
  "plugins": [],
  "logon_process_id": "nJERAkt5172RyPdJWuenkyjZHVKG2NR0",
  "event_data_id": "",
  "completed_methods": []
}

Do VOICE:1 enroll: ¶

Do VOICE:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

VOICE:1 enroll steps:

Send request with pin to do_enroll and check status

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Radius enroll

HideShow

Body

{
  "response": {
    "pin": "12345"
  },
  "login_session_id": "iKsplIEBS8lrfhMCr08uyZEtaWRff9s4"
}

Response 200

HideShow

Body

{
  "status": "OK",
  "reason": "",
  "msg": "",
  "method_id": "VOICE:1"
}

Do VOICE:1 logon: ¶

Do VOICE:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

VOICE:1 logon steps:

Send empty request to do_logon to make a call to user. User should receive call and enter pin from it.
To check status of logon application should send empty request to do_logon until status will not changed for failed or successful.

Error reasons:

VOICE_PIN_NOT_VERIFIED
VOICE_CALL_IN_PROGRESS
VOICE_PIN_EXPIRED
VOICE_CANNOT_CALL
VOICE_CALL_INITIATED

Example URI

POST /api/v1/logon/F1iJ4albUW81CqFzdZXekgdyPyB43YbY/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: F1iJ4albUW81CqFzdZXekgdyPyB43YbY
ID of the logon process

Request 1. Call to user

HideShow

Body

{
  "endpoint_session_id": "vqRVxFg79DEHCAJjoe0nJNBSMoibCZa9"
}

Response 200

HideShow

Body

{
  "status": "MORE_DATA",
  "plugins": [],
  "msg": "Call initiated",
  "current_method": "VOICE:1",
  "completed_methods": [],
  "chains": [
    {
      "is_enabled": true,
      "apply_for_ep_owner": false,
      "is_trusted": null,
      "name": "TEST CHAIN",
      "position": 1000,
      "id_hex": null,
      "required_chain_id_hex": null,
      "image_name": "ANY.png",
      "grace_period": null,
      "short_name": "",
      "methods": [
        "ANY"
      ]
    }
  ],
  "reason": "VOICE_CALL_INITIATED",
  "msgid": "AUCORE-2077",
  "event_data_id": "",
  "event_name": "",
  "logon_process_id": "F1iJ4albUW81CqFzdZXekgdyPyB43YbY"
}

Request 2. Check call status

HideShow

Body

{
  "endpoint_session_id": "vqRVxFg79DEHCAJjoe0nJNBSMoibCZa9"
}

Response 200

HideShow

Body

{
  "status": "MORE_DATA",
  "plugins": [],
  "msg": "Call in progress",
  "current_method": "VOICE:1",
  "completed_methods": [],
  "chains": [
    {
      "is_enabled": true,
      "apply_for_ep_owner": false,
      "is_trusted": null,
      "name": "TEST CHAIN",
      "position": 1000,
      "id_hex": null,
      "required_chain_id_hex": null,
      "image_name": "ANY.png",
      "grace_period": null,
      "short_name": "",
      "methods": [
        "ANY"
      ]
    }
  ],
  "reason": "VOICE_CALL_IN_PROGRESS",
  "msgid": "AUCORE-2073",
  "event_data_id": "",
  "event_name": "",
  "logon_process_id": "F1iJ4albUW81CqFzdZXekgdyPyB43YbY"
}

Request 3. Finish logon

HideShow

Body

{
  "endpoint_session_id": "vqRVxFg79DEHCAJjoe0nJNBSMoibCZa9"
}

Response 200

HideShow

Body

{
    "user_name": "LOCAL\AG",
    "msgid": "AUCORE-2001",
    "status": "OK",
    "repo_id": "bf6508400c7111e69e17080027983191",
    "chains": [
        {
            "id_hex": null,
            "is_enabled": true,
            "short_name": "",
            "grace_period": null,
            "image_name": "ANY.png",
            "is_trusted": null,
            "name": "TEST CHAIN",
            "methods": ["ANY"],
            "apply_for_ep_owner": false,
            "position": 1000,
            "required_chain_id_hex": null
        }
    ],
    "current_method": "VOICE:1",
    "repo_obj_id": "bf6d48340c7111e69e17080027983191",
    "msg": "Welcome!",
    "user_id": "0524d36a32ced8ac9044fb62f79f60e5",
    "login_session_id": "sUne8w7x4E2VMifobJcxxoobdudkq9Sp",
    "logon_process_id": "F1iJ4albUW81CqFzdZXekgdyPyB43YbY",
    "event_name": "",
    "completed_methods": ["VOICE:1"],
    "event_data_id": "",
    "data_id": "",
    "plugins": []
}

Do CARD:1 enroll: ¶

Do CARD:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

Store card UID and validate card certificate (for PKI-cards)

Now only support contactless cards (UID).

CARD:1 enroll steps:

Send request with card certificate and card uid to do_enroll and check status

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Smartcard enroll

HideShow

Body

{
  "response": {
    "card_cert": "308205243082040ca00302010202100e62f26..................a5883aa073b4588",
    "card_uid": "0e62f260aa610be177ba6c5d052ef002"
  },
  "login_session_id": "KOYxcRUuuZxDsEhxiycof4XwcuI2lbwk"
}

Response 200

HideShow

Body

{
  "method_id": "CARD:1",
  "status": "OK",
  "reason": "",
  "msg": "Enrollment complete",
  "msgid": "AUCORE-3001"
}

Do CARD:1 logon: ¶

Do CARD:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

CARD:1 logon steps:

Send Smartcard UID and card certificate (for PKI-cards) to do_logon and check status

Now only support contactless cards (UID) and certificate-based (PKI) cards. This method supports 1-N logon, you can define card UID in ‘unit_id’ parameter instead of user_name. Yes, you send card_uid twice. Second one is needed for not 1-N logon scenarios, card AP is not first method of the chain. Non 1-N logon is also supported.

Example URI

POST /api/v1/logon/R94moMSOwAekT28PMCbSnuK8UJq0AxlP/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: R94moMSOwAekT28PMCbSnuK8UJq0AxlP
ID of the logon process

Request Send Smartcard UID and card certificate

HideShow

Body

{
  "endpoint_session_id": "MDG133vYLaZIBuSvHFF5LfZtSApQHkaQ",
  "response": {
    "card_uid": "0e62f260aa610be177ba6c5d052ef002",
    "card_cert": "308205243082040ca003...64a5883aa073b4588"
  }
}

Response 200

HideShow

Body

{
    "plugins": [],
    "msg": "Welcome!",
    "status": "OK",
    "logon_process_id": "R94moMSOwAekT28PMCbSnuK8UJq0AxlP",
    "event_name": "TEST",
    "chains": [
        {
            "short_name": "",
            "apply_for_ep_owner": false,
            "image_name": "CARD_1.png",
            "grace_period": null,
            "methods": ["CARD:1"],
            "position": 0,
            "id_hex": "54e35a080c8a11e6b5cd080027983191",
            "is_trusted": null,
            "name": "Test-chain",
            "required_chain_id_hex": null,
            "is_enabled": true
        }
    ],
    "event_data_id": "",
    "repo_id": "54d11b360c8a11e6b5cd080027983191",
    "user_id": "ba94bcf442f0c148fc6a049c9470d1dd",
    "completed_methods": ["CARD:1"],
    "repo_obj_id": "54d6890e0c8a11e6b5cd080027983191",
    "login_session_id": "htNJc4zJq0DvtMR3jxqQXRzDKqdSB7vu",
    "data_id": "",
    "current_method": "CARD:1",
    "msgid": "AUCORE-2001",
    "user_name": "LOCAL\USER1"
}

Do PKI:1 enroll: ¶

Do PKI:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

PKI:1 enroll steps:

Send request with a public key in modulus+exponent format or a certificate in DER format to do_enroll and check status

Error reasons:

PKI_CERT_VALIDATION_FAILED

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Store either a public key in modulus+exponent format or a certificate in DER format

HideShow

Body

{
  "response": {
    "card_uid": "1",
    "modulus": "bd77dc79a02acda19a9ec6099cd4a........0da58c9ef04a1e2655aac84f23",
    "certificate": null,
    "exponent": "10001"
  },
  "login_session_id": "IxJq1C5Gt6VxGeF65YjKl5R99Q70Lf9H"
}

Response 200

HideShow

Body

{
  "msgid": "AUCORE-3001",
  "reason": "",
  "msg": "Enrollment complete",
  "status": "OK",
  "method_id": "PKI:1"
}

Do PKI:1 logon: ¶

Do PKI:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

PKI:1 logon steps:

Ask server for a challenge by sending empty request to do_logon
Sign the given challenge on card or token and send it to do_logon and check status

Error reasons:

PKI_WAITING_AUTH_SIGN
PKI_SIGN_VERIFICATION_FAILED
PKI_CERT_VALIDATION_FAILED
PKI_WRONG_CARD

Example URI

POST /api/v1/logon/kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp
ID of the logon process

Request 1. Ask server for a challenge

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {}
}

Response 200

HideShow

Body

{ "chains": [ { "image_name": "default",
                "is_enabled": True,
                "is_trusted": None,
                "methods": ["PKI:1"],
                "name": "Test-chain",
                "position": 0,
                "short_name": ""}],
  "completed_methods": [],
  "current_method": "PKI:1",
  "event_data_id": "",
  "event_name": "TEST",
  "logon_process_id": "kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp",
  "msg": "Waiting for an authentication signature",
  "plugins": [],
  "challenge": "f81e9d6882aca80cbe97e291ee5771aba7cc13facb3c79a5ae924e788bc4f7d2",
  "reason": "PKI_WAITING_AUTH_SIGN",
  "status": "MORE_DATA"
}

Request 2. Sign the given challenge on card or token

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {
    "signature": "58ad84f3a9b7244031aa55c0d....42d123bdb715a153974e992b16d022",
    "padding": "PKCS#1",
    "hash": "SHA1"
  }
}

Response 200

HideShow

Body

{ "repo_obj_id": "6104a6ce424b11e5b7ebdc85de0b0889",
  "repo_id": "6104a6c5424b11e5b7ebdc85de0b0889",
  "logon_process_id": "kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp",
  "status": "OK",
  "plugins": [],
  "msg": "Welcome!",
  "current_method": "PKI:1",
  "completed_methods": ["PKI:1"],
  "chains": [{ "methods": ["ANY"],
               "image_name": "default",
               "short_name": "",
               "position": 1000,
               "is_enabled": true,
               "is_trusted": null,
               "name": "TEST CHAIN"}],
  "event_data_id": "",
  "user_id": "6104a6cf424b11e5b7ebdc85de0b0889",
  "user_name": "LOCAL\ADMIN",
  "login_session_id": "DirIO8s41TbT1lm7Dh5BNfK6gRTHhXTl",
  "data_id": "",
  "event_name": "TEST"
}

Do FINGER:1 enroll: ¶

Do FINGER:1 enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

FINGER:1 enroll steps:

Send request to do_enroll with finger images

Fields description: Finger: 1 , where 1 is finger id from ids bellow

Finger ids:

ANY_FINGER = 0
RIGHT_THUMB = 1
LEFT_THUMB = 2
RIGHT_INDEX = 3
LEFT_INDEX = 4
RIGHT_MIDDLE = 5
LEFT_MIDDLE = 6
RIGHT_RING = 7
LEFT_RING = 8
RIGHT_LITTLE = 9
LEFT_LITTLE = 10

Image content format:

BitsPerPixel, integer, bits per pixel, support only 8 bits now
BytesPerLine, integer, count of bytes per one row
Width , integer, length of row in pixels
Height, integer, pixel row’s count
Dpi, integer, is not used now
Image, string, base64 encoded string with bytes
captureStatus, string, result of capturing

Template content format:

ISO: string, base64 encoded string with iso content
captureStatus, string, result of capturing

Error reasons:

INCORRECT_FINGERS_COUNT
INCORRECT_CAPTURES_COUNT_PER_FINGER

Example URI

POST /api/v1/enroll/JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX/do_enroll

URI Parameters

HideShow

enroll_process_id: string (required) Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
ID of the enroll process

Request Multiple finger enroll with images

HideShow

Body

{
  "response": {
    "captures": [
      {
        "Finger": 1,
        "Image": {
          "BitsPerPixel": 8,
          "BytesPerLine": 300,
          "Dpi": 500,
          "Height": 300,
          "Width": 300,
          "captureStatus": "Ok",
          "Image": "<image content>"
        }
      },
      {
        "Finger": 1,
        "Image": {
          "BitsPerPixel": 8,
          "BytesPerLine": 300,
          "Dpi": 500,
          "Height": 300,
          "Width": 300,
          "captureStatus": "Ok",
          "Image": "<image content>"
        }
      }
    ]
  },
  "login_session_id": "IxJq1C5Gt6VxGeF65YjKl5R99Q70Lf9H"
}

Response 200

HideShow

Body

{
  "msgid": "AUCORE-3001",
  "reason": "",
  "msg": "Enrollment complete",
  "status": "OK",
  "method_id": "FINGER:1"
}

Request Multiple finger enroll with iso templates

HideShow

Body

{
  "response": {
    "iso": true,
    "captures": [
      {
        "Finger": 1,
        "Image": {
          "ISO": "<iso finger capture template>",
          "captureStatus": "OK"
        }
      },
      {
        "Finger": 1,
        "Image": {
          "ISO": "<iso finger capture template>",
          "captureStatus": "OK"
        }
      }
    ]
  },
  "login_session_id": "IxJq1C5Gt6VxGeF65YjKl5R99Q70Lf9H"
}

Response 200

HideShow

Body

{
  "msgid": "AUCORE-3001",
  "reason": "",
  "msg": "Enrollment complete",
  "status": "OK",
  "method_id": "FINGER:1"
}

Do FINGER:1 logon: ¶

Do FINGER:1 logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

FINGER:1 logon steps:

Send to server finger capture or finger capture’s iso template

Image content format:

BitsPerPixel, integer, bits per pixel, support only 8 bits now
BytesPerLine, integer, count of bytes per one row
Width , integer, length of row in pixels
Height, integer, pixel row’s count
Dpi, integer, is not used now
Image, string, base64 encoded string with bytes
captureStatus, string, result of capturing

Template content format:

ISO: string, base64 encoded string with iso content
captureStatus, string, result of capturing

Example URI

POST /api/v1/logon/kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp/do_logon

URI Parameters

HideShow

logon_process_id: 32 symbol id (required) Example: kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp
ID of the logon process

Request Send finger capture

HideShow

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {
    "capture": {
      "BitsPerPixel": 8,
      "BytesPerLine": 300,
      "Dpi": 500,
      "Height": 300,
      "Width": 300,
      "captureStatus": "Ok",
      "Image": "<image content>"
    }
  }
}

Response 200

HideShow

Body

{
    "event_data_id": "",
    "msgid": "AUCORE-2001",
    "logon_process_id": "kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp",
    "login_session_id": "iCFCUvGVK9zlDQtWa018UWKUwuNHEYcn",
    "current_method": "FINGER:1",
    "chains": [
        {
          "position": 1000,
          "short_name": "",
          "grace_period": null,
          "methods": [
            "FINGER:1"
          ],
          "is_enabled": true,
          "name": "TEST CHAIN",
          "id_hex": null,
          "required_chain_id_hex": null,
          "is_trusted": null,
          "apply_for_ep_owner": false,
          "image_name": "FINGER_1.png"
        }
    ],
    "repo_obj_id": "c0fd1ab20b0e11e6b224080027983191",
    "plugins": [],
    "msg": "Welcome!",
    "status": "OK",
    "user_id": "84a0a279d391de4b2fd70ea38b46d3ce",
    "data_id": "",
    "event_name": "",
    "repo_id": "c0eeb0ee0b0e11e6b224080027983191",
    "completed_methods": [
        "FINGER:1"
    ],
    "user_name": "LOCAL\ADMIN"
}

Request Send finger capture's iso template

HideShow

Headers

Content-Type: application/json

Body

{
  "endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
  "response": {
    "capture": {
      "ISO": "<finger capture's iso template>",
      "captureStatus": "OK"
    }
  }
}

Response 200

HideShow

Body

{
    "event_data_id": "",
    "msgid": "AUCORE-2001",
    "logon_process_id": "kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp",
    "login_session_id": "iCFCUvGVK9zlDQtWa018UWKUwuNHEYcn",
    "current_method": "FINGER:1",
    "chains": [
        {
          "position": 1000,
          "short_name": "",
          "grace_period": null,
          "methods": [
            "FINGER:1"
          ],
          "is_enabled": true,
          "name": "TEST CHAIN",
          "id_hex": null,
          "required_chain_id_hex": null,
          "is_trusted": null,
          "apply_for_ep_owner": false,
          "image_name": "FINGER_1.png"
        }
    ],
    "repo_obj_id": "c0fd1ab20b0e11e6b224080027983191",
    "plugins": [],
    "msg": "Welcome!",
    "status": "OK",
    "user_id": "84a0a279d391de4b2fd70ea38b46d3ce",
    "data_id": "",
    "event_name": "",
    "repo_id": "c0eeb0ee0b0e11e6b224080027983191",
    "completed_methods": [
        "FINGER:1"
    ],
    "user_name": "LOCAL\ADMIN"
}

Terms ¶

Howto ¶

Secrets ¶

Error reporting ¶

Special HTTP errors ¶

Localization ¶

Supported locale formats ¶

Message ID ¶

Endpoints ¶

Register new endpoint ¶

Register new endpointPOST/api/v1/endpoints/{32}}

Example URI

Body

Body

Body

Body

Read endpoint information ¶

Read endpoint informationGET/api/v1/endpoints/{32}}

Example URI

Body

Body

Destroy endpoint ¶

Destroy endpointDELETE/api/v1/endpoints/{32}}

Example URI

Body

Body

Update endpoint information ¶

Update endpoint informationPATCH/api/v1/endpoints/{32}}

Example URI

Body

Body

Endpoint sessions ¶

Create the session from endpoint and returns it's ID ¶

Create the session from endpoint and returns it's IDPOST/api/v1/endpoints/{32}}/sessions/{32}}

Example URI

Body

Body

Body

Body

Read information about endpoint session: ¶

Read information about endpoint session:GET/api/v1/endpoints/{endpoint_id}/sessions/{endpoint_session_id}?salt={salt}&endpoint_secret_hash={endpoint_secret_hash}

Example URI

Body

Destroys the endpoint session: ¶

Destroys the endpoint session:DELETE/api/v1/endpoints/{endpoint_id}/sessions/{endpoint_session_id}?salt={salt}&endpoint_secret_hash={endpoint_secret_hash}

Example URI

Body

Logon ¶

Simple logon ¶

Chained logon ¶

Create logon process: ¶

Create logon process:POST/api/v1/logon

Example URI

Body

Body

Body

Body

Common Do logon: ¶

Common Do logon:POST/api/v1/logon/{logon_process_id}/do_logon

Example URI

Body

Body

Body

Body

Continue logon for multiple step logon ¶

Continue logon for multiple step logonPOST/api/v1/logon/{logon_process_id}/next

Example URI

Body

Body

Read available chains: ¶

Read available chains:GET/api/v1/logon/chains?user_name={user_name}&is_trusted={is_trusted}&event={event}&endpoint_session_id={endpoint_session_id}

Example URI

Body

Destroy logon process: ¶

Destroy logon process:DELETE/api/v1/logon/{logon_process_id}?endpoint_session_id={endpoint_session_id}

Example URI

Login sessions ¶

Read information about login session: ¶

Read information about login session:GET/api/v1/logon/sessions/{login_session_id}?endpoint_session_id={endpoint_session_id}

Example URI

Terms

Howto

Secrets

Error reporting

Special HTTP errors

Localization

Supported locale formats

Message ID

Register new endpoint
POST`/api/v1/endpoints/{32}}`

Read endpoint information
GET`/api/v1/endpoints/{32}}`

Destroy endpoint
DELETE`/api/v1/endpoints/{32}}`

Update endpoint information
PATCH`/api/v1/endpoints/{32}}`

Create the session from endpoint and returns it's ID
POST`/api/v1/endpoints/{32}}/sessions/{32}}`

Read information about endpoint session:
GET`/api/v1/endpoints/{endpoint_id}/sessions/{endpoint_session_id}?salt={salt}&endpoint_secret_hash={endpoint_secret_hash}`

Destroys the endpoint session:
DELETE`/api/v1/endpoints/{endpoint_id}/sessions/{endpoint_session_id}?salt={salt}&endpoint_secret_hash={endpoint_secret_hash}`

Simple logon

Chained logon

Create logon process:
POST`/api/v1/logon`

Common Do logon:
POST`/api/v1/logon/{logon_process_id}/do_logon`

Continue logon for multiple step logon
POST`/api/v1/logon/{logon_process_id}/next`

Read available chains:
GET`/api/v1/logon/chains?user_name={user_name}&is_trusted={is_trusted}&event={event}&endpoint_session_id={endpoint_session_id}`

Destroy logon process:
DELETE`/api/v1/logon/{logon_process_id}?endpoint_session_id={endpoint_session_id}`

Read information about login session:
GET`/api/v1/logon/sessions/{login_session_id}?endpoint_session_id={endpoint_session_id}`

Delete login session:
DELETE`/api/v1/logon/sessions/{login_session_id}?endpoint_session_id={endpoint_session_id}`

Start enroll process:
POST`/api/v1/enroll`

Common Do enroll:
POST`/api/v1/enroll/{enroll_process_id}/do_enroll`

Destroy pending/waiting process:
DELETE`/api/v1/enroll/{enroll_process_id}?login_session_id={login_session_id}`

Read effective policies of user :
GET`/api/v1/users/{user_id}/effective_policy?login_session_id={login_session_id}`

Read info about specific component of effective user policy
GET`/api/v1/users/{user_id}/effective_policy/{component}?login_session_id={login_session_id}`

Read effective policies of endpoint :
GET`/api/v1/endpoints/{endpoint_id}/effective_policy?endpoint_session_id={endpoint_session_id}`

Read info about specific component of endpoint effective policy
GET`/api/v1/endpoints/{endpoint_id}/effective_policy/{component}?endpoint_session_id={endpoint_session_id}`

Read all records of OSLogon data:
GET`/api/v1/users/{user_id}/data/OSLogon?login_session_id={login_session_id}`

Delete all records of OSLogon data:
DELETE`/api/v1/users/{user_id}/data/OSLogon?login_session_id={login_session_id}`

Delete password record only::
DELETE`/api/v1/users/{user_id}/data/OSLogon/password?login_session_id={login_session_id}`

Modify data:
PATCH`/api/v1/users/{user_id}/data/OSLogon`

List of user's linked templates:
GET`/api/v1/users/{user_id}/templates?login_session_id={login_session_id}`

Create template, fill it from enroll session and link to user:
POST`/api/v1/users/{user_id}/templates`