Advanced Authentication API doc
Terms
Endpoint
The appliance provides user authentication in different places, e.g. Microsoft Windows, Apple MacOS X or other custom applications and systems. The final destination of a user's authentication is the endpoint. An endpoint can be a physical workstation or an application.
Endpoint session
An endpoint must create an endpoint session on the server before it can start working. The endpoint session has a lifetime; once it expires the endpoint session is deleted and must be renewed. All users of one endpoint work through the same endpoint session.
Event
Endpoints are grouped into events; an event is a logical grouping of endpoints. Windows logon and Mac OS logon are different events; each event can have its own set of endpoints, and those endpoints are Mac or Windows workstations.
Authentication Method
These are the specific authentication methods that are supported by the framework. Examples are SMS, OTP, or Smartphone authentication methods. In order to use a method, it needs to be connected to a chain. A method without a chain cannot be used to authenticate.
Name | Key | Description |
---|---|---|
LDAP password | LDAP_PASSWORD:1 | Authentication by LDAP password; the system can use different LDAP user repositories |
One-time password based on hash algorithm | HOTP:1 | Authentication by OTP with hash algorithm |
One-time password based on time algorithm | TOTP:1 | Authentication by OTP with time based algorithm |
One-time password sent by e-mail | EMAIL_OTP:1 | Authentication by OTP sent by e-mail |
One-time password sent by SMS | SMS_OTP:1 | Authentication by OTP sent by SMS |
RADIUS password | RADIUS:1 | Authentication by RADIUS server |
Security question | SECQUEST:1 | Authentication by security question |
Smartphone authentication | SMARTPHONE:1 | Authentication by smartphone application |
Virtual password | PASSWORD:1 | Authentication by password assigned to the user |
Voice call | VOICE:1 | Authentication by voice call |
Cards | CARD:1 | Authentication by cards |
FIDO U2F | U2F:1 | Authentication by FIDO U2F tokens |
Emergency password | EMERG_PASSWORD:1 | Authentication by emergency password |
PKI | PKI:1 | Authentication by PKI |
Bluetooth | BLUETOOTH:1 | Authentication by Bluetooth devices |
OAuth 2.0 | OAUTH2:1 | Authentication by OAuth 2.0 |
Chain
The authentication framework works with chains. A chain consists of one or more authentication methods and is connected to events. For example, a chain of LDAP password and OTP: with this chain you must first enter your password, then a one-time password retrieved from a token.
User templates
User templates contain the authentication information associated with users. Each template is linked to a user and to an authentication method. When a user tries to log on using a specific authentication method, the server finds the associated user template and performs the authentication. Users cannot use authentication methods without associated user templates.
Enroll
The enrollment process collects the information needed to create user templates. User templates are created in several steps of the enroll process, which acts as a wizard for user templates. Each user can create user templates through the enroll process; an administrator can assign enroll process results to other users. To start enrollment a user must log on first.
Logon
The server provides strong user authentication by using the chain-login concept. Each chain is a challenge-response login. For a successful authentication, the entire chain must be completed. A chain can consist of one or several authentication methods.
Login session
After a user logs on, the system creates a login session; use this session to access protected information from the server. For example, reading event data requires a login session identifier.
Howto
To begin work with the Aucore REST API you need:
- A registered endpoint (endpoint id and secret). If you don't have one, create it with Register new endpoint (Endpoints section below).
To log in to Aucore:
- Create an endpoint session (Endpoint sessions section below).
- Get all chains available for the user and the concrete event, and select the chain to use (Read available chains).
- Start the logon process with the selected method and event (Create logon process).
- Complete all methods in the chain:
  - Call doLogon for the specific method.
  - If doLogon returns OK: you have successfully logged in to Aucore.
  - If doLogon returns MORE_DATA: Aucore is waiting for additional data. See the specific method description.
  - If doLogon returns FAILED: your attempt was not successful. Start a new logon process to try again.
  - If doLogon returns NEXT: your attempt was successful, but you must call the next method to start the next method in the chain. After the next call, use doLogon again.
- Use login_session_id for further work.
To enroll:
- Log in to Aucore and take the login_session_id.
- Start the enroll process (Start enroll process).
- Make a series of doEnroll calls until the returned status is 'OK' (Common Do enroll, one step of the enroll sequence).
- Link your enroll process with a user: create a template, fill it from the enroll session and link it to the user.
Secrets
- login_session_id
- endpoint_session_id
- the endpoint secret stored on the endpoint device, passed as endpoint_secret_hash
Anyone who knows an xxx_session_id can remove that session (log the user out) or read its /data, acting on behalf of the user or endpoint, so these values must be protected accordingly.
Error reporting
Normally the server responds with HTTP status 200 and a JSON body (as described for the corresponding service). In case of error, the HTTP status may be 40x or 50x and the response body is JSON structured as follows.
You need the 'description' of the first error:
{
  "errors": [
    {
      "description": "Cannot connect to LDAP server(s)",
      "location": "server",
      "msgid": "AUCORE-0047"
    }
  ],
  "reason": "LDAP_NO_CONNECT"
}
Do not use msgid for result status checking; use status and reason instead.
See Common Do logon for the common status codes. Logon methods have individual statuses.
Special HTTP errors
HTTP 433 - endpoint session not found or expired. It is possible to get this error in the middle of a logon process. You may start a new endpoint session, resend the do_logon request and continue.
HTTP 434 - login session not found or expired. Log on again.
HTTP 400 - wrong data (missing fields etc.) or method protocol violation, e.g. the voice method has already made the phone call and is waiting for the PIN code, but you ask it to call the user again. Fix your data and retry.
HTTP 500 - serious error, usually not possible to retry. Start your operation from the beginning (open a new logon process, etc.).
Read the HTTP error description; it may help with debugging.
Localization
It is possible to choose a locale for server messages and warnings. The server detects the locale for a request from the following sources, in priority order:
- HTTP parameter LOCALE for GET or DELETE requests.
- JSON attribute LOCALE for POST, PUT and PATCH methods.
- LOCALE cookie.
- Accept-Language HTTP header.
Request (application/json)
{ "login_session_id": "789", "method_id": "HOTP:1", "_LOCALE_": "ru-RU" }
Supported locale formats
- Language with territory, underscore-separated: en_US, nl_NL
- Language with territory, hyphen-separated: ru-RU, fr-FR
- Language only: ru, nl, fr
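An added example (not Aucore's own code) that applies the locale selection order above and normalizes the three supported locale formats to one canonical form. The request is modelled as plain dicts, the supported-locale list is a constructed sample, and both the LOCALE attribute named in the text and the _LOCALE_ key used in the request sample are accepted.

```python
from typing import Dict, List, Optional

# Constructed sample of the locales the server knows; the page only shows formats.
SUPPORTED = ["en_US", "nl_NL", "ru_RU", "fr_FR", "ru", "nl", "fr"]


def normalize(tag: str) -> Optional[str]:
    """Map 'en_US', 'en-us' or 'en' onto a SUPPORTED entry, or None if unknown."""
    parts = tag.strip().replace("-", "_").split("_")
    if not parts or not parts[0]:
        return None
    lang = parts[0].lower()
    if len(parts) > 1 and parts[1]:
        full = f"{lang}_{parts[1].upper()}"
        if full in SUPPORTED:
            return full
    # Territory absent or unknown: fall back to the language-only entry.
    return lang if lang in SUPPORTED else None


def parse_accept_language(header: str) -> List[str]:
    """Language tags from an Accept-Language header, highest q first (stable)."""
    weighted = []
    for position, item in enumerate(header.split(",")):
        item = item.strip()
        if not item:
            continue
        tag, _, params = item.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        weighted.append((-q, position, tag.strip()))
    return [tag for _, _, tag in sorted(weighted)]


def resolve_locale(method: str, query: Dict[str, str], body: Dict[str, object],
                   cookies: Dict[str, str], headers: Dict[str, str],
                   default: str = "en_US") -> str:
    """Apply the documented priority: parameter, JSON attribute, cookie, header."""
    candidates: List[str] = []
    if method in ("GET", "DELETE") and "LOCALE" in query:
        candidates.append(str(query["LOCALE"]))
    if method in ("POST", "PUT", "PATCH"):
        # The text names the attribute LOCALE; the request sample uses _LOCALE_.
        for key in ("LOCALE", "_LOCALE_"):
            if key in body:
                candidates.append(str(body[key]))
    if "LOCALE" in cookies:
        candidates.append(cookies["LOCALE"])
    accept = headers.get("Accept-Language")
    if accept:
        candidates.extend(parse_accept_language(accept))
    # First candidate that maps to a supported locale wins.
    for tag in candidates:
        locale = normalize(tag)
        if locale:
            return locale
    return default
```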
Message ID
The server issues an additional Message ID which can be used for message customization:
{
  "chains": [],
  "completed_methods": [],
  "current_method": "PASSWORD:1",
  "logon_process_id": "Ww323YxvYv6IVj3J3EaLNlkVM2aoHfLa",
  "msgid": "AUCORE-1008",
  "msg": "Process started",
  "status": "MORE_DATA"
}
NOTE: Do not use msgid for result status checking; use status with reason instead.
Endpoints
Endpoint session management
Register new endpoint:
Body
{
"name":"workstation1.domain.local", // pass hostname here
"software_type": "Windows Client", // PAM Module/AD filter/etc
"software_ver": "6.0.111",
"desc":"New NAM endpoint",
"tenant_name":"MARIA_GROUP",
"os": {
// recognized fields
"type": "Windows", // Linux, MacOS etc.
"display_name": "Windows 10 Version 1607", // Ubuntu 14.04.3 LTS
"platform": "x64", // x86 ARM8 etc
"version": "10.0.14393", // "14.04.03"
// Windows machine GUID/SID, Linux machine-id etc.
// please send GUID as "7c0da94b-ded2-4eb3-9c90-22a568f8d30a",
// not as "{7c0da94b-ded2-4eb3-9c90-22a568f8d30a}" to slightly improve indexing performance
"device_id": "<str, unique computer/device ID>",
// other fields possible - OS specific info
"build": "14393",
"tz": "+07:00",
"win10_version": "1607",
"RAM": "32768",
"domain": "WORKGROUP",
"linux_distr": "Ubuntu",
"windows_family": "Desktop"
},
"extra": {
// any extra fields possible
}
}
Body
{
"secret": "cctdgkMc4pyKw0jAduP5CetGtaGKniPL",
"id": "76d1d94607da11e69bae080027983191"
}
Body
{
"name":"nam.new.trusted.endpoint",
"typ":3,
"desc":"New trusted NAM endpoint2",
"is_trusted":true,
"tenant_name": "MARIA_GROUP",
"auth_data": {
"method_id": "PASSWORD:1",
"user_name": "LOCAL\admin",
"password": "password"
}
}
Body
{
"secret": "cJd8UjfftveHW4JXrphTupMDACoF06xZ",
"id": "72fe734607db11e69bae080027983191"
}
Register new endpoint: POST /api/v1/endpoints
Grab the secret and store it inside the endpoint (secure registry storage, root-only accessible file, etc.). You will use the secret with the 'endpoint_sessions' service (Endpoint sessions section below).
Read endpoint information:
Body
{
"name": "nam.new.trusted.endpoint3",
"typ": 3,
"desc": "New trusted NAM endpoint",
"is_enabled": true,
"id": "d5f5881e07df11e69bae080027983191",
"is_trusted": true
// os information is not returned for security reasons - this call is world-accessible
}
Body
{
"errors": [
{
"location": "server",
"name": "AuError",
"msgid": "AUCORE-1022",
"description": "Endpoint not found"
}
],
"status": "error"
}
Read endpoint information: GET /api/v1/endpoints/{endpoint_id}
- endpoint_id (32 symbol id, required): ID of the endpoint. Example: f1be127607dc11e69bae080027983191
Destroy endpoint:
Body
{
"auth_data": {
"method_id": "PASSWORD:1",
"user_name": "LOCAL\admin",
"password": "admin"
},
"secret": "M2QjVLgxVKOYrpVtYKafsGtKrBRx1aTU"
}
Body
null
Destroy endpoint: DELETE /api/v1/endpoints/{endpoint_id}
An untrusted endpoint can be destroyed by a user who knows the endpoint secret (the auth_data check is skipped). Otherwise the user must provide auth_data. Only FULL ADMINS or ENROLL ADMINS can destroy endpoints. This method requires a JSON body; not all web clients/proxy servers support a body for the HTTP DELETE method.
- endpoint_id (32 symbol id, required): ID of the endpoint. Example: f1be127607dc11e69bae080027983191
Update endpoint information:
Body
{
"name":"sara.domain.local",
"auth_data": {
"method_id": "PASSWORD:1",
"user_name": "LOCAL\admin",
"password": "admin"
},
// optional
"os": {
// ... Entire dictionary will be replaced
},
"software_type": "Windows Client",
"software_ver": "6.2"
}
Body
null
Update endpoint information: PATCH /api/v1/endpoints/{endpoint_id}
The field auth_data is required to update an endpoint.
If you omit a field, it will not be changed.
- endpoint_id (32 symbol id, required): ID of the endpoint. Example: f1be127607dc11e69bae080027983191
Search endpoints by name:
Body
{
"tenant_name": "MARIA_GROUP",
"name": "nam.new.trusted.endpoint3",
"auth_data": {
"method_id": "PASSWORD:1",
"user_name": "LOCAL\admin",
"password": "admin"
}
}
Body
{
"endpoints": [
{
"name": "nam.new.trusted.endpoint3",
"typ": 3,
"desc": "New trusted NAM endpoint",
"is_enabled": true,
"id": "d5f5881e07df11e69bae080027983191",
"is_trusted": true
}
]
}
Search endpoints by name: POST /api/v1/endpoints/search
The field tenant_name is optional; the TOP tenant is used by default.
The field name is required: the name of the endpoint (case-insensitive).
The field auth_data is required to search endpoints.
Only FULL ADMINS or ENROLL ADMINS can search endpoints.
Endpoint sessions
Endpoint session management. Does not require a login session or an endpoint session. Instead, it requires the endpoint secret.
Session lifetime (TTL): expires after 60 min of inactivity, max lifetime 10080 min. It may change without notice. Please handle the 434/433 HTTP codes to re-open the session on the fly and re-send the request.
Create the session from endpoint and return its ID:
Body
{
"salt": "i_am_salt",
"endpoint_secret_hash": "d8065693d119fd3d3b0ea54b31d0bf66cc6b56879de302c94cf0e464fef67124",
"session_data":
{
"any": { "data": ["you", "want to store", "in session"] }
},
// Optional - update os and client software information
"os":
{
"display_name": "Ubuntu 14.04.3 LTS",
"platform": "x64",
"version": "14.04.03"
// Entire dictionary will be changed
// Always pass full info or don't pass any
},
"software_type": "Windows Client", // optional
"software_ver": "6.2", // optional
"name": "new.endpoint.name" // rename endpoint (e.g. if the hostname has changed)
}
Body
{
"endpoint_session_id": "0TbKHn9MsZKJYhfQ0FZ0W2y0RHVwxTOY"
}
Body
{
"salt": "i_am_salt",
"endpoint_secret_hash": "d8065693d119fd3d3b0ea54b31d0bf66cc6b56879de302c94cf0e464fef67127",
//incorrect secret hash
"session_data": {"any": { "data": ["you", "want to store", "in session"] } }
}
Body
{
"errors": [
{
"location": "server",
"name": "AuError",
"msgid": "AUCORE-1065",
"description": "Wrong credentials (endpoint secret)"
}
],
"status": "error"
}
Create the session from endpoint and return its ID: POST /api/v1/endpoints/{endpoint_id}/sessions
The client machine knows the endpoint_secret and id in advance. It sends them to the server in hashed and salted form. The server validates them and returns endpoint_session_id or an HTTP error.
endpoint_secret_hash calculation in Python:
    from hashlib import sha256

    def get_endpoint_secret_hash(endpoint, salt):
        # Calculates the endpoint secret hash as SHA256(endpoint.secret + SHA256(endpoint.id_hex + salt))
        # salt is a random string of length >= 1
        salted_endpoint_id = (endpoint.id_hex + salt).encode('utf-8')
        endpoint_id_hash = sha256(salted_endpoint_id).hexdigest()
        salted_endpoint_secret = (endpoint.secret + endpoint_id_hash).encode('utf-8')
        return sha256(salted_endpoint_secret).hexdigest()
- endpoint_id (32 symbol id, required): ID of the endpoint. Example: f1be127607dc11e69bae080027983191
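An added example (not Aucore's own code) showing both halves of this handshake: the client builds the session request with a fresh random salt using the documented hash construction, and a server-side check recomputes the hash from the stored secret and compares it in constant time. The endpoint id and secret are supplied by the caller; the function names are this example's own.

```python
import hmac
import secrets
from hashlib import sha256


def endpoint_secret_hash(endpoint_id_hex: str, endpoint_secret: str, salt: str) -> str:
    """SHA256(secret + SHA256(id_hex + salt)), hex-encoded, as documented above."""
    if len(salt) < 1:
        raise ValueError("salt must be at least 1 character")
    endpoint_id_hash = sha256((endpoint_id_hex + salt).encode("utf-8")).hexdigest()
    return sha256((endpoint_secret + endpoint_id_hash).encode("utf-8")).hexdigest()


def build_session_request(endpoint_id_hex: str, endpoint_secret: str,
                          session_data: dict = None) -> dict:
    """Client side: body for POST /api/v1/endpoints/{endpoint_id}/sessions.

    The doc only requires a salt of length >= 1; a fresh random salt per
    request keeps the transmitted hash different every time.
    """
    salt = secrets.token_urlsafe(16)
    body = {
        "salt": salt,
        "endpoint_secret_hash": endpoint_secret_hash(endpoint_id_hex, endpoint_secret, salt),
    }
    if session_data is not None:
        body["session_data"] = session_data
    return body


def verify_session_request(stored_secret: str, endpoint_id_hex: str, body: dict) -> bool:
    """Server side: recompute the hash from the stored secret and the client's salt.

    Rejects a missing or empty salt and compares in constant time so the
    comparison itself does not leak how many leading bytes matched.
    """
    salt = body.get("salt")
    presented = body.get("endpoint_secret_hash")
    if not isinstance(salt, str) or not salt or not isinstance(presented, str):
        return False
    expected = endpoint_secret_hash(endpoint_id_hex, stored_secret, salt)
    return hmac.compare_digest(expected, presented)
```

Because the salt is chosen by the client, a captured salt/hash pair can be replayed until the secret is rotated; the hash protects the secret itself, not the request.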
Read information about endpoint session:
Body
{
"endpoint_id": "377ac5fe07e011e69bae080027983191",
"session_data": {
"any": {
"data": [
"you",
"want to store",
"in session"
]
}
},
"sid": "daTpDaWAd5BP0QzBNcIulLuFYCJ32Aak"
}
Read information about endpoint session: GET /api/v1/endpoints/{endpoint_id}/sessions/{endpoint_session_id}?salt={salt}&endpoint_secret_hash={endpoint_secret_hash}
- endpoint_id (32 symbol id, required): ID of the endpoint. Example: f1be127607dc11e69bae080027983191
- endpoint_session_id (32 symbol id, required): ID of the endpoint session. Example: f1be127607dc11e69bae080027983191
- salt (string, required): client-generated salt used in the secret hash algorithm. Example: i_am_salt
- endpoint_secret_hash (string, required): endpoint secret hash. Example: 7a68b11d3e409c09ba1545f5500273defb3c27127250029f00ac65097978fcf6
Destroys the endpoint session:
Body
null
Destroys the endpoint session: DELETE /api/v1/endpoints/{endpoint_id}/sessions/{endpoint_session_id}?salt={salt}&endpoint_secret_hash={endpoint_secret_hash}
- endpoint_id (32 symbol id, required): ID of the endpoint. Example: f1be127607dc11e69bae080027983191
- endpoint_session_id (32 symbol id, required): ID of the endpoint session. Example: f1be127607dc11e69bae080027983191
- salt (string, required): client-generated salt used in the secret hash algorithm. Example: i_am_salt
- endpoint_secret_hash (string, required): endpoint secret hash. Example: 7a68b11d3e409c09ba1545f5500273defb3c27127250029f00ac65097978fcf6
Logon
Implements the logon process. Requires endpoint_session_id; add it to all requests.
Login procedure:
- Start the login process, grab logon_process_id.
- Series of do_logon calls. The client software sends a 'response' to the server; the server replies with a 'challenge'.
- Receiving status 'OK' or 'FAILED' is the end of the process. OK - logon is complete, a login session has been created. FAILED - logon failed, the logon process is destroyed.
- HTTP error 400 or 500 does not destroy the process; it is possible to continue it.
- The special HTTP error 434 is returned when the login session is not found or has expired.
Simple logon
First, you create a login process:
    POST /api/v1/logon
    {
        'method_id': 'PASSWORD:1',
        'user_name': 'REPONAME\USERNAME',
        'is_1N': True/False,   # optional, default False
        'unit_id': 'xxx',      # for 1N login
        'event': 'xxx'         # can be an empty string for testing (allows any method)
    }
For 1N login, you set is_1N to True and pass unit_id. For normal login, you pass user_name. Return:
    {
        'chains': [],
        'completed_methods': [],
        'current_method': 'PASSWORD:1',
        'logon_process_id': 'Ww323YxvYv6IVj3J3EaLNlkVM2aoHfLa',
        'msg': 'Process started',
        'status': 'MORE_DATA'
    }
Grab logon_process_id and perform a series of do_logon calls while you keep getting status 'MORE_DATA':
    POST /api/v1/logon/Ww323YxvYv6IVj3J3EaLNlkVM2aoHfLa/do_logon
    {
        'response': 'method-specific dictionary; may be omitted if the method does not require data on the 1st do_logon'
    }
    Return
    {
        # method-specific data such as
        'challenge': {'rounds': 100, 'salt': 'cdf123Dx'},
        'status': 'MORE_DATA'
    }
    POST /api/v1/logon/Ww323YxvYv6IVj3J3EaLNlkVM2aoHfLa/do_logon
    {
        'response': {'answer': 'my-password'}   # method-specific dict in the 'response' field;
                                                # this is the 'response' to the 'challenge' the server sent in the previous do_logon
    }
At some iteration, you get either status=OK or FAILED. 'OK' also gives you information about the logged-in user:
    {
        'chains': [],
        'completed_methods': ['PASSWORD:1'],
        'login_session_id': 'YTxTmMW6RPv051RmeCiyBn7txzE0JoM2',
        'msg': 'Welcome!',
        'repo_id': '703f7c641beb11e48c69000c294fde0e',
        'user_id': '7044631e1beb11e48c69000c294fde0e',
        'user_name': 'LOCAL\user1',
        'event_name': 'Windows logon',
        'event_data_id': 'OSLogon',
        'status': 'OK'
    }
    # example of a FAILED method
    {
        'msg': 'Wrong password',
        'status': 'FAILED'
    }
Grab login_session_id; you will pass it to other services. A 1-N logon does not know the user name before login starts, but now it does.
Chained logon
Depending on the event and the endpoint_session_id (trusted/untrusted endpoint) you receive a list of chains.
A chain defines:
- the list of methods the user must log in with, one by one.
- After login, you can access data of the event by using the 'user_data' service.
The 'NEXT' status says that the current method is complete (OK) and the user must start the next method. Which method to start is up to the user (or the client UI); it depends on which chain the user wants to complete.
Login is completed as soon as any chain is completed.
Chained logon example:
    # optional - read chains
    # GET /api/v1/logon/chains?event=Windows%20logon&is_trusted=true
    # decide what chain to complete and...
    # 1. start 1st method
    POST /api/v1/logon
    { 'method_id': 'SUPER_OTP:1', 'user_name': 'MARIA\director', 'event': 'Windows logon' }
    Return
    {
        'chains': [
            # same list of chains as you GET from /api/v1/logon/chains?event=Windows%20logon
        ],
        'completed_methods': [],
        'current_method': 'SUPER_OTP:1',
        'logon_process_id': 'abc345',
        'msg': 'Process started',
        'status': 'MORE_DATA'
    }
    # Grab logon_process_id (abc345) and...
    # 2. call do_logon
    POST /api/v1/logon/abc345/do_logon
    { 'response': 'some_secret' }
    returns
    { 'status': 'MORE_DATA', 'current_method': 'SUPER_OTP:1', 'completed_methods': [] }
    # 3. continue 1st method (it is a 2-phase method)
    POST /api/v1/logon/abc345/do_logon
    { 'response': 'second_secret' }
    returns
    { 'status': 'NEXT', 'completed_methods': ['SUPER_OTP:1'] }
Status=NEXT means 'SUPER_OTP' is OK and completed_methods contains the method name. You start the next method by POSTing to the same process:
    # 4. start next method
    POST /api/v1/logon/abc345/next
    { 'method_id': 'LDAP_PASSWORD:1' }   # user_name will be the same as before
    # you may pass unit_id and is_1N=true,
    # it will work - but unit_id must be owned by the same user
    returns
    { 'status': 'MORE_DATA', 'current_method': 'LDAP_PASSWORD:1', 'completed_methods': ['SUPER_OTP:1'] }
    # 5. call do_logon, as usual
    POST /api/v1/logon/abc345/do_logon
    { 'response': 'Password1' }
    returns
    {
        'status': 'OK',
        'completed_methods': ['SUPER_OTP:1', 'LDAP_PASSWORD:1'],
        'login_session_id': 'YTxTmMW6RPv051RmeCiyBn7txzE0JoM2',
        'msg': 'Welcome!',
        'repo_id': '703f7c641beb11e48c69000c294fde0e',
        'user_id': '7044631e1beb11e48c69000c294fde0e',
        'user_name': 'MARIA\director',
        'event_name': 'Windows logon',
        'event_data_id': 'OSLogon'
    }
    # The chain is complete! Grab login_session_id!
OK, grab login_session_id and the user info.
Chained logon - wrong password in the middle
Consider a chain with 3 methods; the user completed 2 of them but provided wrong credentials for the 3rd method. In that case:
- The result is NEXT (not FAILED, because FAILED means the end of the process).
- completed_methods still contains the 2 methods.
- Re-start the method by POSTing as usual to /api/v1/logon/abc345/next.
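An added client-side driver for the logon state machine described in the Howto and in the logon sections above (not Aucore's own client code). It assumes a hypothetical transport callable post(path, body) returning (http_status, json_dict) and a hypothetical open_endpoint_session() callback returning a fresh endpoint_session_id, so the OK/MORE_DATA/NEXT/FAILED handling, the mid-chain NEXT retry and the HTTP 433 re-open logic can be exercised offline against a fake server.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical transport: post(path, json_body) -> (http_status, json_dict)
Post = Callable[[str, dict], Tuple[int, dict]]
HTTP_ENDPOINT_SESSION_EXPIRED = 433  # "Special HTTP errors" above


class LogonError(Exception):
    """Protocol violation or unrecoverable HTTP error during logon."""


class LogonClient:
    def __init__(self, post: Post, open_endpoint_session: Callable[[], str]):
        self._post = post
        self._open_endpoint_session = open_endpoint_session
        self.endpoint_session_id = open_endpoint_session()
        self.reopened = 0  # how many times a 433 forced a new endpoint session

    def _call(self, path: str, body: dict) -> dict:
        # endpoint_session_id goes into every logon request. HTTP 433 means the
        # endpoint session expired mid-process: open a new one and resend once.
        for attempt in range(2):
            request = dict(body, endpoint_session_id=self.endpoint_session_id)
            status, data = self._post(path, request)
            if status == HTTP_ENDPOINT_SESSION_EXPIRED and attempt == 0:
                self.endpoint_session_id = self._open_endpoint_session()
                self.reopened += 1
                continue
            if status != 200:
                # Error bodies carry a list of errors; the first description is the useful one.
                errors = data.get("errors") or [{}]
                raise LogonError(f"HTTP {status}: {errors[0].get('description', '')}")
            return data
        raise LogonError("endpoint session expired again right after re-opening it")

    def complete_chain(self, user_name: str, event: str, chain: List[str],
                       answers: Dict[str, List[dict]]) -> Optional[str]:
        """Walk `chain` (method ids in order), feeding each method the 'response'
        dicts queued for it in `answers`. Returns login_session_id on OK, or None
        when the server reports FAILED or the queued answers for a method run out."""
        if not chain:
            raise LogonError("chain must contain at least one method")
        queue = {method: list(answers.get(method, [])) for method in chain}
        remaining = list(chain)
        current = remaining.pop(0)
        data = self._call("/api/v1/logon",
                          {"method_id": current, "user_name": user_name, "event": event})
        process_id = data["logon_process_id"]
        while True:
            status = data.get("status")
            if status == "OK":
                return data["login_session_id"]
            if status == "FAILED":
                return None  # process destroyed; the caller must start a new one
            if status == "MORE_DATA":
                # Server is waiting for the next 'response' of the current method.
                if not queue[current]:
                    raise LogonError(f"no response left to send for {current}")
                data = self._call(f"/api/v1/logon/{process_id}/do_logon",
                                  {"response": queue[current].pop(0)})
                continue
            if status == "NEXT":
                if current in data.get("completed_methods", []):
                    if not remaining:
                        raise LogonError("server asked for NEXT but the chain is complete")
                    current = remaining.pop(0)  # method succeeded: move on
                elif not queue[current]:
                    return None  # wrong credentials mid-chain and no retry left
                # Wrong credentials mid-chain keep completed_methods intact; the
                # same method is re-started with /next, exactly like a new method.
                data = self._call(f"/api/v1/logon/{process_id}/next", {"method_id": current})
                continue
            raise LogonError(f"unexpected status {status!r}")
```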
Create logon process:
Body
{
"method_id": "PASSWORD:1",
"user_name": "LOCAL\USER1",
"event": "NAM",
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u"
}
Body
{
"completed_methods": [],
"chains": [
{
"name": "Authenticators Management - Password",
"position": 1,
"id_hex": "3c927b4a061e11e6b224080027983191",
"apply_for_ep_owner": false,
"required_chain_id_hex": null,
"methods": [
"PASSWORD:1"
],
"short_name": "",
"image_name": "PASSWORD_1.png",
"is_trusted": null,
"is_enabled": true,
"grace_period": null
}
],
"plugins": [],
"event_name": "NAM",
"logon_process_id": "TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS",
"event_data_id": "OSLogon",
"status": "MORE_DATA",
"msgid": "AUCORE-1008",
"current_method": "PASSWORD:1",
"msg": "Process started",
"reason": "PROCESS_STARTED"
}
Body
{
"method_id": "PASSWORD:1",
"event": "NAM",
"is_1N":true,
"unit_id":"test",
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u"
}
Body
{ 'chains': [],
'completed_methods': [],
'current_method': 'PASSWORD:1',
'logon_process_id': 'Ww323YxvYv6IVj3J3EaLNlkVM2aoHfLa',
'msg': 'Process started',
'status': 'MORE_DATA'
}
Create logon process: POST /api/v1/logon
First, you create the login process. For 1N login, you set is_1N to True and pass unit_id. For normal login, you pass user_name. Then use the doLogon method to proceed.
Use one of the following event names as the event parameter:
- Authenticators Management
- EndpointsManagement
- NAM
- NCA
- AdminUI
- Radius Server
- Helpdesk
- Mac OS logon
- Windows logon
- ADFS
- Linux logon
- Report logon
- Helpdesk user
- Search Card
Common Do logon
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"answer": "my-password"
}
}
Body
{
"user_id": "4f34e2882991440ddd0fd515e0d0236c",
"completed_methods": [
"PASSWORD:1"
],
"repo_id": "3c9c1fd8061e11e6b224080027983191",
"status": "OK",
"repo_obj_id": "3caa08a0061e11e6b224080027983191",
"event_data_id": "",
"logon_process_id": "jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9",
"user_name": "LOCAL\ADMIN",
"login_session_id": "TmPxkC98vF4FGhDvqedjXItbmGjVJYTD",
"plugins": [],
"event_name": "",
"chains": [
{
"name": "TEST CHAIN",
"position": 1000,
"id_hex": null,
"apply_for_ep_owner": false,
"required_chain_id_hex": null,
"methods": [
"ANY"
],
"short_name": "",
"image_name": "ANY.png",
"is_trusted": null,
"is_enabled": true,
"grace_period": null
}
],
"current_method": "PASSWORD:1",
"msgid": "AUCORE-2001",
"msg": "Welcome!",
"data_id": ""
}
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"answer": "my-incorrect-password"
}
}
Body
{
"completed_methods": [],
"chains": [
{
"name": "TEST CHAIN",
"position": 1000,
"id_hex": null,
"apply_for_ep_owner": false,
"required_chain_id_hex": null,
"methods": [
"ANY"
],
"short_name": "",
"image_name": "ANY.png",
"is_trusted": null,
"is_enabled": true,
"grace_period": null
}
],
"plugins": [],
"event_name": "",
"logon_process_id": "TaEXATdeJmyzhYlEKDwBKCUqzMW0YdtT",
"event_data_id": "",
"status": "FAILED",
"msgid": "AUCORE-2007",
"current_method": "PASSWORD:1",
"msg": "Wrong password",
"reason": "PASSWORD_WRONG"
}
Common Do logon: POST /api/v1/logon/{logon_process_id}/do_logon
Grab logon_process_id and perform a series of do_logon calls while you keep getting status 'MORE_DATA'.
The doLogon response can contain status OK, FAILED, MORE_DATA or NEXT:
OK - you are successfully logged in to the event.
FAILED - the logon attempt was unsuccessful.
NEXT - the current method is done and the service is waiting for the next method. To start the next method use the next call below (Continue logon for multiple step logon). Then call do_logon as usual.
MORE_DATA - the service is waiting for data.
At some iteration, you get either status=OK or FAILED.
'OK' also gives you information about the logged-in user. Grab login_session_id; you will pass it to other services.
Details about the data and steps for specific methods are described separately.
- logon_process_id (32 symbol id, required): ID of the logon process. Example: TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS
Continue logon for multiple step logon
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"method_id": "HOTP:1"
}
Body
{
"event_name": "",
"completed_methods": [
"PASSWORD:1"
],
"msg": "Process started",
"chains": [
{
"required_chain_id_hex": null,
"short_name": "",
"position": 0,
"apply_for_ep_owner": false,
"id_hex": "e5c25e240a2411e68f20080027983191",
"methods": [
"PASSWORD:1",
"HOTP:1"
],
"is_enabled": true,
"is_trusted": null,
"grace_period": null,
"name": "test",
"image_name": "default"
}
],
"current_method": "HOTP:1",
"plugins": [],
"msgid": "AUCORE-1008",
"reason": "PROCESS_STARTED",
"status": "MORE_DATA",
"event_data_id": "",
"logon_process_id": "TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS"
}
Continue logon for multiple step logon: POST /api/v1/logon/{logon_process_id}/next
For example: after a successful PASSWORD:1 logon, start HOTP:1 as in the request body above.
- logon_process_id (32 symbol id, required): ID of the logon process. Example: TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS
Read available chains:
Body
{
"chains": [
{
"name": "Admin Password",
"position": 0,
"id_hex": "3c8c306e061e11e6b224080027983191",
"apply_for_ep_owner": false,
"required_chain_id_hex": null,
"methods": [
"PASSWORD:1"
],
"short_name": "",
"image_name": "PASSWORD_1.png",
"is_trusted": null,
"is_enabled": true,
"grace_period": null,
"mfa_tags": []
},
{
"name": "Authenticators Management - Password",
"position": 2,
"id_hex": "3c927b4a061e11e6b224080027983191",
"apply_for_ep_owner": false,
"required_chain_id_hex": null,
"methods": [
"PASSWORD:1"
],
"short_name": "",
"image_name": "PASSWORD_1.png",
"is_trusted": null,
"is_enabled": true,
"grace_period": null,
"mfa_tags": []
}
],
"user_is_locked": false
}
Read available chains: GET /api/v1/logon/chains?user_name={user_name}&is_trusted={is_trusted}&event={event}&endpoint_session_id={endpoint_session_id}
is_trusted can be 1, 0, "True", "False" or omitted (False).
If you omit 'is_trusted' in your query, the service does not filter and returns both trusted and untrusted chains.
If you omit 'user_name', the service does not filter and returns all chains configured for the given event/is_trusted.
If you provide the 'user_name' of a user that isn't yet registered in aucore (such as a new LDAP user), the service returns only chains made of methods that do not require enrollment.
"user_is_locked" is returned if you specify user_name; use it to immediately show an error and not ask for user credentials / chain selection.
- is_trusted (boolean, required): show only trusted chains or not (1, 0, "True", "False"). Example: 1
- user_name (string, required): username. Example: LOCAL\USER1
- event (string, required): event's name. Example: NAM
- endpoint_session_id (32 symbol id, required): ID of the endpoint session. Example: f1be127607dc11e69bae080027983191
Destroy logon process: DELETE /api/v1/logon/{logon_process_id}?endpoint_session_id={endpoint_session_id}
- logon_process_id (string, required): ID of the logon process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
- endpoint_session_id (32 symbol id, required): ID of the endpoint session. Example: f1be127607dc11e69bae080027983191
Authenticate by basic authentication header:
Headers
Authorization: Basic <base64 of credentials>
Headers
Location: /account
Authenticate by basic authentication header: GET /account/basic
Credentials format:
login:method_name:password
Examples:
- Authorization: {base64 of REPO\user1:LDAP_PASSWORD:1:user1_password}
- Authorization: {base64 of TENANT\REPO\user1:HOTP:1:user1_password}
- Authorization: {base64 of user1:HOTP:1:user1_password}
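An added example (not the page's own code) for the login:method_name:password credential format used by GET /account/basic. Method ids such as HOTP:1 contain a colon themselves, so the parser splits a fixed number of fields from the left and leaves any colons inside the password intact; the function names are this example's own.

```python
import base64
from typing import Tuple


def build_basic_header(login: str, method_id: str, password: str) -> str:
    """Authorization header value for login:method_name:password.

    method_id is a method key such as 'HOTP:1' (NAME:N). The login may contain
    backslashes (REPO\\user1, TENANT\\REPO\\user1) but not a colon, otherwise the
    receiver could not tell where the login ends.
    """
    name, _, number = method_id.partition(":")
    if not name or not number.isdigit():
        raise ValueError("method_id must look like NAME:N, e.g. HOTP:1")
    if ":" in login:
        raise ValueError("login must not contain ':'")
    raw = f"{login}:{method_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str) -> Tuple[str, str, str]:
    """Return (login, method_id, password) from an Authorization header value.

    Splitting with maxsplit=3 yields login, method name, method number and the
    rest; the rest is the password, so a password containing ':' survives.
    """
    scheme, _, payload = header.strip().partition(" ")
    if scheme != "Basic" or not payload:
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    parts = decoded.split(":", 3)
    if len(parts) != 4 or not parts[1] or not parts[2].isdigit():
        raise ValueError("credentials must be login:method_name:password")
    login, name, number, password = parts
    return login, f"{name}:{number}", password
```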
Login sessions
Manage login sessions. Requires endpoint_session_id.
Session lifetime (TTL): expires after 20 min of inactivity, max lifetime 1440 min. It may change without notice. Please handle the 434/433 HTTP codes to re-open the session on the fly and re-send the request.
Read information about login session:
Body
{
"user_id": "4f34e2882991440ddd0fd515e0d0236c",
"user_name": "LOCAL\ADMIN",
"sid": "GKWrJUBaeBA20KHzHAcmzihNrOgdXooh",
"repo_id": "3c9c1fd8061e11e6b224080027983191",
"repo_obj_id": "3caa08a0061e11e6b224080027983191",
"event_name": "",
"data_id": "",
"chain_id": "3cab08a0061e11e6b224080027983191"
}
Read information about login session: GET /api/v1/logon/sessions/{login_session_id}?endpoint_session_id={endpoint_session_id}
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
- endpoint_session_id (32 symbol id, required): ID of the endpoint session. Example: f1be127607dc11e69bae080027983191
Delete login session: DELETE /api/v1/logon/sessions/{login_session_id}?endpoint_session_id={endpoint_session_id}
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
- endpoint_session_id (32 symbol id, required): ID of the endpoint session. Example: f1be127607dc11e69bae080027983191
Enroll
The service for creating authentication templates (enroll). Requires login_session_id. Any user may start an enroll process.
When the process is finished, you create a template from the process result by using the 'user_template' service. Until then, the process result lives on the server for some time. An admin may assign a process result to any user. A user may assign a process result to himself. It is possible that user1 created the process, told the enroll_process_id to user2, and user2 assigns it to himself.
Enroll procedure:
- Start the enroll process, grab enroll_process_id.
- Series of do_enroll calls. The client software sends a 'response' to the server until it replies 'OK' or 'FAILED'.
- POST/PUT enroll_process_id and user_id to the 'user_templates' service.
Start enroll process:
Body
{
"method_id": "HOTP:1",
//login method to create authentication template for
"login_session_id":"B3XBHzwAHuPfHwMHfSjf3eVdV3glCa0o"
}
Body
{
"enroll_process_id": "JfgSCsAr89tR3tu92mKV3MWy4LWSmroU"
}
Start enroll process: POST /api/v1/enroll
Returns enroll_process_id. Use it in the do_enroll method.
Common Do enroll:
Body
{
"login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
"response": {
"secret": "0000000000000100",
"counter": 10
}
}
Body
{
"reason": "",
"method_id": "HOTP:1",
"status": "OK",
"msg": ""
}
Body
{
"login_session_id":"rBT79CAz8AWh1o920OrHumx32iaToCU9",
"response":{
"password":"0000000000000100",
}
}
Body
{
"status": "FAILED",
"msgid": "AUCORE-3028",
"reason": "",
"msg": "Secret and counter required"
}
Common Do enroll: POST /api/v1/enroll/{enroll_process_id}/do_enroll
Grab enroll_process_id and perform a series of do_enroll calls while you keep getting status 'MORE_DATA'.
When you get 'status'='OK', the enroll process is finished. Now you want to create a template from the process result and link it to a user. POST/PUT enroll_process_id and user_id to the 'user_templates' service. It will create the authentication template and destroy the waiting enroll process. The user will become the template owner.
Details about the data and steps for specific methods are described separately.
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Destroy pending/waiting process: DELETE /api/v1/enroll/{enroll_process_id}?login_session_id={login_session_id}
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
- login_session_id (string, required): ID of the login session. Example: LRvql8GD946V7ryN8fesWBLhN1I7dpEe
Policies
Read object policies. Requires login_session_id.
No writes. Setting policies is the task of the admin UI.
Policies are defined per component. "Component policies" is a dictionary of values. A value is any JSON-serializable object, possibly a nested dict:
{ "component_id": { "policy1": value, "policy2": value } }
The service returns effective policies. Effective means the default component policies overridden by object-specific policies.
Read effective policies of user:
Body
{
"policy": {
"LoginOptions": {
"component_id": "LoginOptions",
"data": {
"default_repos": [
"LOCAL"
],
"nondefault_repos": []
}
},
"HelpdeskOptions": {
"component_id": "HelpdeskOptions",
"data": {
"require_user_credentials": false
}
}
}
}
Read effective policies of user: GET /api/v1/users/{user_id}/effective_policy?login_session_id={login_session_id}
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Read info about specific component of effective user policy:
Body
{
"policy": {
"component_id": "TOTPMethod",
"data": {
"otp_window": 4,
"otp_format": "dec6",
"otp_period": 30,
"use_key_uri_format_qr": false
}
}
}
Read info about specific component of effective user policy: GET /api/v1/users/{user_id}/effective_policy/{component}?login_session_id={login_session_id}
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
- component (string, required): Component name. Example: TOTPMethod
Read effective policies of endpoint:
Body
{
"policy": {
"LoginOptions": {
"component_id": "LoginOptions",
"data": {
"default_repos": [
"LOCAL"
],
"nondefault_repos": []
}
},
"HelpdeskOptions": {
"component_id": "HelpdeskOptions",
"data": {
"require_user_credentials": false
}
}
}
}
Read effective policies of endpoint: GET /api/v1/endpoints/{endpoint_id}/effective_policy?endpoint_session_id={endpoint_session_id}
Note: returns default policies (not effective).
- endpoint_id (string, required): ID of the endpoint. Example: 4f34e2882991440ddd0fd515e0d0236c
- endpoint_session_id (string, required): ID of the endpoint session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Read info about specific component of endpoint effective policy:
Body
{
"policy": {
"component_id": "TOTPMethod",
"data": {
"otp_window": 4,
"otp_format": "dec6",
"otp_period": 30,
"use_key_uri_format_qr": false
}
}
}
Read info about specific component of endpoint effective policy: GET /api/v1/endpoints/{endpoint_id}/effective_policy/{component}?endpoint_session_id={endpoint_session_id}
Note: returns default policies (not effective).
- endpoint_id (string, required): ID of the endpoint. Example: 4f34e2882991440ddd0fd515e0d0236c
- endpoint_session_id (string, required): ID of the endpoint session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
- component (string, required): Component name. Example: TOTPMethod
User data
Access to the data of the user.
Requires the login_session_id of the user or of an admin.
Data is defined per event. You may access only the data of the event you are logged in to. The event defines the accessible data_id. Several events may share a data_id. By default data_id = Event.name.upper().
Data permissions
- Restricted records: admin and user can read, but only admin can write (restricted write)
- Sensitive records: admin and user can write, but only user can read (restricted read)
Read all records of OSLogon data:
Body
{
"data": {
"field3": {
"inner": "dict",
"is": {
"possible": "at",
"any": "level"
}
},
"field1": "new_value"
}
}
Read all records of OSLogon data: GET /api/v1/users/{user_id}/data/OSLogon?login_session_id={login_session_id}
Read data. Data consists of records. You may read all records or a specific one. Add login_session_id as a query-string parameter.
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
- login_session_id (string, required): ID of the login session. Example: rBT79CAz8AWh1o920OrHumx32iaToCU9
Delete all records of OSLogon data:
Body
null
Delete all records of OSLogon data: DELETE /api/v1/users/{user_id}/data/OSLogon?login_session_id={login_session_id}
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
- login_session_id (string, required): ID of the login session. Example: rBT79CAz8AWh1o920OrHumx32iaToCU9
Delete password record only:
Body
null
Delete password record only: DELETE /api/v1/users/{user_id}/data/OSLogon/password?login_session_id={login_session_id}
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
- login_session_id (string, required): ID of the login session. Example: rBT79CAz8AWh1o920OrHumx32iaToCU9
Modify data:
Body
{
"login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
"data": {
"field1": "a value"
}
}
Body
null
Body
{
"login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
"data": {
"field1": "new_value",
"field2": null,
"field3": {
"inner": "dict",
"is": {
"possible": "at",
"any": "level"
}
}
}
}
Body
null
Body
{
"login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
"data": {
"field3": {
"sub-record": "is added"
}
}
}
Body
null
Modify data: PATCH /api/v1/users/{user_id}/data/OSLogon
Create/modify record field1 for OSLogon data (first request example above). The login_session_id is passed in the request body.
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
Delete user:
Body
{}
Delete user: POST /api/v1/users/{user_id}/delete?login_session_id={login_session_id}
- clears all templates
- clears any stored passwords
- clears any other user-specific data
- a user can delete only itself; access to another user is not allowed
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
- login_session_id (string, required): ID of the login session. Example: rBT79CAz8AWh1o920OrHumx32iaToCU9
User templates
Access to the user's authentication templates. Requires the login_session_id of the user or of an admin.
List of user's linked templates:
Body
{
"templates": [
{
"id": "3cb97b50061e11e6b224080027983191",
"method_id": "PASSWORD:1",
"method_title": "Password",
"is_enrolled": true,
"comment": ""
},
{
"id": "83523194b70919672b1157bc929ed67a",
"method_id": "CARD:1",
"method_title": "Card",
"is_enrolled": true,
"comment": ""
},
{
"id": "ff3f4e84203e6d7f56a0013074237071",
"method_id": "SECQUEST:1",
"method_title": "Security questions",
"is_enrolled": true,
"comment": ""
},
{
"id": "5194c010d968811da4ff47f843a3245e",
"method_id": "HOTP:1",
"method_title": "HOTP",
"is_enrolled": true,
"comment": ""
}
]
}
List of user's linked templates: GET /api/v1/users/{user_id}/templates?login_session_id={login_session_id}
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Create template, fill it from enroll session and link to user:
Body
{
"login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
"enroll_process_id": "rlV6pSKXT4e0Ueq9hEXreL1ubkAdNYz2",
"category_id": "hex or empty",
"comment": "this is my comment"
}
Body
{
"auth_t_id": "3978beae0a3f11e68f20080027983191"
}
Create template, fill it from enroll session and link to user: POST /api/v1/users/{user_id}/templates
The user becomes the owner of the created template. The enrolled session is destroyed (there is no way to create 2 templates from the same enroll session).
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
Create template without data and link to the user:
Body
{
"login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe",
"method_id": "EMAIL_OTP:1",
"category_id": "hex or empty",
"comment": "this is my comment",
"unit_id": "xxx"
}
unit_id is optional.
Body
{
"auth_t_id": "b94292c20a3f11e68f20080027983191"
}
Create template without data and link to the user: POST /api/v1/users/{user_id}/templates
The template is not an enrolled template; it should be filled later by PUT.
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
Link existing template to user:
Body
{
"auth_t_id": "3cb97b50061e11e6b224080027983191",
"login_session_id": "LRvql8GD946V7ryN8fesWBLhN1I7dpEe"
}
Body
{
"auth_t_id": "3cb97b50061e11e6b224080027983191"
}
Link existing template to user: POST /api/v1/users/{user_id}/templates
The passed login_session_id must belong to an admin. After that operation the user may log in with the linked template owned by some other user, but the user can't change it.
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
Fill auth template from enroll session and/or change comment:
Body
{
"login_session_id": "JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX",
"comment": "my new comment"
}
Body
null
Body
{
"login_session_id": "JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX",
"enroll_process_id": "hex",
"comment": "12345"
}
Body
null
Fill auth template from enroll session and/or change comment: PUT /api/v1/users/{user_id}/templates/{auth_t_id}
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
- auth_t_id (string, required): ID of the template. Example: 83523194b70919672b1157bc929ed67a
Unlink user and template:
Body
null
Unlink user and template: DELETE /api/v1/users/{user_id}/templates/{auth_t_id}?login_session_id={login_session_id}
The template is deleted if the login_session_id is the template owner's; otherwise it remains in the database. A template may become an orphan when an admin unlinks it and it is no longer linked to any user.
- user_id (string, required): ID of the user. Example: 4f34e2882991440ddd0fd515e0d0236c
- auth_t_id (string, required): ID of the template. Example: 83523194b70919672b1157bc929ed67a
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Categories of templates
Read authenticator categories. Requires the login_session_id of any user authenticated to any event.
Read categories:
Body
{
"categories": [
{
"id": "d3ad2dd0dca211e68604000c29ecee77",
"name": "CAT1",
"desc": "category one"
},
{
"id": "d3ad3528dca211e68604000c29ecee77",
"name": "VAR",
"desc": "bar"
}
]
}
Read categories: GET /api/v1/categories?login_session_id={login_session_id}
- login_session_id (string, required): ID of the login session. Example: B3XBHzwAHuPfHwMHfSjf3eVdV3glCa0o
Users
User lookup by name, list of users.
Requires login_session_id. The logged-in user must be a member of FULL ADMINS or ENROLL ADMINS.
User lookup by given user name:
Body
{
"obj_id": "3caa08a0061e11e6b224080027983191",
"user_name": "LOCAL\\ADMIN",
"last_fail_at": null,
"repo_id": "3c9c1fd8061e11e6b224080027983191",
"repo_name": "LOCAL",
"id": "4f34e2882991440ddd0fd515e0d0236c",
"loginame": "ADMIN"
}
User lookup by given user name: GET /api/v1/users?user_name={user_name}&login_session_id={login_session_id}
- user_name (string, required): User name. Example: LOCAL\ADMIN
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
List of users:
Body
{
"repo": {"id": "18cfb964dc2111e69288000c29ecee77", "name": "FOO"},
"tenant": "TOP",
"users": [
{"id": "1897e91881407b0183bb2e6870d117ba", "name": "admin", "sid": "S-1-5-21-3303523795-413055529-2892985274-1104"},
{"id": "221bbf7ac0dab7ccd25821f53f4276e0", "name": "Administrator", "sid": "S-1-5-21-3303523795-413055529-2892985274-500"}
]
}
List of users: GET /api/v1/users?repo_name={repo_name}&page={page}&login_session_id={login_session_id}
LOCAL repo: all local users. LDAP repo: users listed in the server database, i.e. those who tried to authenticate at least once.
- repo_name (string, optional): Example: BAZZ
- repo_id (hex, required): Either repo id or name is required. Example: fc73edbbc04048b79edc68521485c518
- page (int, optional): Page number, starts with 0. Page size is 50000. Result is unsorted. Example: 0
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Events
Events manager REST API. Requires login_session_id. The logged-in user must be a member of FULL ADMINS or ENROLL ADMINS.
List of events:
Body
{
"events": [
{
"type": "Generic",
"endpoints": [],
"chains": [
{
"short_name": "",
"is_enabled": true,
"methods": [
"ANY"
],
"is_trusted": null,
"is_image_custom": false,
"grace_period": null,
"name": "Test-chain",
"id": "4c9f4524608911e7ae720800276d2239",
"apply_for_ep_owner": false,
"image_name": "ANY.png",
"required_chain_id": null,
"forced": false
}
],
"is_enabled": true,
"json_data": {},
"is_standard": false,
"is_geo_fencing_enabled": false,
"category_id": null,
"geo_zones": [],
"id": "4c9e8508608911e7ae720800276d2239",
"name": "TEST",
"forced": false
}
]
}
List of events: GET /api/v1/events?login_session_id={login_session_id}
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Create event:
Body
{
"name": "Hello, world!",
"type": "Hello, world!",
"is_enabled": true,
"is_geo_fencing_enabled": true,
"category_id": "Hello, world!",
"geo_zones": [],
"chains": [],
"endpoints": []
}
Schema
{
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "event name"
},
"type": {
"type": "string",
"description": "type of event, one of [\"Generic\",\"OSLogon\",\"PasswordStore\",\"OAuth2\", \"SAML2\"]"
},
"is_enabled": {
"type": "boolean",
"description": "is event enabled"
},
"is_geo_fencing_enabled": {
"type": "boolean",
"description": "is geo fencing enabled"
},
"category_id": {
"type": "string",
"description": "category id"
},
"geo_zones": {
"type": "array",
"description": "list of geo zones"
},
"chains": {
"type": "array",
"description": "list of chains"
},
"endpoints": {
"type": "array",
"description": "list of endpoints"
}
},
"$schema": "http://json-schema.org/draft-04/schema#"
}
Body
{
"forced": false,
"type": "Generic",
"endpoints": [
{
"is_local": false,
"device_id": "",
"software_type": "",
"name": "TEST_ENDPOINT",
"desc": "",
"typ": null,
"owner": null,
"is_trusted": false,
"is_enabled": true,
"id": "56ff565c608a11e7afe10800276d2239"
}
],
"is_standard": false,
"is_enabled": false,
"category_id": null,
"is_geo_fencing_enabled": false,
"name": "TEST_EVENT2",
"chains": [
{
"apply_for_ep_owner": false,
"image_name": "default",
"required_chain_id": null,
"is_enabled": true,
"forced": false,
"name": "chain",
"grace_period": null,
"short_name": "",
"id": "56ff8384608a11e7afe10800276d2239",
"is_image_custom": false,
"methods": [
"OTP:1",
"PASSWORD:1"
],
"is_trusted": null
}
],
"json_data": {},
"geo_zones": [],
"id": "59704798608a11e7afe10800276d2239"
}
Create event: POST /api/v1/events?login_session_id={login_session_id}
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Get event by event id:
Body
{
"type": "Generic",
"endpoints": [],
"chains": [
{
"short_name": "",
"is_enabled": true,
"methods": [
"ANY"
],
"is_trusted": null,
"is_image_custom": false,
"grace_period": null,
"name": "Test-chain",
"id": "4c9f4524608911e7ae720800276d2239",
"apply_for_ep_owner": false,
"image_name": "ANY.png",
"required_chain_id": null,
"forced": false
}
],
"is_enabled": true,
"json_data": {},
"is_standard": false,
"is_geo_fencing_enabled": false,
"category_id": null,
"geo_zones": [],
"id": "4c9e8508608911e7ae720800276d2239",
"name": "TEST",
"forced": false
}
Get event by event id: GET /api/v1/events/{event_id}?login_session_id={login_session_id}
- event_id (string, required): ID of the event. Example: 59704798608a11e7afe10800276d2239
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Update event:
Body
{
"name": "Hello, world!",
"type": "Hello, world!",
"is_enabled": true,
"is_geo_fencing_enabled": true,
"category_id": "Hello, world!",
"geo_zones": [],
"chains": [],
"endpoints": []
}
Schema
{
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "event name"
},
"type": {
"type": "string",
"description": "type of event, one of [\"Generic\",\"OSLogon\",\"PasswordStore\",\"OAuth2\", \"SAML2\"]"
},
"is_enabled": {
"type": "boolean",
"description": "is event enabled"
},
"is_geo_fencing_enabled": {
"type": "boolean",
"description": "is geo fencing enabled"
},
"category_id": {
"type": "string",
"description": "category id"
},
"geo_zones": {
"type": "array",
"description": "list of geo zones"
},
"chains": {
"type": "array",
"description": "list of chains"
},
"endpoints": {
"type": "array",
"description": "list of endpoints"
}
},
"$schema": "http://json-schema.org/draft-04/schema#"
}
Body
{
"is_geo_fencing_enabled": false,
"forced": false,
"type": "Generic",
"json_data": {},
"id": "a131020c608a11e7a1810800276d2239",
"geo_zones": [],
"chains": [],
"category_id": null,
"is_enabled": false,
"name": "TEST2",
"is_standard": false,
"endpoints": [
{
"is_local": false,
"software_type": "",
"is_trusted": false,
"desc": "",
"typ": null,
"is_enabled": true,
"device_id": "",
"name": "TEST_ENDPOINT",
"owner": null,
"id": "a135281e608a11e7a1810800276d2239"
}
]
}
Update event: PUT /api/v1/events/{event_id}?login_session_id={login_session_id}
- event_id (string, required): ID of the event. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Delete event:
Delete event: DELETE /api/v1/events/{event_id}?login_session_id={login_session_id}
- event_id (string, required): ID of the event. Example: 59704798608a11e7afe10800276d2239
- login_session_id (string, required): ID of the login session. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Body
{
"login_session_id": "B3XBHzwAHuPfHwMHfSjf3eVdV3glCa0o"
}
Body
{
"server_id": null,
"cookie_value": "300e82d5d1f31108cd064155728c1dda"
}
Body
{
"user_id": "4f34e2882991440ddd0fd515e0d0236c",
"user_name": "LOCAL\\ADMIN",
"sid": "GKWrJUBaeBA20KHzHAcmzihNrOgdXooh",
"repo_id": "3c9c1fd8061e11e6b224080027983191",
"repo_obj_id": "3caa08a0061e11e6b224080027983191",
"event_name": "",
"data_id": ""
}
Body
{
"login_session_data": "296e9f9d8c19d7f9f....2a674855e3f574cb9e272bf68"
}
Chain image
Provides chain images. This API is not restricted by endpoint/logon session.
Load chain image:
Load chain image: GET /api/v1/chain_image/{image_name}
Do not worry about image cache invalidation; it is possible to cache forever. When an admin uploads a new image for the chain, 'chain.image_name' changes.
Returns:
A PNG file with the appropriate content-type and cache settings. You may use it in the src attribute of an HTML image.
Returns the default image if image_name is default.
- image_name (string, required): value of chain.image_name. Example: 4f34e2882991440ddd0fd515e0d0236c
Status
Read server status and version. Requires endpoint_session_id to read the version.
Get server status and version:
Body
{
"status": "OK",
"multitenancy_mode": false,
"version": "5.4"
}
Get server status and version: GET /api/v1/status
External monitors may check this URL as a health indicator. It does not check that the database is up or the status of the license; it checks that the server is reachable and the web service is running.
Read exact server version, check license, FIPS mode state and system stats:
Body
{
"endpoint_session_id": "PefYcnXk8QnqtYxXoaZjKES4pVrLaKzI",
"login_session_id": "IxJq1C5Gt6VxGeF65YjKl5R99Q70Lf9H",
"tenant_name": "TOP"
}
All three request fields are optional.
Body
{
"status": "OK/NO_LICENSE",
"multitenancy_mode": false,
"fips_mode": false,
"version": "5.4-108",
"stats": {
"mem": {
"free": 961,
"total": 2013,
"usage": 52
},
"disk": {
"free": 4437,
"used": 2856,
"reserved": 234,
"usage": 40
},
"cpu": {
"usage": 4
}
}
}
Read exact server version, check license, FIPS mode state and system stats: POST /api/v1/status
- Returns HTTP code 200 only in case everything is OK.
- Checks the license of tenant_name ("TOP" by default).
- Returns HTTP code 555 if NO_LICENSE.
- Returns the exact version number.
- Returns system stats if an admin's login_session_id is provided.
- External monitors may check this URL as a health indicator.
- No endpoint session in the request: no exact version, the license is still checked.
- No admin login session in the request: no system stats.
- All sizes in stats are in megabytes.
Logon by Basic Auth to /account
Provides basic authentication.
Authenticate by basic authentication header:
Headers
Authorization: Basic <base64 of credentials>
Headers
Location: /account
Authenticate by basic authentication header: GET /account/basic
Credentials format:
login:method_name:password
Examples:
- Authorization: Basic {base64 of REPO\user1:LDAP_PASSWORD:1:user1_password}
- Authorization: Basic {base64 of TENANT\REPO\user1:HOTP:1:user1_password}
- Authorization: Basic {base64 of user1:HOTP:1:user1_password}
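As an added example (not code from this API doc or its product), the following Python builds and parses the Authorization value for GET /account/basic. The method key itself contains a colon (HOTP:1), so a correct parser splits the decoded string into at most four fields and keeps any further colons inside the password; the upper-case NAME:n shape of method keys is assumed from the method table, and the tenant/repo handling follows the three example forms above.

```python
import base64
import re
from typing import NamedTuple, Optional

# Method keys on this page look like NAME:1 (LDAP_PASSWORD:1, HOTP:1, SMS_OTP:1);
# the upper-case/underscore shape is an assumption drawn from the method table.
METHOD_ID_RE = re.compile(r"^[A-Z][A-Z0-9_]*:[0-9]+$")


class BasicCredentials(NamedTuple):
    tenant: Optional[str]   # set for the TENANT\REPO\user1 form
    repo: Optional[str]     # set for the REPO\user1 and TENANT\REPO\user1 forms
    login: str
    method_id: str          # e.g. "HOTP:1"
    password: str           # may itself contain ':'


def encode_basic(raw: str) -> str:
    """Wrap an already-formatted login:method_name:password string as a header value."""
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def build_basic_header(login: str, method_id: str, password: str) -> str:
    """Client side: produce the Authorization value for GET /account/basic."""
    if ":" in login:
        raise ValueError("login may not contain ':'")
    if not METHOD_ID_RE.match(method_id):
        raise ValueError(f"bad method id {method_id!r}")
    return encode_basic(f"{login}:{method_id}:{password}")


def parse_basic_header(header: str) -> BasicCredentials:
    """Server side: split the decoded string into its parts. The method key
    contains a colon (HOTP:1), so split into at most four fields:
    login, method name, method version, and the password remainder."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    parts = raw.split(":", 3)
    if len(parts) != 4:
        raise ValueError("expected login:method_name:password")
    login, name, version, password = parts
    method_id = f"{name}:{version}"
    if not METHOD_ID_RE.match(method_id):
        raise ValueError(f"bad method id {method_id!r}")
    # login may be user1, REPO\user1 or TENANT\REPO\user1
    segs = login.split("\\")
    if len(segs) == 1:
        tenant, repo, user = None, None, segs[0]
    elif len(segs) == 2:
        tenant, repo, user = None, segs[0], segs[1]
    elif len(segs) == 3:
        tenant, repo, user = segs[0], segs[1], segs[2]
    else:
        raise ValueError("login has too many '\\' separators")
    if not all(segs):
        raise ValueError("empty login component")
    return BasicCredentials(tenant, repo, user, method_id, password)


def is_valid_basic_header(header: str) -> bool:
    """Convenience predicate: True when parse_basic_header accepts the header."""
    try:
        parse_basic_header(header)
        return True
    except (ValueError, UnicodeDecodeError):
        return False
```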
Methods
Do PASSWORD:1 enroll:
Body
{
"login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
"response": {
"password": "super_password"
}
}
Body
{
"reason": "",
"method_id": "PASSWORD:1",
"status": "OK",
"msg": ""
}
Do PASSWORD:1 enroll: POST /api/v1/enroll/{enroll_process_id}/do_enroll
PASSWORD:1 enroll steps:
- Send a request with the password to do_enroll and check the status
Error reasons:
- PASSWORD_BAD_CONFIRMATION
- PASSWORD_EMPTY
- PASSWORD_UNCHANGED
- PASSWORD_TOO_SHORT
- PASSWORD_TOO_SIMPLE
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do PASSWORD:1 logon:
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"answer": "my-password"
}
}
Body
{
"user_id": "4f34e2882991440ddd0fd515e0d0236c",
"completed_methods": [
"PASSWORD:1"
],
"repo_id": "3c9c1fd8061e11e6b224080027983191",
"status": "OK",
"repo_obj_id": "3caa08a0061e11e6b224080027983191",
"event_data_id": "",
"logon_process_id": "jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9",
"user_name": "LOCAL\\ADMIN",
"login_session_id": "TmPxkC98vF4FGhDvqedjXItbmGjVJYTD",
"plugins": [],
"event_name": "",
"chains": [
{
"name": "TEST CHAIN",
"position": 1000,
"id_hex": null,
"apply_for_ep_owner": false,
"required_chain_id_hex": null,
"methods": [
"ANY"
],
"short_name": "",
"image_name": "ANY.png",
"is_trusted": null,
"is_enabled": true,
"grace_period": null
}
],
"current_method": "PASSWORD:1",
"msgid": "AUCORE-2001",
"msg": "Welcome!",
"data_id": ""
}
Do PASSWORD:1 logon: POST /api/v1/logon/{logon_process_id}/do_logon
PASSWORD:1 logon steps:
- Send the password to do_logon and check the status
Error reasons:
- PASSWORD_UNDEFINED
- PASSWORD_WRONG
- PASSWORD_EXPIRED
- logon_process_id (32-symbol id, required): ID of the logon process. Example: TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS
Do EMERG_PASSWORD:1 enroll:
Body
{
"login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
"response": {
"password": "emerg_password"
}
}
Body
{
"reason": "",
"method_id": "EMERG_PASSWORD:1",
"status": "OK",
"msg": ""
}
Do EMERG_PASSWORD:1 enroll: POST /api/v1/enroll/{enroll_process_id}/do_enroll
EMERG_PASSWORD:1 enroll steps:
- Send a request with the password to do_enroll and check the status
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do EMERG_PASSWORD:1 logon:
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"answer": "my-emergency-password"
}
}
Body
{
"user_id": "4f34e2882991440ddd0fd515e0d0236c",
"completed_methods": [
"EMERG_PASSWORD:1"
],
"repo_id": "3c9c1fd8061e11e6b224080027983191",
"status": "OK",
"repo_obj_id": "3caa08a0061e11e6b224080027983191",
"event_data_id": "",
"logon_process_id": "jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9",
"user_name": "LOCAL\\ADMIN",
"login_session_id": "TmPxkC98vF4FGhDvqedjXItbmGjVJYTD",
"plugins": [],
"event_name": "",
"chains": [
{
"name": "TEST CHAIN",
"position": 1000,
"id_hex": null,
"apply_for_ep_owner": false,
"required_chain_id_hex": null,
"methods": [
"ANY"
],
"short_name": "",
"image_name": "ANY.png",
"is_trusted": null,
"is_enabled": true,
"grace_period": null
}
],
"current_method": "EMERG_PASSWORD:1",
"msgid": "AUCORE-2001",
"msg": "Welcome!",
"data_id": ""
}
Do EMERG_PASSWORD:1 logon: POST /api/v1/logon/{logon_process_id}/do_logon
EMERG_PASSWORD:1 logon steps:
- Send the password to do_logon and check the status
Error reasons:
- EMERG_PASSWORD_EXPIRED
- EMERG_PASSWORD_INEFFECTIVE
- EMERG_PASSWORD_EXHAUSTED
- logon_process_id (32-symbol id, required): ID of the logon process. Example: TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS
Do LDAP_PASSWORD:1 enroll:
Body
{
"login_session_id": "IxJq1C5Gt6VxGeF65YjKl5R99Q70Lf9H"
}
Body
{
"reason": "",
"method_id": "LDAP_PASSWORD:1",
"status": "OK",
"msg": ""
}
Do LDAP_PASSWORD:1 enroll: POST /api/v1/enroll/{enroll_process_id}/do_enroll
LDAP_PASSWORD:1 enroll steps:
- Send an empty request to do_enroll and check the status
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do LDAP_PASSWORD:1 logon:
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"answer": "my-ldap-password"
}
}
Body
{
"user_id": "4f34e2882991440ddd0fd515e0d0236c",
"completed_methods": [
"LDAP_PASSWORD:1"
],
"repo_id": "3c9c1fd8061e11e6b224080027983191",
"status": "OK",
"repo_obj_id": "3caa08a0061e11e6b224080027983191",
"event_data_id": "",
"logon_process_id": "jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9",
"user_name": "LOCAL\\ADMIN",
"login_session_id": "TmPxkC98vF4FGhDvqedjXItbmGjVJYTD",
"plugins": [],
"event_name": "",
"chains": [
{
"name": "TEST CHAIN",
"position": 1000,
"id_hex": null,
"apply_for_ep_owner": false,
"required_chain_id_hex": null,
"methods": [
"ANY"
],
"short_name": "",
"image_name": "ANY.png",
"is_trusted": null,
"is_enabled": true,
"grace_period": null
}
],
"current_method": "LDAP_PASSWORD:1",
"msgid": "AUCORE-2001",
"msg": "Welcome!",
"data_id": ""
}
Do LDAP_PASSWORD:1 logon: POST /api/v1/logon/{logon_process_id}/do_logon
LDAP_PASSWORD:1 logon steps:
- Send the password to do_logon and check the status
Error reasons:
- LDAP_PASSWORD_UNDEFINED
- LDAP_PASSWORD_WRONG
- LDAP_PASSWORD_ACCOUNT_RESTRICTION
- LDAP_PASSWORD_INVALID_LOGON_HOURS
- LDAP_PASSWORD_INVALID_WORKSTATION
- LDAP_PASSWORD_ACCOUNT_DISABLED
- LDAP_PASSWORD_TOO_MANY_CONTEXT_IDS
- LDAP_PASSWORD_ACCOUNT_EXPIRED
- LDAP_PASSWORD_MUST_CHANGE
- LDAP_PASSWORD_ACCOUNT_LOCKED_OUT
- logon_process_id (32-symbol id, required): ID of the logon process. Example: jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9
Do TOTP:1 enroll:
Body
{
"login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
"response": {
"secret": "0000000000000100"
}
}
Body
{
"reason": "",
"method_id": "TOTP:1",
"status": "OK",
"msg": ""
}
Do TOTP:1 enroll: POST /api/v1/enroll/{enroll_process_id}/do_enroll
TOTP:1 enroll steps:
- Send a request with the secret to do_enroll and check the status
Error reasons:
- TOTP_SCAN_QR
The TOTP auth_template is the shared secret and the acceptance period (the OATH default is 30 sec).
Request fields:
- secret: hex or base32 string
- is_base32_secret: optional, default False
- period: optional, default 30
- otp_format: optional, one of [dec4, dec6, dec7, dec8]
- hash: optional, one of hashlib.algorithms_guaranteed
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do TOTP:1 logon:
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"answer": "123456"
}
}
Body
{
"event_data_id": "",
"msgid": "AUCORE-2001",
"logon_process_id": "f0fzSCkoGcCFMJTDRalx5nnsC9zEYHBQ",
"login_session_id": "9QHUl8xbBNo4PUO6UXYzbHltNaMmNpSL",
"current_method": "TOTP:1",
"chains": [
{
"position": 1000,
"short_name": "",
"grace_period": null,
"methods": [
"ANY"
],
"is_enabled": true,
"name": "TEST CHAIN",
"id_hex": null,
"required_chain_id_hex": null,
"is_trusted": null,
"apply_for_ep_owner": false,
"image_name": "ANY.png"
}
],
"repo_obj_id": "c0fd1ab20b0e11e6b224080027983191",
"plugins": [],
"msg": "Welcome!",
"status": "OK",
"user_id": "84a0a279d391de4b2fd70ea38b46d3ce",
"data_id": "",
"event_name": "",
"repo_id": "c0eeb0ee0b0e11e6b224080027983191",
"completed_methods": [
"TOTP:1"
],
"user_name": "LOCAL\\ADMIN"
}
Do TOTP:1 logon: POST /api/v1/logon/{logon_process_id}/do_logon
TOTP:1 logon steps:
- Send the OTP password to do_logon and check the status
Error reasons:
- TOTP_PASSWORD_UNDEFINED
- TOTP_WAIT_MINUTE
- TOTP_PASSWORD_WRONG
- logon_process_id (32-symbol id, required): ID of the logon process. Example: f0fzSCkoGcCFMJTDRalx5nnsC9zEYHBQ
Do HOTP:1 enroll:
Body
{
"login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
"response": {
"secret": "0000000000000100",
"counter": 10
}
}
Body
{
"reason": "",
"method_id": "HOTP:1",
"status": "OK",
"msg": ""
}
Body
{
"login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
"response": {
"secret": "0000000000000100",
"hotp1": "472265",
"hotp2": "194708",
"hotp3": "468067"
}
}
Body
{
"reason": "",
"method_id": "HOTP:1",
"status": "OK",
"msg": ""
}
Do HOTP:1 enroll: POST /api/v1/enroll/{enroll_process_id}/do_enroll
HOTP:1 enroll steps:
- Send a request with the secret and counter (or with the secret and 3 consecutive HOTP values) to do_enroll and check the status
Keep in mind the HOTP secret and algorithm parameters configured on the user's device (smartphone etc.).
The HOTP auth_template is the shared secret and the starting counter.
Request fields (secret and counter variant):
- secret: hex string, required
- counter: integer, required
- hash: optional, one of hashlib.algorithms_guaranteed
- token_public_id: optional; Yubikey tokens can be configured to insert their public ID before the OTP
Request fields (three consecutive OTP variant):
- hotp1, hotp2, hotp3: consecutive OTP passwords, required
- secret: hex string, required
- hash: optional, one of hashlib.algorithms_guaranteed
- token_public_id: optional; Yubikey tokens can be configured to insert their public ID before the OTP
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
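Added example (not code from this doc or its product) covering the TOTP:1 and HOTP:1 enroll fields above in Python: secret decoding (hex or base32 per is_base32_secret), the otp_format digit count, RFC 4226 HOTP and RFC 6238 TOTP with a selectable hash, a TOTP check across the otp_window from the TOTPMethod policy, and the counter search a server needs for the hotp1/hotp2/hotp3 enroll variant. The search window LOOKAHEAD and the reading of otp_window as plus/minus time steps are assumptions, not documented server behaviour.

```python
import base64
import hashlib
import hmac
import struct

LOOKAHEAD = 100  # constructed: how far past the starting counter hotp1..hotp3 are searched


def decode_secret(secret: str, is_base32_secret: bool = False) -> bytes:
    """Decode the 'secret' request field: hex by default, base32 when is_base32_secret."""
    if is_base32_secret:
        # Authenticator apps often hand out unpadded, lower-case base32
        s = secret.strip().replace(" ", "").upper()
        return base64.b32decode(s + "=" * (-len(s) % 8))
    return bytes.fromhex(secret)


def digits_from_otp_format(otp_format: str) -> int:
    """Map the doc's otp_format values (dec4, dec6, dec7, dec8) to a digit count."""
    if otp_format not in ("dec4", "dec6", "dec7", "dec8"):
        raise ValueError(f"unsupported otp_format {otp_format!r}")
    return int(otp_format[3:])


def hotp(key: bytes, counter: int, digits: int = 6, hash_name: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if hash_name not in hashlib.algorithms_guaranteed:
        raise ValueError(f"hash {hash_name!r} is not in hashlib.algorithms_guaranteed")
    mac = hmac.new(key, struct.pack(">Q", counter), hash_name).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6, hash_name: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, at // period, digits, hash_name)


def verify_totp(key: bytes, answer: str, at: int, otp_window: int = 4, period: int = 30,
                digits: int = 6, hash_name: str = "sha1") -> bool:
    """Check a TOTP:1 logon answer against the current time step and its neighbours.
    otp_window is read as +/- steps (assumption: the doc does not define its unit)."""
    step = at // period
    # Evaluate every candidate (no early return) and compare each in constant time
    return any([hmac.compare_digest(hotp(key, step + d, digits, hash_name), answer)
                for d in range(-otp_window, otp_window + 1)])


def resync_hotp_counter(key: bytes, otps, start: int = 0, lookahead: int = LOOKAHEAD,
                        digits: int = 6, hash_name: str = "sha1"):
    """HOTP:1 enroll variant with hotp1..hotp3: find the counter at which the
    consecutive codes line up. Returns that counter (the template would then
    expect counter + len(otps) next) or None if no position in the window matches."""
    for c in range(start, start + lookahead):
        if all(hmac.compare_digest(hotp(key, c + i, digits, hash_name), code)
               for i, code in enumerate(otps)):
            return c
    return None
```

The assertions use the RFC 4226 / RFC 6238 test key "12345678901234567890", so the expected codes are the published vectors rather than the doc's sample values.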
Do HOTP:1 logon:
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"answer": "123456"
}
}
Body
{
"event_data_id": "",
"msgid": "AUCORE-2001",
"logon_process_id": "fae8kchtfY2p2t3W0OWrCS3UHu3nf6eM",
"login_session_id": "iCFCUvGVK9zlDQtWa018UWKUwuNHEYcn",
"current_method": "HOTP:1",
"chains": [
{
"position": 1000,
"short_name": "",
"grace_period": null,
"methods": [
"ANY"
],
"is_enabled": true,
"name": "TEST CHAIN",
"id_hex": null,
"required_chain_id_hex": null,
"is_trusted": null,
"apply_for_ep_owner": false,
"image_name": "ANY.png"
}
],
"repo_obj_id": "c0fd1ab20b0e11e6b224080027983191",
"plugins": [],
"msg": "Welcome!",
"status": "OK",
"user_id": "84a0a279d391de4b2fd70ea38b46d3ce",
"data_id": "",
"event_name": "",
"repo_id": "c0eeb0ee0b0e11e6b224080027983191",
"completed_methods": [
"HOTP:1"
],
"user_name": "LOCAL\\ADMIN"
}
Do HOTP:1 logon: POST /api/v1/logon/{logon_process_id}/do_logon
HOTP:1 logon steps:
- Send the OTP password to do_logon and check the status
Error reasons:
- HOTP_PASSWORD_WRONG
- HOTP_PASSWORD_UNDEFINED
- logon_process_id (32-symbol id, required): ID of the logon process. Example: fae8kchtfY2p2t3W0OWrCS3UHu3nf6eM
Do SMS_OTP:1 enroll:
Body
{
"login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
"response": {
"mobile_phone": "+123456789"
}
}
mobile_phone is optional; if it is missing, the phone from the repository is used.
Body
{
"reason": "",
"method_id": "SMS_OTP:1",
"status": "OK",
"msg": ""
}
Do SMS_OTP:1 enroll: POST /api/v1/enroll/{enroll_process_id}/do_enroll
SMS_OTP:1 enroll steps:
- Send an empty request to do_enroll and check the status
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do SMS_OTP:1 logon:
Body
{
"endpoint_session_id": "eRPr3yB92MgYySHk8I8yj5twuuf3PAUa"
}
Body
{
"event_name": "",
"current_method": "SMS_OTP:1",
"reason": "OTP_WAITING_PASSWORD",
"msgid": "AUCORE-2012",
"completed_methods": [],
"logon_process_id": "T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv",
"plugins": [],
"status": "MORE_DATA",
"event_data_id": "",
"msg": "OTP password sent, please enter",
"chains": [
{
"short_name": "",
"position": 1000,
"id_hex": null,
"required_chain_id_hex": null,
"is_trusted": null,
"image_name": "ANY.png",
"is_enabled": true,
"methods": [
"ANY"
],
"name": "TEST CHAIN",
"apply_for_ep_owner": false,
"grace_period": null
}
]
}
Body
{
"endpoint_session_id": "eRPr3yB92MgYySHk8I8yj5twuuf3PAUa",
"response": {
"answer": "246635"
}
}
Body
{
"user_id": "dfd5acc4dc8fdb8c712d8b9c8e8a10ad",
"user_name": "LDS\\Admin",
"data_id": "",
"event_data_id": "",
"status": "OK",
"msgid": "AUCORE-2001",
"completed_methods": ["SMS_OTP:1"],
"msg": "Welcome!",
"repo_id": "4c8449de0c4f11e6b18c080027983191",
"event_name": "",
"chains": [
{
"short_name": "",
"position": 1000,
"id_hex": null,
"required_chain_id_hex": null,
"is_trusted": null,
"image_name": "ANY.png",
"is_enabled": true,
"methods": ["ANY"],
"name": "TEST CHAIN",
"apply_for_ep_owner": false,
"grace_period": null
}
],
"repo_obj_id": "11a2916c4521e14e83ad19b0165311d1",
"user_mobile_phone": ["+12345678901"],
"current_method": "SMS_OTP:1",
"user_sid_hex": "0105000016ef19f498f9c6c5e52ce57b56b2314ba46e9bdd41d24e5d",
"user_cn": "Admin",
"logon_process_id": "T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv",
"plugins": [],
"user_sid": "S-1-384768500-3318151576-2078616805-1261548118-3717951140-1565446721",
"login_session_id": "HG72YHJloobSOVuIQAobht2tSeSnvl6Z",
"user_dn": "CN=Admin,CN=test"
}
Body
{
"endpoint_session_id": "eRPr3yB92MgYySHk8I8yj5twuuf3PAUa",
"response": {
"answer": "795191"
}
}
Body
{
"msg": "Wrong answer. Please try again",
"reason": "OTP_WRONG_PASSWORD",
"current_method": "SMS_OTP:1",
"plugins": [],
"status": "MORE_DATA",
"chains": [
{
"short_name": "",
"id_hex": null,
"is_enabled": true,
"position": 1000,
"image_name": "ANY.png",
"methods": [
"ANY"
],
"required_chain_id_hex": null,
"name": "TEST CHAIN",
"grace_period": null,
"apply_for_ep_owner": false,
"is_trusted": null
}
],
"event_data_id": "",
"event_name": "",
"logon_process_id": "T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv",
"msgid": "AUCORE-2015",
"completed_methods": []
}
Do SMS_OTP:1 logon:POST/api/v1/logon/{logon_process_id}/do_logon
SMS_OTP:1 logon steps:
- Send an empty request to do_logon to trigger the SMS
- Send a request with the password from the received SMS to do_logon and check the status
Error reasons:
- OTP_CANNOT_SEND
- OTP_TOO_MANY_SENT
- OTP_WAITING_PASSWORD
- OTP_NO_PASSWORD
- OTP_PASSWORD_EXPIRED
- OTP_WRONG_PASSWORD
- OTP_TOO_MANY_REQUESTS
- OTP_NO_EXPLICIT_RECIPIENT
- logon_process_id (32 symbol id, required): ID of the logon process. Example: T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv
Do SMS_OTP:1 method call:
Body
{
"endpoint_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9", // (trusted endpoint required)
"mobile_phone": "+123456789"
}
Body
{
"otp": "123456"
}
Do SMS_OTP:1 method call:POST/api/v1/logon_method/SMS_OTP:1
SMS_OTP:1 method steps:
- Send recipient mobile phone in request and check OTP
Do EMAIL_OTP:1 enroll:
Body
{
"login_session_id":"rBT79CAz8AWh1o920OrHumx32iaToCU9",
"response":
{
"email": "test@domain.com" // (optional; if omitted, the e-mail address from the repository is used)
}
}
Body
{
"reason": "",
"method_id": "EMAIL_OTP:1",
"status": "OK",
"msg": ""
}
Do EMAIL_OTP:1 enroll:POST/api/v1/enroll/{enroll_process_id}/do_enroll
EMAIL_OTP:1 enroll steps:
- Send empty request to do_enroll and check status
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do EMAIL_OTP:1 logon:
Body
{
"endpoint_session_id": "caclPKkiAOkbwUMyX6kvMlIVtOdMwgvW"
}
Body
{
"event_name": "",
"current_method": "EMAIL_OTP:1",
"reason": "OTP_WAITING_PASSWORD",
"msgid": "AUCORE-2012",
"completed_methods": [],
"logon_process_id": "DjCTzG4tuJdwTmdWhtkbUggbertp2d6E",
"plugins": [],
"status": "MORE_DATA",
"event_data_id": "",
"msg": "OTP password sent, please enter",
"chains": [
{
"short_name": "",
"position": 1000,
"id_hex": null,
"required_chain_id_hex": null,
"is_trusted": null,
"image_name": "ANY.png",
"is_enabled": true,
"methods": [
"ANY"
],
"name": "TEST CHAIN",
"apply_for_ep_owner": false,
"grace_period": null
}
]
}
Body
{
"endpoint_session_id": "caclPKkiAOkbwUMyX6kvMlIVtOdMwgvW",
"response": {
"answer": "795199"
}
}
Body
{
"user_id": "470671fbf0227d268c2cc7d6b756e2c0",
"user_name": "LDS\Admin",
"data_id": "",
"event_data_id": "",
"status": "OK",
"msgid": "AUCORE-2001",
"completed_methods": ["EMAIL_OTP:1"],
"msg": "Welcome!",
"repo_id": "d65f2f4e0c4e11e6b18c080027983191",
"event_name": "",
"user_email": "test@localhost",
"repo_obj_id": "11a2916c4521e14e83ad19b0165311d1",
"current_method": "EMAIL_OTP:1",
"user_sid_hex": "0105000016ef19f498f9c6c5e52ce57b56b2314ba46e9bdd41d24e5d",
"chains": [
{
"short_name": "",
"position": 1000,
"id_hex": null,
"required_chain_id_hex": null,
"is_trusted": null,
"image_name": "ANY.png",
"is_enabled": true,
"methods": ["ANY"],
"name": "TEST CHAIN",
"apply_for_ep_owner": false,
"grace_period": null
}
],
"user_cn": "Admin",
"logon_process_id": "DjCTzG4tuJdwTmdWhtkbUggbertp2d6E",
"plugins": [],
"user_sid": "S-1-384768500-3318151576-2078616805-1261548118-3717951140-1565446721",
"login_session_id": "VqtNECMXwMIRDLqbOFG8pBbTbG8lfSTT",
"user_dn": "CN=Admin,CN=test"
}
Body
{
"endpoint_session_id": "caclPKkiAOkbwUMyX6kvMlIVtOdMwgvW",
"response": {
"answer": "795191"
}
}
Body
{
"msg": "Wrong answer. Please try again",
"reason": "OTP_WRONG_PASSWORD",
"current_method": "EMAIL_OTP:1",
"plugins": [],
"status": "MORE_DATA",
"chains": [
{
"short_name": "",
"id_hex": null,
"is_enabled": true,
"position": 1000,
"image_name": "ANY.png",
"methods": [
"ANY"
],
"required_chain_id_hex": null,
"name": "TEST CHAIN",
"grace_period": null,
"apply_for_ep_owner": false,
"is_trusted": null
}
],
"event_data_id": "",
"event_name": "",
"logon_process_id": "DjCTzG4tuJdwTmdWhtkbUggbertp2d6E",
"msgid": "AUCORE-2015",
"completed_methods": []
}
Do EMAIL_OTP:1 logon:POST/api/v1/logon/{logon_process_id}/do_logon
EMAIL_OTP:1 logon steps:
- Send an empty request to do_logon to trigger the e-mail
- Send a request with the password from the received e-mail to do_logon and check the status
Error reasons:
- OTP_CANNOT_SEND
- OTP_TOO_MANY_SENT
- OTP_WAITING_PASSWORD
- OTP_NO_PASSWORD
- OTP_PASSWORD_EXPIRED
- OTP_WRONG_PASSWORD
- OTP_TOO_MANY_REQUESTS
- OTP_NO_EXPLICIT_RECIPIENT
- logon_process_id (32 symbol id, required): ID of the logon process. Example: DjCTzG4tuJdwTmdWhtkbUggbertp2d6E
Do EMAIL_OTP:1 method call:
Body
{
"endpoint_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9", // (trusted endpoint required)
"email": "test@domain.com"
}
Body
{
"otp": "123456"
}
Do EMAIL_OTP:1 method call:POST/api/v1/logon_method/EMAIL_OTP:1
EMAIL_OTP:1 method steps:
- Send recipient email in request and check OTP
Do VOICE_OTP:1 enroll:
Body
{
"login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9",
"mobile_phone": "+123456789" // (optional; if omitted, the phone number from the repository is used)
}
Body
{
"reason": "",
"method_id": "VOICE_OTP:1",
"status": "OK",
"msg": ""
}
Do VOICE_OTP:1 enroll:POST/api/v1/enroll/{enroll_process_id}/do_enroll
VOICE_OTP:1 enroll steps:
- Send request to do_enroll and check status
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do VOICE_OTP:1 logon:
Body
{
"endpoint_session_id": "eRPr3yB92MgYySHk8I8yj5twuuf3PAUa"
}
Body
{
"event_name": "",
"current_method": "VOICE_OTP:1",
"reason": "OTP_WAITING_PASSWORD",
"msgid": "AUCORE-2012",
"completed_methods": [],
"logon_process_id": "T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv",
"plugins": [],
"status": "MORE_DATA",
"event_data_id": "",
"msg": "OTP password sent, please enter",
"chains": [
{
"short_name": "",
"position": 1000,
"id_hex": null,
"required_chain_id_hex": null,
"is_trusted": null,
"image_name": "ANY.png",
"is_enabled": true,
"methods": [
"ANY"
],
"name": "TEST CHAIN",
"apply_for_ep_owner": false,
"grace_period": null
}
]
}
Body
{
"endpoint_session_id": "eRPr3yB92MgYySHk8I8yj5twuuf3PAUa",
"response": {
"answer": "246635"
}
}
Body
{
"user_id": "dfd5acc4dc8fdb8c712d8b9c8e8a10ad",
"user_name": "LDS\Admin",
"data_id": "",
"event_data_id": "",
"status": "OK",
"msgid": "AUCORE-2001",
"completed_methods": ["VOICE_OTP:1"],
"msg": "Welcome!",
"repo_id": "4c8449de0c4f11e6b18c080027983191",
"event_name": "",
"chains": [
{
"short_name": "",
"position": 1000,
"id_hex": null,
"required_chain_id_hex": null,
"is_trusted": null,
"image_name": "ANY.png",
"is_enabled": true,
"methods": ["ANY"],
"name": "TEST CHAIN",
"apply_for_ep_owner": false,
"grace_period": null
}
],
"repo_obj_id": "11a2916c4521e14e83ad19b0165311d1",
"user_mobile_phone": ["+12345678901"],
"current_method": "VOICE_OTP:1",
"user_sid_hex": "0105000016ef19f498f9c6c5e52ce57b56b2314ba46e9bdd41d24e5d",
"user_cn": "Admin",
"logon_process_id": "T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv",
"plugins": [],
"user_sid": "S-1-384768500-3318151576-2078616805-1261548118-3717951140-1565446721",
"login_session_id": "HG72YHJloobSOVuIQAobht2tSeSnvl6Z",
"user_dn": "CN=Admin,CN=test"
}
Body
{
"endpoint_session_id": "eRPr3yB92MgYySHk8I8yj5twuuf3PAUa",
"response": {
"answer": "795191"
}
}
Body
{
"msg": "Wrong answer. Please try again",
"reason": "OTP_WRONG_PASSWORD",
"current_method": "VOICE_OTP:1",
"plugins": [],
"status": "MORE_DATA",
"chains": [
{
"short_name": "",
"id_hex": null,
"is_enabled": true,
"position": 1000,
"image_name": "ANY.png",
"methods": [
"ANY"
],
"required_chain_id_hex": null,
"name": "TEST CHAIN",
"grace_period": null,
"apply_for_ep_owner": false,
"is_trusted": null
}
],
"event_data_id": "",
"event_name": "",
"logon_process_id": "T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv",
"msgid": "AUCORE-2015",
"completed_methods": []
}
Do VOICE_OTP:1 logon:POST/api/v1/logon/{logon_process_id}/do_logon
VOICE_OTP:1 logon steps:
- Send an empty request to do_logon to initiate the call
- Send a request with the password from the call to do_logon and check the status
Error reasons:
- OTP_CANNOT_SEND
- OTP_TOO_MANY_SENT
- OTP_WAITING_PASSWORD
- OTP_NO_PASSWORD
- OTP_PASSWORD_EXPIRED
- OTP_WRONG_PASSWORD
- OTP_TOO_MANY_REQUESTS
- OTP_NO_EXPLICIT_RECIPIENT
- logon_process_id (32 symbol id, required): ID of the logon process. Example: T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv
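The three OTP methods above (SMS_OTP:1, EMAIL_OTP:1 and VOICE_OTP:1) share one do_logon exchange: an empty request triggers delivery of the code, the answer is then submitted, and the sample bodies show OTP_WRONG_PASSWORD coming back with status MORE_DATA, so the client may try again. The client below is an added example, not code from this doc or from the appliance, that drives that exchange with a bounded number of answer attempts so that a wrong or expired code never turns into an endless loop of resend requests. The scripted stand-in server, the status it returns for OTP_NO_PASSWORD (a case the doc shows no body for), the http_post helper and the run_demo wrapper are my assumptions; the ids and reply fields are copied from the sample bodies above.

```python
"""Client driver for the OTP-style do_logon exchange shared by SMS_OTP:1,
EMAIL_OTP:1 and VOICE_OTP:1 (added example, not the appliance's own code)."""
import json
import urllib.request
from typing import Callable, Dict, Iterator

Reply = Dict[str, object]
Post = Callable[[str, Dict[str, object]], Reply]


class LogonError(Exception):
    """Raised with the reason code (or status) that ended the logon."""


def make_http_post(base_url: str) -> Post:
    """Real transport: POST a JSON body and decode the JSON reply (not used by the demo)."""
    def post(path: str, body: Dict[str, object]) -> Reply:
        req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def otp_logon(post: Post, logon_process_id: str, endpoint_session_id: str,
              read_otp: Callable[[], str], max_attempts: int = 3) -> Reply:
    """Run the two-step exchange from the doc and return the final OK reply.

    Step 1: an empty request (only the endpoint session) makes the server send
    the code; the doc's reply is MORE_DATA / OTP_WAITING_PASSWORD.
    Step 2: submit {"response": {"answer": code}}.  MORE_DATA / OTP_WRONG_PASSWORD
    allows another try; any other non-OK reply (OTP_PASSWORD_EXPIRED,
    OTP_TOO_MANY_REQUESTS, ...) ends this logon process.
    """
    path = f"/api/v1/logon/{logon_process_id}/do_logon"
    reply = post(path, {"endpoint_session_id": endpoint_session_id})
    if reply.get("status") != "MORE_DATA" or reply.get("reason") != "OTP_WAITING_PASSWORD":
        raise LogonError(str(reply.get("reason") or reply.get("status")))

    for _ in range(max_attempts):
        reply = post(path, {"endpoint_session_id": endpoint_session_id,
                            "response": {"answer": read_otp()}})
        if reply.get("status") == "OK":
            return reply
        if reply.get("status") == "MORE_DATA" and reply.get("reason") == "OTP_WRONG_PASSWORD":
            continue  # as in the doc's sample: the process stays open, a new answer may be sent
        raise LogonError(str(reply.get("reason") or reply.get("status")))
    # Client-side limit (not an API reason code): stop instead of guessing on.
    raise LogonError("OTP_ATTEMPTS_EXHAUSTED")


def make_stub_server(expected_otp: str, method_id: str) -> Post:
    """Scripted stand-in for the appliance, constructed for this example.  Its
    replies copy the fields of the doc's sample bodies that the client inspects."""
    state = {"sent": False}

    def post(path: str, body: Dict[str, object]) -> Reply:
        assert path.endswith("/do_logon") and "endpoint_session_id" in body
        response = body.get("response") or {}
        answer = response.get("answer")
        if answer is None:                        # empty request: deliver the code
            state["sent"] = True
            return {"status": "MORE_DATA", "reason": "OTP_WAITING_PASSWORD",
                    "msgid": "AUCORE-2012", "msg": "OTP password sent, please enter",
                    "current_method": method_id, "completed_methods": []}
        if not state["sent"]:                     # answer before any code was sent (status assumed)
            return {"status": "FAILED", "reason": "OTP_NO_PASSWORD", "msg": ""}
        if answer == expected_otp:
            return {"status": "OK", "msgid": "AUCORE-2001", "msg": "Welcome!",
                    "current_method": method_id, "completed_methods": [method_id]}
        return {"status": "MORE_DATA", "reason": "OTP_WRONG_PASSWORD",
                "msgid": "AUCORE-2015", "msg": "Wrong answer. Please try again",
                "current_method": method_id, "completed_methods": []}
    return post


def run_demo(codes_typed: Iterator[str], expected: str = "246635",
             method_id: str = "SMS_OTP:1") -> Reply:
    """Drive the stub with the doc's sample ids and the given sequence of typed codes."""
    return otp_logon(make_stub_server(expected, method_id),
                     "T3Hc3fwHIN4pyJ9gEBaWC416gKRTANQv",
                     "eRPr3yB92MgYySHk8I8yj5twuuf3PAUa",
                     lambda: next(codes_typed))


if __name__ == "__main__":
    # The wrong code from the doc's sample (795191) once, then the right one.
    print(run_demo(iter(["795191", "246635"]))["msg"])   # Welcome!
```

With a real appliance, replace the stub by make_http_post("https://<appliance>") and read_otp by whatever prompts the user; the retry limit is deliberately a client-side constant so the server's own OTP_TOO_MANY_REQUESTS policy is never the only brake.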
Do VOICE_OTP:1 method call:
Body
{
"endpoint_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9", // (trusted endpoint required)
"mobile_phone": "+123456789"
}
Body
{
"otp": "3456"
}
Do VOICE_OTP:1 method call:POST/api/v1/logon_method/VOICE_OTP:1
VOICE_OTP:1 method steps:
- Send recipient mobile phone in request and check OTP
Do RADIUS:1 enroll:
Body
{
"login_session_id": "rBT79CAz8AWh1o920OrHumx32iaToCU9"
}
Body
{
"reason": "",
"method_id": "RADIUS:1",
"status": "OK",
"msg": ""
}
Do RADIUS:1 enroll:POST/api/v1/enroll/{enroll_process_id}/do_enroll
RADIUS:1 enroll steps:
- Send a request with the fields below to do_enroll and check the status
Request fields:
- user_name (optional) - sent to RADIUS instead of user.user_name
- send_reponame (optional) - send 'repository_name\peter' instead of just 'peter'
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do RADIUS:1 logon:
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"answer": "my-radius-password"
}
}
Body
{
"user_id": "4f34e2882991440ddd0fd515e0d0236c",
"completed_methods": [
"EMERG_PASSWORD:1"
],
"repo_id": "3c9c1fd8061e11e6b224080027983191",
"status": "OK",
"repo_obj_id": "3caa08a0061e11e6b224080027983191",
"event_data_id": "",
"logon_process_id": "jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9",
"user_name": "LOCAL\ADMIN",
"login_session_id": "TmPxkC98vF4FGhDvqedjXItbmGjVJYTD",
"plugins": [],
"event_name": "",
"chains": [
{
"name": "TEST CHAIN",
"position": 1000,
"id_hex": null,
"apply_for_ep_owner": false,
"required_chain_id_hex": null,
"methods": [
"ANY"
],
"short_name": "",
"image_name": "ANY.png",
"is_trusted": null,
"is_enabled": true,
"grace_period": null
}
],
"current_method": "EMERG_PASSWORD:1",
"msgid": "AUCORE-2001",
"msg": "Welcome!",
"data_id": ""
}
Do RADIUS:1 logon:POST/api/v1/logon/{logon_process_id}/do_logon
RADIUS:1 logon steps:
- Send password to do_logon and check status
Error reasons:
- RADIUS_WRONG_PASSWORD
- logon_process_id (32 symbol id, required): ID of the logon process. Example: TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS
Do SECQUEST:1 enroll:
Body
{
"login_session_id": "ySHjXQyPAH1dIXYeq3arbMQd7wyP3mMm"
}
Body
{
"msgid": "AUCORE-2046",
"method_id": "SECQUEST:1",
"reason": "SECQUEST_WAITING_ANSWERS",
"status": "MORE_DATA",
"msg": "Waiting for answers...",
"questions": {
"0": "question #0",
"1": "question #1",
"2": "question #2",
"3": "question #3",
"4": "question #4",
"5": "question #5",
"6": "question #6",
"7": "question #7",
"8": "question #8",
"9": "question #9"
}
}
Body
{
"response": {
"answers": {
"0": "answer #0",
"1": "answer #1",
"2": "answer #2",
"3": "answer #3",
"4": "answer #4",
"5": "answer #5",
"6": "answer #6",
"7": "answer #7",
"8": "answer #8",
"9": "answer #9"
}
},
"login_session_id": "ySHjXQyPAH1dIXYeq3arbMQd7wyP3mMm"
}
Body
{
"msg": "",
"method_id": "SECQUEST:1",
"reason": "",
"status": "OK"
}
Do SECQUEST:1 enroll:POST/api/v1/enroll/{enroll_process_id}/do_enroll
SECQUEST:1 enroll steps:
- Send an empty request to do_enroll to receive the questions
- Send the answers to do_enroll and check the status
Error reasons:
- SECQUEST_WAITING_ANSWERS
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do SECQUEST:1 logon:
Body
{
"endpoint_session_id": "peSWzJrCY3BH10TaP6nRrZiQy8ahauIt"
}
Body
{
"status": "MORE_DATA",
"plugins": [],
"event_name": "",
"chains": [
{
"apply_for_ep_owner": false,
"is_trusted": null,
"image_name": "ANY.png",
"short_name": "",
"id_hex": null,
"position": 1000,
"grace_period": null,
"is_enabled": true,
"methods": [
"ANY"
],
"required_chain_id_hex": null,
"name": "TEST CHAIN"
}
],
"reason": "SECQUEST_WAITING_ANSWERS",
"method_id": "SECQUEST:1",
"questions": {
"1": "question #1",
"2": "question #2",
"3": "question #3",
"4": "question #4",
"7": "question #7"
},
"msg": "Waiting for answers...",
"event_data_id": "",
"msgid": "AUCORE-2046",
"completed_methods": [],
"logon_process_id": "2rMurbLwdVVmL4MZYnaJQdh1RWV7ekDx",
"current_method": "SECQUEST:1"
}
Body
{
"response": {
"answers": {
"1": "answer #1",
"2": "answer #2",
"3": "answer #3",
"4": "answer #4",
"7": "answer #7"
}
},
"endpoint_session_id": "peSWzJrCY3BH10TaP6nRrZiQy8ahauIt"
}
Body
{
"user_name": "LOCAL\ADMIN",
"plugins": [],
"logon_process_id": "2rMurbLwdVVmL4MZYnaJQdh1RWV7ekDx",
"user_id": "bdb2b894ce176333bf70a35f1f961126",
"msgid": "AUCORE-2001",
"repo_obj_id": "46dfef2c0c7411e687c1080027983191",
"status": "OK",
"event_data_id": "",
"event_name": "",
"msg": "Welcome!",
"current_method": "SECQUEST:1",
"chains": [
{
"apply_for_ep_owner": false,
"is_trusted": null,
"image_name": "ANY.png",
"short_name": "",
"id_hex": null,
"position": 1000,
"grace_period": null,
"is_enabled": true,
"methods": ["ANY"],
"required_chain_id_hex": null,
"name": "TEST CHAIN"
}
],
"login_session_id": "doB7cTIWcAaE5tAIar6VnPPnKKf5wHdN",
"repo_id": "46dac56a0c7411e687c1080027983191",
"data_id": "",
"completed_methods": ["SECQUEST:1"]
}
Do SECQUEST:1 logon:POST/api/v1/logon/{logon_process_id}/do_logon
SECQUEST:1 logon steps:
- Send an empty request to do_logon to receive the questions
- Send the answers to do_logon and check the status
Error reasons:
- SECQUEST_WRONG_ANSWERS
- SECQUEST_WAITING_ANSWERS
- logon_process_id (32 symbol id, required): ID of the logon process. Example: 2rMurbLwdVVmL4MZYnaJQdh1RWV7ekDx
Do U2F:1 enroll:
Body
{
"response": {
"userName": "user1"
},
"login_session_id": "xTIskntGShVlNfkAUiaZUXE7BR3xToue"
}
Body
{
"signRequests": [],
"registerRequests": [
{
"version": "U2F_V2",
"appId": "https://demo.yubico.com",
"challenge": "2MSDiW84JXiIfSpUd72XebgBujs2WOA-UmuWzpyUQsk"
}
],
"method_id": "U2F:1",
"msgid": "AUCORE-3004",
"reason": "U2F_WAITING_REG_RESPONSE",
"status": "MORE_DATA",
"msg": "Waiting register response"
}
Body
{
"response": {
"registerResponse": {
"registrationData": "BQQ_jNAqemWkTfI9uL4CVo3eQSNIMe66u-pasr8BMuu9maA764C7jDPqXMUWhw8_4tDxeUbM72VJH5fssT6F2vT5QKheRH3Tk0hCuJD94ZRHf0Nkg-JDmLOivamSUeVXvRJaBLOp7N-hhxvoxlChQ-CSzMDqrC7EZ7IqWvl7Ac3xejswggIcMIIBBqADAgECAgRyWMLqMAsGCSqGSIb3DQEBCzAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowKzEpMCcGA1UEAwwgWXViaWNvIFUyRiBFRSBTZXJpYWwgMTQ4MDMzMjE1NzgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASisDmTIlQxnUH6SFTVfKGN62nMmz5Nga45nzI-gRZDme8qlRRnPRV87L-18LzHiQhT7lXPPxogZvTVE5uTizELoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG8zBr5C3uVeBjVVaQzcWpgFqztyzEyw0EPNmFkEGwj2SqwbF0cLLaSmtQhSKoqOvOuU4k6aqFAyukyZZMVPZKqAP0Vh0sCMpRMzpDvEZjO3v6gh5Z8bIDmtQAJ5B2nnILyVpc7DA7taj3dUrZzNMD8v-bYjKdTsZJ_QzQstsewIPkoFOIRRtqta0iwkEFiX_cwR11IF-USGcQHKUBoMX65JP9nY6DzQ3XHplOD3bHUOHsCi2MqBZU-1fKOrQJpNP0w8cBQpSk_hsVTm7UiGW_FGrxrIKXfpGfCGICKDxCMfuWKIshu0HjP0pEhowAX1Ls1pie2SoK3-VEhYtkOFRLqMEUCIFnX5ZcO8ZWOKyF6R-tAse3rYdzwFBq4LZzEeXUwn6oMAiEAwNuC4mkjobmeyilaLM4twOAicm-R_x_YKzcQcXIx5cU",
"clientData": "eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IjFNX2hrbkxka0Ixb1hySFQxWUZqSHA5NDRpT2w4N2kwd1B5UUV0MW5DYzQiLCJvcmlnaW4iOiJodHRwczovL2RlbW8ueXViaWNvLmNvbSIsImNpZF9wdWJrZXkiOiIifQ"
}
},
"login_session_id": "xTIskntGShVlNfkAUiaZUXE7BR3xToue"
}
Body
{
"reason": "",
"status": "OK",
"method_id": "U2F:1",
"msg": "Enrollment complete",
"msgid": "AUCORE-3001"
}
Do U2F:1 enroll:POST/api/v1/enroll/{enroll_process_id}/do_enroll
U2F:1 enroll steps:
- Ask the server for registerRequests by sending an empty request to do_enroll
- Forward the registerRequests and signRequests to the JS API, get the registerResponse and send it to the server via do_enroll
- Check the status of the received response
Error reasons:
- U2F_WAITING_REG_RESPONSE
- U2F_NOT_ATTESTED
The U2F AP uses camelCase parameter names, the same scheme the Chrome JS API (u2f.js) uses, so objects such as SignRequest can be forwarded unchanged between the AP and the JS API.
How to build the appId from inside the browser:
function getOriginFromUrl(url) {
    // keep only scheme and host, e.g. "https://demo.yubico.com"
    var re = new RegExp('^(https?://)[^/]*/?');
    var originarray = re.exec(url);
    if (originarray == null) return originarray;
    var origin = originarray[0];
    while (origin.charAt(origin.length - 1) == '/') {
        origin = origin.substring(0, origin.length - 1);
    }
    if (origin == 'http:' || origin == 'https:') return null;
    return origin;
}
var appId = getOriginFromUrl(window.location);
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do U2F:1 logon:
Body
{
"endpoint_session_id": "4CkX5jecFnGrv4wIoP83ADpVORjk7zqZ"
}
Body
{
"logon_process_id": "tvV9a4UNEf71yvZDxwJQ179SJnHQndmT",
"current_method": "U2F:1",
"reason": "U2F_WAITING_AUTH_RESPONSE",
"event_data_id": "",
"msgid": "AUCORE-2059",
"plugins": [],
"signRequests": [
{
"appId": "https://demo.yubico.com",
"keyHandle": "qF5EfdOTSEK4kP3hlEd_Q2SD4kOYs6K9qZJR5Ve9EloEs6ns36GHG-jGUKFD4JLMwOqsLsRnsipa-XsBzfF6Ow",
"version": "U2F_V2",
"challenge": "NGX54sR5bgHSSJVs7ijQaMi_vV-lz48UqWW-XTlHgX4"
}
],
"event_name": "TEST",
"msg": "Waiting for an authentication response",
"chains": [
{
"short_name": "",
"required_chain_id_hex": null,
"position": 0,
"is_enabled": true,
"methods": [
"U2F:1"
],
"image_name": "U2F_1.png",
"grace_period": null,
"name": "Test-chain",
"id_hex": "42b312980c8911e69140080027983191",
"apply_for_ep_owner": false,
"is_trusted": null
}
],
"completed_methods": [],
"status": "MORE_DATA"
}
Body
{
"response": {
"signResponse": {
"keyHandle": "qF5EfdOTSEK4kP3hlEd_Q2SD4kOYs6K9qZJR5Ve9EloEs6ns36GHG-jGUKFD4JLMwOqsLsRnsipa-XsBzfF6Ow",
"signatureData": "AQAAAKowRAIgFrmzsrUHiUw2ixt20cXLjBRDo7-UoqWqZlNsFcXZL4ECIH45ALRE86ijsKPv_r3zmzhoE34N3NqzgvRJ1f49C1UA",
"clientData": "eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiZXYwd3dLR3l5bV9YamdZZkExd2tNT3Y4bGpsOHphS0F5WGdBV3gyUW91OCIsIm9yaWdpbiI6Imh0dHBzOi8vZGVtby55dWJpY28uY29tIiwiY2lkX3B1YmtleSI6IiJ9"
}
},
"endpoint_session_id": "4CkX5jecFnGrv4wIoP83ADpVORjk7zqZ"
}
Body
{
"data_id": "",
"logon_process_id": "tvV9a4UNEf71yvZDxwJQ179SJnHQndmT",
"current_method": "U2F:1",
"event_data_id": "",
"user_id": "3a76753d7f931751c79fa05d80eb058e",
"repo_id": "42987aa00c8911e69140080027983191",
"msgid": "AUCORE-2001",
"plugins": [],
"repo_obj_id": "42a3962e0c8911e69140080027983191",
"event_name": "TEST",
"msg": "Welcome!",
"chains": [
{
"short_name": "",
"required_chain_id_hex": null,
"position": 0,
"is_enabled": true,
"methods": ["U2F:1"],
"image_name": "U2F_1.png",
"grace_period": null,
"name": "Test-chain",
"id_hex": "42b312980c8911e69140080027983191",
"apply_for_ep_owner": false,
"is_trusted": null
}
],
"user_name": "LOCAL\USER1",
"completed_methods": ["U2F:1"],
"status": "OK",
"login_session_id": "Cga6cvaMTaMTaDp5TLZHPOet29O808VL"
}
Do U2F:1 logon:POST/api/v1/logon/{logon_process_id}/do_logon
U2F:1 logon steps:
- Send an empty request to do_logon to ask the server for signRequests
- Forward the signRequests to the JS API, get the signResponse, send it to do_logon and check the status
Error reasons:
- U2F_ALL_TOKENS_COMPROMISED
- U2F_NO_TOKENS
- U2F_WAITING_AUTH_RESPONSE
- logon_process_id (32 symbol id, required): ID of the logon process. Example: tvV9a4UNEf71yvZDxwJQ179SJnHQndmT
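The sample bodies show what a signResponse looks like but not what the server has to check inside it. The following is an added example, not code from this doc or from the appliance, that decodes the page's own clientData and signatureData values: clientData is base64url JSON that must carry the expected typ, the challenge the server issued for this process and an origin matching the appId; signatureData starts with the user-presence byte and a 4-byte big-endian signature counter that must strictly increase per key handle, which is how a U2F relying party notices a replayed response or a second device holding the same key. The doc does not define U2F_ALL_TOKENS_COMPROMISED; reading it as this kind of counter failure is my assumption. The ECDSA check of the remaining DER signature against the registered public key is not included. Because the registerRequests/signRequests and their responses in this doc were evidently captured in different sessions, the challenge inside each clientData differs from the challenge shown in the request before it, and the check reports exactly that.

```python
"""Relying-party checks on U2F clientData and signatureData
(added example, not the appliance's own code)."""
import base64
import json
import struct
from typing import Dict, List, Tuple

# Values copied from the doc's U2F:1 enroll and logon sample bodies.
APP_ID = "https://demo.yubico.com"
REGISTER_CHALLENGE = "2MSDiW84JXiIfSpUd72XebgBujs2WOA-UmuWzpyUQsk"
REGISTER_CLIENT_DATA = ("eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IjFNX2hr"
                        "bkxka0Ixb1hySFQxWUZqSHA5NDRpT2w4N2kwd1B5UUV0MW5DYzQiLCJvcmlnaW4iOiJodHRwczov"
                        "L2RlbW8ueXViaWNvLmNvbSIsImNpZF9wdWJrZXkiOiIifQ")
SIGN_CHALLENGE = "NGX54sR5bgHSSJVs7ijQaMi_vV-lz48UqWW-XTlHgX4"
SIGN_CLIENT_DATA = ("eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiZXYwd3dLR3l5"
                    "bV9YamdZZkExd2tNT3Y4bGpsOHphS0F5WGdBV3gyUW91OCIsIm9yaWdpbiI6Imh0dHBzOi8vZGVt"
                    "by55dWJpY28uY29tIiwiY2lkX3B1YmtleSI6IiJ9")
SIGNATURE_DATA = ("AQAAAKowRAIgFrmzsrUHiUw2ixt20cXLjBRDo7-UoqWqZlNsFcXZL4ECIH45ALRE86ijsKPv_r3z"
                  "mzhoE34N3NqzgvRJ1f49C1UA")


def b64url_decode(s: str) -> bytes:
    """u2f.js strips the '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_client_data(client_data_b64: str) -> Dict[str, str]:
    return json.loads(b64url_decode(client_data_b64))


def client_data_problems(client_data_b64: str, expected_typ: str,
                         expected_challenge: str, expected_origin: str) -> List[str]:
    """Names of the fields that fail; an empty list means the clientData is acceptable."""
    cd = parse_client_data(client_data_b64)
    problems = []
    if cd.get("typ") != expected_typ:               # finishEnrollment vs getAssertion
        problems.append("typ")
    if cd.get("challenge") != expected_challenge:   # binds the response to this process
        problems.append("challenge")
    if cd.get("origin") != expected_origin:         # origin must be the appId (or one of its facets)
        problems.append("origin")
    return problems


def parse_signature_data(signature_data_b64: str) -> Tuple[bool, int, bytes]:
    """Split U2F signatureData: user-presence byte, 4-byte big-endian counter, DER signature."""
    raw = b64url_decode(signature_data_b64)
    if len(raw) < 5:
        raise ValueError("signatureData too short")
    user_present = bool(raw[0] & 0x01)
    (counter,) = struct.unpack(">I", raw[1:5])
    return user_present, counter, raw[5:]


def counter_check(stored_counter: int, received_counter: int) -> bool:
    """True only if the token's counter moved forward; a repeat or a lower
    value means a replay or another device signing with the same key handle."""
    return received_counter > stored_counter


if __name__ == "__main__":
    print(client_data_problems(SIGN_CLIENT_DATA, "navigator.id.getAssertion", SIGN_CHALLENGE, APP_ID))
    print(parse_signature_data(SIGNATURE_DATA)[:2])
```

The stored counter has to be persisted per key handle at registration (the counter in the registration response is 0) and updated only after the signature itself verifies, otherwise a forged response could advance it.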
Do SMARTPHONE:1 enroll:
Body
{
"login_session_id": "KOYxcRUuuZxDsEhxiycof4XwcuI2lbwk"
}
Body
{
"msg": "Scan this QR code with the smartphone application",
"msgid": "AUCORE-3003",
"qrdata": "OOBDATAJgBFHPokfqPOxbVzvKrj61GcZDkHeYd0AWYT9x3qQ0ihO9rRktvpqmnyPdlP5efN/FgLhl5D03bU9NJ6OwnxfODK9p5VHXpKqRYfKJhS/hSL7E4weFC4iGP1M1a9DTKfiRN4/A6XprEbkAQceOZMGDdkzmsh7dUus+0owd3FwBnG7jkkfCAQ1rSeI5P1HFMuPsBCdOUFRbMv3Ju8kXLIQRNrHiotksOCtF2vh1ALN3S4fXoPfpC8Nu13uV3ZU7vU+RL5FuexRktRm3dnoDnT1WrTerDXGVRn3T6Ghlg9UkyxswtW1Ipu8N+7OWIT/4PlQ62mj1xGG2otpPE6qCpWPg==",
"status": "MORE_DATA",
"reason": "SMARTPHONE_SCAN_QR",
"method_id": "SMARTPHONE:1"
}
Body
{
"login_session_id": "KOYxcRUuuZxDsEhxiycof4XwcuI2lbwk"
}
Body
{
"msg": "",
"reason": "",
"status": "OK",
"method_id": "SMARTPHONE:1"
}
Do SMARTPHONE:1 enroll:POST/api/v1/enroll/{enroll_process_id}/do_enroll
SMARTPHONE:1 enroll steps:
- Send an empty request to do_enroll to get the QR code and check the status. The user scans this QR code with the smartphone application.
- To check the enrollment status, the application sends empty requests to do_enroll until the status changes to failed or successful.
Error reasons:
- SMARTPHONE_ENROLL_TIMEOUT
- SMARTPHONE_WAITING_DATA
- SMARTPHONE_SCAN_QR
- SMARTPHONE_WRONG_V4_TEMPLATE
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do SMARTPHONE:1 logon online:
Body
{
"endpoint_session_id": "MDG133vYLaZIBuSvHFF5LfZtSApQHkaQ"
}
Body
{
"reason": "SMARTPHONE_WAITING_DATA",
"msgid": "AUCORE-2056",
"msg": "Waiting for smartphone data...",
"chains": [
{
"id_hex": null,
"is_enabled": true,
"short_name": "",
"grace_period": null,
"image_name": "ANY.png",
"is_trusted": null,
"name": "TEST CHAIN",
"methods": [
"ANY"
],
"apply_for_ep_owner": false,
"position": 1000,
"required_chain_id_hex": null
}
],
"current_method": "SMARTPHONE:1",
"status": "MORE_DATA",
"logon_process_id": "6MwzQQ2AKGtTW0q0q2VEQ3tIs0Y6Py0n",
"event_name": "",
"completed_methods": [],
"event_data_id": "",
"plugins": [],
"method_id": "SMARTPHONE:1"
}
Body
{
"endpoint_session_id": "MDG133vYLaZIBuSvHFF5LfZtSApQHkaQ"
}
Body
{
"user_name": "LOCAL\AG",
"msgid": "AUCORE-2053",
"status": "OK",
"repo_id": "8c4749d20c7111e69e17080027983191",
"chains": [
{
"id_hex": null,
"is_enabled": true,
"short_name": "",
"grace_period": null,
"image_name": "ANY.png",
"is_trusted": null,
"name": "TEST CHAIN",
"methods": ["ANY"],
"apply_for_ep_owner": false,
"position": 1000,
"required_chain_id_hex": null
}
],
"current_method": "SMARTPHONE:1",
"repo_obj_id": "8c4d1b500c7111e69e17080027983191",
"msg": "Auth accepted",
"user_id": "187e62bd172488bea921e47ea2be0e7e",
"login_session_id": "qeDTAoC66hrMIl28xfnfeGbUpNn8nJXR",
"logon_process_id": "6MwzQQ2AKGtTW0q0q2VEQ3tIs0Y6Py0n",
"event_name": "",
"completed_methods": ["SMARTPHONE:1"],
"event_data_id": "",
"data_id": "",
"plugins": [],
"method_id": "SMARTPHONE:1"
}
Body
{
"endpoint_session_id": "MDG133vYLaZIBuSvHFF5LfZtSApQHkaQ"
}
Body
{
"event_name": "",
"current_method": "SMARTPHONE:1",
"status": "FAILED",
"reason": "SMARTPHONE_AUTH_REJECTED",
"method_id": "SMARTPHONE:1",
"completed_methods": [],
"msg": "Auth rejected",
"plugins": [],
"msgid": "AUCORE-2054",
"chains": [
{
"grace_period": null,
"image_name": "ANY.png",
"position": 1000,
"apply_for_ep_owner": false,
"id_hex": null,
"short_name": "",
"is_trusted": null,
"methods": [
"ANY"
],
"is_enabled": true,
"required_chain_id_hex": null,
"name": "TEST CHAIN"
}
],
"logon_process_id": "3VXhH6liboHcD35uweditS3MGoLJxQVo",
"event_data_id": ""
}
Do SMARTPHONE:1 logon online:POST/api/v1/logon/{logon_process_id}/do_logon
SMARTPHONE:1 online mode logon steps:
- Send an empty request to do_logon to send a push notification to the smartphone. The user receives the push message and can approve or reject it.
- To check the logon status, the application sends empty requests to do_logon until the status changes to failed or successful.
Error reasons:
- SMARTPHONE_SAME_TOTP
- SMARTPHONE_WRONG_TOTP
- SMARTPHONE_AUTH_CONFIRM_TIMEOUT
- SMARTPHONE_AUTH_REJECTED
- SMARTPHONE_LOGON_IN_PROGRESS
- SMARTPHONE_WAITING_DATA
- SMARTPHONE_NO_LOCATION
- SMARTPHONE_INCORRECT_LOCATION
- SMARTPHONE_TOTP_LOGON_DISABLED
- logon_process_id (32 symbol id, required): ID of the logon process. Example: 6MwzQQ2AKGtTW0q0q2VEQ3tIs0Y6Py0n
Do SMARTPHONE:1 logon offline:
Body
{
"endpoint_session_id": "oxBLoOk1WyIvAcuUv5xIENMgSoya1K0j",
"response": {
"totp": "053226"
}
}
Body
{
"user_name": "LOCAL\AG",
"msgid": "AUCORE-2001",
"status": "OK",
"repo_id": "bf6508400c7111e69e17080027983191",
"chains": [
{
"id_hex": null,
"is_enabled": true,
"short_name": "",
"grace_period": null,
"image_name": "ANY.png",
"is_trusted": null,
"name": "TEST CHAIN",
"methods": ["ANY"],
"apply_for_ep_owner": false,
"position": 1000,
"required_chain_id_hex": null
}
],
"current_method": "SMARTPHONE:1",
"repo_obj_id": "bf6d48340c7111e69e17080027983191",
"msg": "Welcome!",
"user_id": "0524d36a32ced8ac9044fb62f79f60e5",
"login_session_id": "sUne8w7x4E2VMifobJcxxoobdudkq9Sp",
"logon_process_id": "X7F93FOgKJVoVBg7kgRgdTtc0UKAN2Tm",
"event_name": "",
"completed_methods": ["SMARTPHONE:1"],
"event_data_id": "",
"data_id": "",
"plugins": []
}
Body
{
"endpoint_session_id": "oxBLoOk1WyIvAcuUv5xIENMgSoya1K0j",
"response": {
"totp": "053229"
}
}
Body
{
"msg": "Wrong TOTP password",
"event_name": "",
"msgid": "AUCORE-2028",
"reason": "SMARTPHONE_WRONG_TOTP",
"current_method": "SMARTPHONE:1",
"chains": [
{
"grace_period": null,
"image_name": "ANY.png",
"position": 1000,
"apply_for_ep_owner": false,
"id_hex": null,
"short_name": "",
"is_trusted": null,
"methods": [
"ANY"
],
"is_enabled": true,
"required_chain_id_hex": null,
"name": "TEST CHAIN"
}
],
"status": "FAILED",
"plugins": [],
"logon_process_id": "nJERAkt5172RyPdJWuenkyjZHVKG2NR0",
"event_data_id": "",
"completed_methods": []
}
Do SMARTPHONE:1 logon offline:POST/api/v1/logon/{logon_process_id}/do_logon
SMARTPHONE:1 offline mode logon steps:
- Send a request with the TOTP password from the smartphone to do_logon and check the status
Error reasons:
- SMARTPHONE_SAME_TOTP
- SMARTPHONE_WRONG_TOTP
- SMARTPHONE_AUTH_CONFIRM_TIMEOUT
- SMARTPHONE_AUTH_REJECTED
- SMARTPHONE_LOGON_IN_PROGRESS
- SMARTPHONE_WAITING_DATA
- SMARTPHONE_NO_LOCATION
- SMARTPHONE_INCORRECT_LOCATION
- SMARTPHONE_TOTP_LOGON_DISABLED
- logon_process_id (32 symbol id, required): ID of the logon process. Example: X7F93FOgKJVoVBg7kgRgdTtc0UKAN2Tm
Do VOICE:1 enroll:
Body
{
"response": {
"pin": "12345"
},
"login_session_id": "iKsplIEBS8lrfhMCr08uyZEtaWRff9s4"
}
Body
{
"status": "OK",
"reason": "",
"msg": "",
"method_id": "VOICE:1"
}
Do VOICE:1 enroll:POST/api/v1/enroll/{enroll_process_id}/do_enroll
VOICE:1 enroll steps:
- Send request with pin to do_enroll and check status
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do VOICE:1 logon:
Body
{
"endpoint_session_id": "vqRVxFg79DEHCAJjoe0nJNBSMoibCZa9"
}
Body
{
"status": "MORE_DATA",
"plugins": [],
"msg": "Call initiated",
"current_method": "VOICE:1",
"completed_methods": [],
"chains": [
{
"is_enabled": true,
"apply_for_ep_owner": false,
"is_trusted": null,
"name": "TEST CHAIN",
"position": 1000,
"id_hex": null,
"required_chain_id_hex": null,
"image_name": "ANY.png",
"grace_period": null,
"short_name": "",
"methods": [
"ANY"
]
}
],
"reason": "VOICE_CALL_INITIATED",
"msgid": "AUCORE-2077",
"event_data_id": "",
"event_name": "",
"logon_process_id": "F1iJ4albUW81CqFzdZXekgdyPyB43YbY"
}
Body
{
"endpoint_session_id": "vqRVxFg79DEHCAJjoe0nJNBSMoibCZa9"
}
Body
{
"status": "MORE_DATA",
"plugins": [],
"msg": "Call in progress",
"current_method": "VOICE:1",
"completed_methods": [],
"chains": [
{
"is_enabled": true,
"apply_for_ep_owner": false,
"is_trusted": null,
"name": "TEST CHAIN",
"position": 1000,
"id_hex": null,
"required_chain_id_hex": null,
"image_name": "ANY.png",
"grace_period": null,
"short_name": "",
"methods": [
"ANY"
]
}
],
"reason": "VOICE_CALL_IN_PROGRESS",
"msgid": "AUCORE-2073",
"event_data_id": "",
"event_name": "",
"logon_process_id": "F1iJ4albUW81CqFzdZXekgdyPyB43YbY"
}
Body
{
"endpoint_session_id": "vqRVxFg79DEHCAJjoe0nJNBSMoibCZa9"
}
Body
{
"user_name": "LOCAL\AG",
"msgid": "AUCORE-2001",
"status": "OK",
"repo_id": "bf6508400c7111e69e17080027983191",
"chains": [
{
"id_hex": null,
"is_enabled": true,
"short_name": "",
"grace_period": null,
"image_name": "ANY.png",
"is_trusted": null,
"name": "TEST CHAIN",
"methods": ["ANY"],
"apply_for_ep_owner": false,
"position": 1000,
"required_chain_id_hex": null
}
],
"current_method": "VOICE:1",
"repo_obj_id": "bf6d48340c7111e69e17080027983191",
"msg": "Welcome!",
"user_id": "0524d36a32ced8ac9044fb62f79f60e5",
"login_session_id": "sUne8w7x4E2VMifobJcxxoobdudkq9Sp",
"logon_process_id": "F1iJ4albUW81CqFzdZXekgdyPyB43YbY",
"event_name": "",
"completed_methods": ["VOICE:1"],
"event_data_id": "",
"data_id": "",
"plugins": []
}
Do VOICE:1 logon:POST/api/v1/logon/{logon_process_id}/do_logon
VOICE:1 logon steps:
- Send an empty request to do_logon to place a call to the user. The user receives the call and enters the PIN during it.
- To check the logon status, the application sends empty requests to do_logon until the status changes to failed or successful.
Error reasons:
- VOICE_PIN_NOT_VERIFIED
- VOICE_CALL_IN_PROGRESS
- VOICE_PIN_EXPIRED
- VOICE_CANNOT_CALL
- VOICE_CALL_INITIATED
- logon_process_id (32 symbol id, required): ID of the logon process. Example: F1iJ4albUW81CqFzdZXekgdyPyB43YbY
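The VOICE:1 logon above, the SMARTPHONE:1 online logon and the SMARTPHONE:1 enrollment all end with the same instruction: keep sending empty requests until the status is no longer pending. The poller below is an added example, not code from this doc or from the appliance, of doing that with a deadline and a fixed interval: it stops on the first terminal status (OK or FAILED, the two the samples show), hands back any MORE_DATA reply whose reason is not a "still waiting" state instead of polling on it, and gives up after the timeout so an unanswered push or call cannot keep a process alive indefinitely. The set of pending reasons is my reading of the reason lists and sample replies in this doc, the scripted reply sequences are trimmed from the VOICE:1 and SMARTPHONE:1 samples, and the injectable clock/sleep are there so the flow can be exercised without real waiting.

```python
"""Status poller for push / voice-call logons and QR enrollment
(added example, not the appliance's own code)."""
import time
from typing import Callable, Dict, List, Tuple

Reply = Dict[str, object]
Post = Callable[[str, Dict[str, object]], Reply]

TERMINAL_STATUSES = {"OK", "FAILED"}
# MORE_DATA reasons that mean "the user has not decided yet" (taken from the
# doc's reason lists and sample replies; the selection is mine).  Any other
# MORE_DATA reason, e.g. SMARTPHONE_WRONG_TOTP or VOICE_PIN_EXPIRED, needs a
# different action, so the poller hands it back instead of continuing.
PENDING_REASONS = {"SMARTPHONE_SCAN_QR", "SMARTPHONE_WAITING_DATA",
                   "SMARTPHONE_LOGON_IN_PROGRESS",
                   "VOICE_CALL_INITIATED", "VOICE_CALL_IN_PROGRESS"}


class UnexpectedReply(Exception):
    """A reply that is neither terminal nor a known pending state."""


def poll_until_done(post: Post, path: str, session_field: str, session_id: str,
                    timeout_s: float = 60.0, interval_s: float = 2.0,
                    sleep: Callable[[float], None] = time.sleep,
                    clock: Callable[[], float] = time.monotonic) -> Tuple[Reply, int]:
    """Repeat the empty request until OK/FAILED; return (final reply, polls made).

    Raises TimeoutError once timeout_s has elapsed without a decision.
    """
    deadline = clock() + timeout_s
    body = {session_field: session_id}   # an "empty" request carries only the session id
    polls = 0
    while True:
        polls += 1
        reply = post(path, body)
        status = reply.get("status")
        if status in TERMINAL_STATUSES:
            return reply, polls
        if status != "MORE_DATA" or reply.get("reason") not in PENDING_REASONS:
            raise UnexpectedReply(f"status={status} reason={reply.get('reason')}")
        if clock() >= deadline:
            raise TimeoutError(f"no decision after {polls} polls, last reason {reply.get('reason')}")
        sleep(interval_s)


def make_scripted_post(replies: List[Reply]) -> Post:
    """Stand-in for the appliance (constructed): returns the replies in order
    and then keeps returning the last one."""
    queue = list(replies)

    def post(path: str, body: Dict[str, object]) -> Reply:
        assert "response" not in body, "status polls must be empty requests"
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return post


class FakeClock:
    """Virtual time so the demo runs instantly."""
    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


# Reply sequences trimmed from the doc's VOICE:1 and SMARTPHONE:1 sample bodies.
VOICE_CALL_REPLIES: List[Reply] = [
    {"status": "MORE_DATA", "reason": "VOICE_CALL_INITIATED", "msgid": "AUCORE-2077", "msg": "Call initiated"},
    {"status": "MORE_DATA", "reason": "VOICE_CALL_IN_PROGRESS", "msgid": "AUCORE-2073", "msg": "Call in progress"},
    {"status": "OK", "msgid": "AUCORE-2001", "msg": "Welcome!", "completed_methods": ["VOICE:1"]},
]
PUSH_REJECTED_REPLIES: List[Reply] = [
    {"status": "MORE_DATA", "reason": "SMARTPHONE_WAITING_DATA", "msgid": "AUCORE-2056"},
    {"status": "FAILED", "reason": "SMARTPHONE_AUTH_REJECTED", "msgid": "AUCORE-2054", "msg": "Auth rejected"},
]


def run_demo(replies: List[Reply], timeout_s: float = 60.0) -> Tuple[Reply, int]:
    """Poll a scripted server with the doc's VOICE:1 sample ids on a virtual clock."""
    clk = FakeClock()
    return poll_until_done(make_scripted_post(replies),
                           "/api/v1/logon/F1iJ4albUW81CqFzdZXekgdyPyB43YbY/do_logon",
                           "endpoint_session_id", "vqRVxFg79DEHCAJjoe0nJNBSMoibCZa9",
                           timeout_s=timeout_s, interval_s=2.0,
                           sleep=clk.sleep, clock=clk.time)


if __name__ == "__main__":
    reply, polls = run_demo(VOICE_CALL_REPLIES)
    print(polls, reply["status"], reply.get("completed_methods"))   # 3 OK ['VOICE:1']
```

For the SMARTPHONE:1 enrollment the same function is called with the do_enroll path and session_field "login_session_id"; the timeout should stay below the server's own SMARTPHONE_ENROLL_TIMEOUT / SMARTPHONE_AUTH_CONFIRM_TIMEOUT so the client, not the server, is the first to give up.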
Do CARD:1 enroll:
Body
{
"response": {
"card_cert": "308205243082040ca00302010202100e62f26..................a5883aa073b4588",
"card_uid": "0e62f260aa610be177ba6c5d052ef002"
},
"login_session_id": "KOYxcRUuuZxDsEhxiycof4XwcuI2lbwk"
}
Body
{
"method_id": "CARD:1",
"status": "OK",
"reason": "",
"msg": "Enrollment complete",
"msgid": "AUCORE-3001"
}
Do CARD:1 enroll:POST/api/v1/enroll/{enroll_process_id}/do_enroll
Stores the card UID and validates the card certificate (for PKI cards).
Currently only contactless cards (UID) are supported.
CARD:1 enroll steps:
- Send a request with the card certificate and the card UID to do_enroll and check the status
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do CARD:1 logon:
Body
{
"endpoint_session_id": "MDG133vYLaZIBuSvHFF5LfZtSApQHkaQ",
"response": {
"card_uid": "0e62f260aa610be177ba6c5d052ef002",
"card_cert": "308205243082040ca003...64a5883aa073b4588"
}
}
Body
{
"plugins": [],
"msg": "Welcome!",
"status": "OK",
"logon_process_id": "R94moMSOwAekT28PMCbSnuK8UJq0AxlP",
"event_name": "TEST",
"chains": [
{
"short_name": "",
"apply_for_ep_owner": false,
"image_name": "CARD_1.png",
"grace_period": null,
"methods": ["CARD:1"],
"position": 0,
"id_hex": "54e35a080c8a11e6b5cd080027983191",
"is_trusted": null,
"name": "Test-chain",
"required_chain_id_hex": null,
"is_enabled": true
}
],
"event_data_id": "",
"repo_id": "54d11b360c8a11e6b5cd080027983191",
"user_id": "ba94bcf442f0c148fc6a049c9470d1dd",
"completed_methods": ["CARD:1"],
"repo_obj_id": "54d6890e0c8a11e6b5cd080027983191",
"login_session_id": "htNJc4zJq0DvtMR3jxqQXRzDKqdSB7vu",
"data_id": "",
"current_method": "CARD:1",
"msgid": "AUCORE-2001",
"user_name": "LOCAL\USER1"
}
Do CARD:1 logon:POST/api/v1/logon/{logon_process_id}/do_logon
CARD:1 logon steps:
- Send the smartcard UID and the card certificate (for PKI cards) to do_logon and check the status
Currently only contactless cards (UID) and certificate-based (PKI) cards are supported. This method supports 1:N logon: the card UID can be passed in the 'unit_id' parameter instead of user_name. The card_uid is therefore sent twice; the second copy, in the response object, is needed for the non-1:N scenarios in which the card AP is not the first method of the chain. Non-1:N logon is also supported.
- logon_process_id (32 symbol id, required): ID of the logon process. Example: R94moMSOwAekT28PMCbSnuK8UJq0AxlP
Do PKI:1 enroll:
Body
{
"response": {
"card_uid": "1",
"modulus": "bd77dc79a02acda19a9ec6099cd4a........0da58c9ef04a1e2655aac84f23",
"certificate": null,
"exponent": "10001"
},
"login_session_id": "IxJq1C5Gt6VxGeF65YjKl5R99Q70Lf9H"
}
Body
{
"msgid": "AUCORE-3001",
"reason": "",
"msg": "Enrollment complete",
"status": "OK",
"method_id": "PKI:1"
}
Do PKI:1 enroll: POST /api/v1/enroll/{enroll_process_id}/do_enroll
PKI:1 enroll steps:
- Send a request with the public key in modulus+exponent format or a certificate in DER format to do_enroll and check the status
Error reasons:
- PKI_CERT_VALIDATION_FAILED
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do PKI:1 logon:
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {}
}
Body
{ "chains": [ { "image_name": "default",
"is_enabled": True,
"is_trusted": None,
"methods": ["PKI:1"],
"name": "Test-chain",
"position": 0,
"short_name": ""}],
"completed_methods": [],
"current_method": "PKI:1",
"event_data_id": "",
"event_name": "TEST",
"logon_process_id": "kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp",
"msg": "Waiting for an authentication signature",
"plugins": [],
"challenge": "f81e9d6882aca80cbe97e291ee5771aba7cc13facb3c79a5ae924e788bc4f7d2",
"keypair_id": "6f4712e554544ac3",
"subject": "76b3af3dd66649e896b56b51d46cfe93037a793c961ca35586c485d130375e2f",
"reason": "PKI_WAITING_AUTH_SIGN",
"status": "MORE_DATA"
}
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"signature": "58ad84f3a9b7244031aa55c0d....42d123bdb715a153974e992b16d022",
"padding": "PKCS#1",
"hash": "SHA1"
}
}
Body
{ "repo_obj_id": "6104a6ce424b11e5b7ebdc85de0b0889",
"repo_id": "6104a6c5424b11e5b7ebdc85de0b0889",
"logon_process_id": "kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp",
"status": "OK",
"plugins": [],
"msg": "Welcome!",
"current_method": "PKI:1",
"completed_methods": ["PKI:1"],
"chains": [{ "methods": ["ANY"],
"image_name": "default",
"short_name": "",
"position": 1000,
"is_enabled": true,
"is_trusted": null,
"name": "TEST CHAIN"}],
"event_data_id": "",
"user_id": "6104a6cf424b11e5b7ebdc85de0b0889",
"user_name": "LOCAL\ADMIN",
"login_session_id": "DirIO8s41TbT1lm7Dh5BNfK6gRTHhXTl",
"data_id": "",
"event_name": "TEST"
}
Do PKI:1 logon: POST /api/v1/logon/{logon_process_id}/do_logon
PKI:1 logon steps:
- Ask the server for a challenge by sending an empty request to do_logon
- Sign the given challenge on the card or token, send the signature to do_logon and check the status
Error reasons:
- PKI_WAITING_AUTH_SIGN
- PKI_SIGN_VERIFICATION_FAILED
- PKI_CERT_VALIDATION_FAILED
- PKI_WRONG_CARD
- logon_process_id (32 symbol id, required): ID of the logon process. Example: kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp
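The two-step PKI:1 exchange above, as an added example that is not part of this documentation or the appliance's code: a minimal server that hands out a one-time challenge on the empty request, then verifies the PKCS#1/SHA1 signature against the modulus and exponent received at enrollment, and the card-side signing routine. The toy RSA key, the assumption that the card signs the hex-decoded challenge bytes, and the failure status string are constructed for the example.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key (Mersenne primes; insecure, for illustration only).
P, Q, E = (1 << 127) - 1, (1 << 521) - 1, 0x10001
N, D = P * Q, pow(0x10001, -1, (P - 1) * (Q - 1))
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER prefix for SHA-1

def emsa_pkcs1_v15(challenge_hex: str, k: int) -> bytes:
    """RSASSA-PKCS1-v1_5 encoding of SHA1(challenge bytes) for a k-byte modulus.
    Assumption: the signed data is the challenge decoded from hex."""
    t = SHA1_DIGESTINFO + hashlib.sha1(bytes.fromhex(challenge_hex)).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def client_sign(challenge_hex: str) -> str:
    """Card/token side: sign the server's challenge, return the hex signature."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(challenge_hex, k), "big")
    return pow(m, D, N).to_bytes(k, "big").hex()

class PkiLogonServer:
    """Server side of do_logon for PKI:1 (hypothetical; not the appliance's code)."""
    def __init__(self, modulus_hex: str, exponent_hex: str):
        self.n, self.e = int(modulus_hex, 16), int(exponent_hex, 16)  # from enrollment
        self.pending = {}   # logon_process_id -> outstanding one-time challenge

    def do_logon(self, logon_process_id: str, response: dict) -> dict:
        if not response:    # step 1: empty request, hand out a fresh challenge
            challenge = secrets.token_hex(32)
            self.pending[logon_process_id] = challenge
            return {"status": "MORE_DATA", "reason": "PKI_WAITING_AUTH_SIGN",
                    "challenge": challenge}
        failed = {"status": "FAILED", "reason": "PKI_SIGN_VERIFICATION_FAILED"}  # status assumed
        challenge = self.pending.pop(logon_process_id, None)  # consumed: a replay cannot reuse it
        if challenge is None or response.get("padding") != "PKCS#1" \
                or response.get("hash") != "SHA1":
            return failed
        k = (self.n.bit_length() + 7) // 8
        try:
            sig = bytes.fromhex(response.get("signature", ""))
        except ValueError:
            return failed
        if len(sig) != k:
            return failed
        em = pow(int.from_bytes(sig, "big"), self.e, self.n).to_bytes(k, "big")
        if not hmac.compare_digest(em, emsa_pkcs1_v15(challenge, k)):
            return failed
        return {"status": "OK", "msg": "Welcome!", "completed_methods": ["PKI:1"]}
```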
Do FINGER:1 enroll:
Body
{
"response": {
"captures": [
{
"Finger": 1,
"Image": {
"BitsPerPixel": 8,
"BytesPerLine": 300,
"Dpi": 500,
"Height": 300,
"Width": 300,
"captureStatus": "Ok",
"Image": "<image content>"
}
},
{
"Finger": 1,
"Image": {
"BitsPerPixel": 8,
"BytesPerLine": 300,
"Dpi": 500,
"Height": 300,
"Width": 300,
"captureStatus": "Ok",
"Image": "<image content>"
}
}
]
},
"login_session_id": "IxJq1C5Gt6VxGeF65YjKl5R99Q70Lf9H"
}
Body
{
"msgid": "AUCORE-3001",
"reason": "",
"msg": "Enrollment complete",
"status": "OK",
"method_id": "FINGER:1"
}
Body
{
"response": {
"iso": true,
"captures": [
{
"Finger": 1,
"Image": {
"ISO": "<iso finger capture template>",
"captureStatus": "OK"
}
},
{
"Finger": 1,
"Image": {
"ISO": "<iso finger capture template>",
"captureStatus": "OK"
}
}
]
},
"login_session_id": "IxJq1C5Gt6VxGeF65YjKl5R99Q70Lf9H"
}
Body
{
"msgid": "AUCORE-3001",
"reason": "",
"msg": "Enrollment complete",
"status": "OK",
"method_id": "FINGER:1"
}
Do FINGER:1 enroll: POST /api/v1/enroll/{enroll_process_id}/do_enroll
FINGER:1 enroll steps:
- Send a request with the finger images to do_enroll
Field description: Finger: 1, where 1 is the finger id from the list below
Finger ids:
- ANY_FINGER = 0
- RIGHT_THUMB = 1
- LEFT_THUMB = 2
- RIGHT_INDEX = 3
- LEFT_INDEX = 4
- RIGHT_MIDDLE = 5
- LEFT_MIDDLE = 6
- RIGHT_RING = 7
- LEFT_RING = 8
- RIGHT_LITTLE = 9
- LEFT_LITTLE = 10
Image content format:
- BitsPerPixel, integer, bits per pixel; only 8 bits supported now
- BytesPerLine, integer, number of bytes per row
- Width, integer, length of a row in pixels
- Height, integer, number of pixel rows
- Dpi, integer, not used now
- Image, string, base64 encoded string with the image bytes
- captureStatus, string, result of the capture
Template content format:
- ISO, string, base64 encoded string with the ISO content
- captureStatus, string, result of the capture
Error reasons:
- INCORRECT_FINGERS_COUNT
- INCORRECT_CAPTURES_COUNT_PER_FINGER
The UI uses the Device Service by calling this URL: https://127.0.0.1:8442/api/v1/fingerprint/capture. It should return JSON with the captured fingerprint. The Device Service returns the capture in ISO or image format; the type of response depends on the sensor type. So if the Device Service returns ISO, send the ISO as the response, or the image if the Device Service returns an image.
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do FINGER:1 logon:
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"capture": {
"BitsPerPixel": 8,
"BytesPerLine": 300,
"Dpi": 500,
"Height": 300,
"Width": 300,
"captureStatus": "Ok",
"Image": "<image content>"
}
}
}
Body
{
"event_data_id": "",
"msgid": "AUCORE-2001",
"logon_process_id": "kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp",
"login_session_id": "iCFCUvGVK9zlDQtWa018UWKUwuNHEYcn",
"current_method": "FINGER:1",
"chains": [
{
"position": 1000,
"short_name": "",
"grace_period": null,
"methods": [
"FINGER:1"
],
"is_enabled": true,
"name": "TEST CHAIN",
"id_hex": null,
"required_chain_id_hex": null,
"is_trusted": null,
"apply_for_ep_owner": false,
"image_name": "FINGER_1.png"
}
],
"repo_obj_id": "c0fd1ab20b0e11e6b224080027983191",
"plugins": [],
"msg": "Welcome!",
"status": "OK",
"user_id": "84a0a279d391de4b2fd70ea38b46d3ce",
"data_id": "",
"event_name": "",
"repo_id": "c0eeb0ee0b0e11e6b224080027983191",
"completed_methods": [
"FINGER:1"
],
"user_name": "LOCAL\ADMIN"
}
Headers
Content-Type: application/json
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"capture": {
"ISO": "<finger capture's iso template>",
"captureStatus": "OK"
}
}
}
Body
{
"event_data_id": "",
"msgid": "AUCORE-2001",
"logon_process_id": "kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp",
"login_session_id": "iCFCUvGVK9zlDQtWa018UWKUwuNHEYcn",
"current_method": "FINGER:1",
"chains": [
{
"position": 1000,
"short_name": "",
"grace_period": null,
"methods": [
"FINGER:1"
],
"is_enabled": true,
"name": "TEST CHAIN",
"id_hex": null,
"required_chain_id_hex": null,
"is_trusted": null,
"apply_for_ep_owner": false,
"image_name": "FINGER_1.png"
}
],
"repo_obj_id": "c0fd1ab20b0e11e6b224080027983191",
"plugins": [],
"msg": "Welcome!",
"status": "OK",
"user_id": "84a0a279d391de4b2fd70ea38b46d3ce",
"data_id": "",
"event_name": "",
"repo_id": "c0eeb0ee0b0e11e6b224080027983191",
"completed_methods": [
"FINGER:1"
],
"user_name": "LOCAL\ADMIN"
}
Do FINGER:1 logon: POST /api/v1/logon/{logon_process_id}/do_logon
FINGER:1 logon steps:
- Send the finger capture or the finger capture’s ISO template to the server
Image content format:
- BitsPerPixel, integer, bits per pixel; only 8 bits supported now
- BytesPerLine, integer, number of bytes per row
- Width, integer, length of a row in pixels
- Height, integer, number of pixel rows
- Dpi, integer, not used now
- Image, string, base64 encoded string with the image bytes
- captureStatus, string, result of the capture
Template content format:
- ISO, string, base64 encoded string with the ISO content
- captureStatus, string, result of the capture
The UI uses the Device Service by calling this URL: https://127.0.0.1:8442/api/v1/fingerprint/capture. It should return JSON with the captured fingerprint. The Device Service returns the capture in ISO or image format; the type of response depends on the sensor type. So if the Device Service returns ISO, send the ISO as the response, or the image if the Device Service returns an image.
- logon_process_id (32 symbol id, required): ID of the logon process. Example: kytfmodEy4QmcMKgEb9cuGpLpNv9ooYp
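An added validator for the capture formats described in the FINGER:1 enroll and logon sections (example code, not the appliance's own): it checks that an image capture's declared geometry matches its base64 payload (or that an ISO template decodes), that finger ids lie in the 0-10 range, and that an enroll capture list meets the expected counts, returning the page's INCORRECT_FINGERS_COUNT and INCORRECT_CAPTURES_COUNT_PER_FINGER reasons; a single logon capture is checked with check_image_capture alone. The required counts, the reason names for format errors and the failure status string are assumptions.

```python
import base64

MAX_FINGER_ID = 10   # page's finger ids run from 0 (ANY_FINGER) to 10 (LEFT_LITTLE)

def check_image_capture(image):
    """Validate one Image object (image or ISO template form); None when consistent,
    else a reason. Reason names for format errors are assumed, not from the page."""
    if str(image.get("captureStatus", "")).upper() != "OK":   # page uses "Ok" and "OK"
        return "CAPTURE_STATUS_NOT_OK"
    try:
        if "ISO" in image:                       # template form: base64 ISO payload only
            return None if base64.b64decode(image["ISO"], validate=True) else "EMPTY_TEMPLATE"
        bpp, bpl = int(image["BitsPerPixel"]), int(image["BytesPerLine"])
        width, height = int(image["Width"]), int(image["Height"])
        raw = base64.b64decode(image["Image"], validate=True)
    except (KeyError, ValueError, TypeError):
        return "BAD_IMAGE_FIELDS"
    if bpp != 8:                                 # page: only 8 bits per pixel supported now
        return "UNSUPPORTED_BITS_PER_PIXEL"
    if width <= 0 or height <= 0 or bpl < width * bpp // 8:
        return "BAD_DIMENSIONS"
    if len(raw) != bpl * height:                 # declared geometry must match the payload
        return "IMAGE_SIZE_MISMATCH"
    return None

def validate_enroll_captures(captures, fingers_required=1, captures_per_finger=2):
    """Check a do_enroll 'captures' list before accepting it. Required counts are
    assumptions (the page's sample enrolls two captures of finger 1); the failure
    status string is assumed, the count reason names are the page's."""
    per_finger = {}
    for cap in captures:
        finger = cap.get("Finger")
        if not isinstance(finger, int) or not 0 <= finger <= MAX_FINGER_ID:
            return {"status": "FAILED", "reason": "UNKNOWN_FINGER_ID"}
        err = check_image_capture(cap.get("Image", {}))
        if err:
            return {"status": "FAILED", "reason": err}
        per_finger[finger] = per_finger.get(finger, 0) + 1
    if len(per_finger) != fingers_required:
        return {"status": "FAILED", "reason": "INCORRECT_FINGERS_COUNT"}
    if any(n != captures_per_finger for n in per_finger.values()):
        return {"status": "FAILED", "reason": "INCORRECT_CAPTURES_COUNT_PER_FINGER"}
    return {"status": "OK", "reason": "", "msg": "Enrollment complete"}

def sample_capture(finger, width=4, height=3):
    """Constructed 8-bit grayscale capture in the page's image format (not real data)."""
    return {"Finger": finger, "Image": {
        "BitsPerPixel": 8, "BytesPerLine": width, "Dpi": 500, "Height": height,
        "Width": width, "captureStatus": "Ok",
        "Image": base64.b64encode(bytes(range(width * height))).decode()}}
```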
Do BLUETOOTH:1 enroll:
Body
{
"response": {
"address": "aabbccdd",
"name": "Bluetooth device"
},
"login_session_id": "KOYxcRUuuZxDsEhxiycof4XwcuI2lbwk"
}
Body
{
"method_id": "BLUETOOTH:1",
"status": "OK",
"reason": "",
"msg": "Enrollment complete",
"msgid": "AUCORE-3001"
}
Do BLUETOOTH:1 enroll: POST /api/v1/enroll/{enroll_process_id}/do_enroll
BLUETOOTH:1 enroll steps:
- Send the MAC address and device name
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do BLUETOOTH:1 logon:
Body
{
"endpoint_session_id": "4CkX5jecFnGrv4wIoP83ADpVORjk7zqZ"
}
Body
{
"logon_process_id": "tvV9a4UNEf71yvZDxwJQ179SJnHQndmT",
"current_method": "BLUETOOTH:1",
"reason": "BLUETOOTH_WAITING_AUTH_RESPONSE",
"event_data_id": "",
"msgid": "AUCORE-2059",
"plugins": [],
"hashes": [
"66fd6ef831e4ec98957030be94189a78ca3c2986dbed57a3b97985d862c217af"
],
"event_name": "TEST",
"msg": "Waiting for an authentication response",
"chains": [
{
"short_name": "",
"required_chain_id_hex": null,
"position": 0,
"is_enabled": true,
"methods": ["BLUETOOTH:1"],
"image_name": "BLUETOOTH_1.png",
"grace_period": null,
"name": "Test-chain",
"id_hex": "42b312980c8911e69140080027983191",
"apply_for_ep_owner": false,
"is_trusted": null
}
],
"completed_methods": [],
"status": "MORE_DATA"
}
Body
{
"response": {
"address": "aabbccdd"
},
"endpoint_session_id": "4CkX5jecFnGrv4wIoP83ADpVORjk7zqZ"
}
Body
{
"data_id": "",
"logon_process_id": "tvV9a4UNEf71yvZDxwJQ179SJnHQndmT",
"current_method": "BLUETOOTH:1",
"event_data_id": "",
"user_id": "3a76753d7f931751c79fa05d80eb058e",
"repo_id": "42987aa00c8911e69140080027983191",
"msgid": "AUCORE-2001",
"plugins": [],
"repo_obj_id": "42a3962e0c8911e69140080027983191",
"event_name": "TEST",
"msg": "Welcome!",
"chains": [
{
"short_name": "",
"required_chain_id_hex": null,
"position": 0,
"is_enabled": true,
"methods": ["BLUETOOTH:1"],
"image_name": "BLUETOOTH_1.png",
"grace_period": null,
"name": "Test-chain",
"id_hex": "42b312980c8911e69140080027983191",
"apply_for_ep_owner": false,
"is_trusted": null
}
],
"user_name": "LOCAL\USER1",
"completed_methods": ["BLUETOOTH:1"],
"status": "OK",
"login_session_id": "Cga6cvaMTaMTaDp5TLZHPOet29O808VL"
}
Do BLUETOOTH:1 logon: POST /api/v1/logon/do_logon
BLUETOOTH:1 logon steps:
- Send an empty request to do_logon to ask the server for the encrypted MAC address (returned in the hashes field with status MORE_DATA)
- Send the MAC address of the enrolled device to do_logon
Do OAUTH2:1 enroll:
Body
{
"login_session_id": "IxJq1C5Gt6VxGeF65YjKl5R99Q70Lf9H"
}
Body
{
"reason": "",
"method_id": "OAUTH2:1",
"status": "OK",
"msg": ""
}
Do OAUTH2:1 enroll: POST /api/v1/enroll/{enroll_process_id}/do_enroll
OAUTH2:1 enroll steps:
- Send an empty request to do_enroll and check the status
- enroll_process_id (string, required): ID of the enroll process. Example: JHAHdZiRKdaYcPhQUHcPYgYSElFcMBVX
Do OAUTH2:1 logon:
Body
{
"endpoint_session_id": "P7p3JJuenqo0SnyJ4HnbRbbJIqDhtt0u",
"response": {
"access_token": "access_token_value"
}
}
Body
{
"user_id": "4f34e2882991440ddd0fd515e0d0236c",
"completed_methods": [
"OAUTH2:1"
],
"repo_id": "3c9c1fd8061e11e6b224080027983191",
"status": "OK",
"repo_obj_id": "3caa08a0061e11e6b224080027983191",
"event_data_id": "",
"logon_process_id": "jImh3267QFyZ9pXjSGPj5EIhpKKU8Xu9",
"user_name": "LOCAL\ADMIN",
"login_session_id": "TmPxkC98vF4FGhDvqedjXItbmGjVJYTD",
"plugins": [],
"event_name": "",
"chains": [
{
"name": "TEST CHAIN",
"position": 1000,
"id_hex": null,
"apply_for_ep_owner": false,
"required_chain_id_hex": null,
"methods": [
"ANY"
],
"short_name": "",
"image_name": "ANY.png",
"is_trusted": null,
"is_enabled": true,
"grace_period": null
}
],
"current_method": "OAUTH2:1",
"msgid": "AUCORE-2001",
"msg": "Welcome!",
"data_id": ""
}
Do OAUTH2:1 logon: POST /api/v1/logon/{logon_process_id}/do_logon
OAUTH2:1 logon steps:
- Send the access token to do_logon and check the status
Error reasons:
- OAUTH2_WRONG_TOKEN
- INACTIVE_TOKEN
- WRONG_USER
- logon_process_id (32 symbol id, required): ID of the logon process. Example: TTPeglOJxUZ3R8IV3e5vwUgUQACs8fBS
Generated by aglio on 25 Jan 2018