How to set up the HTTP API for Token OTP authentication
This article describes how to set up the HTTP API for Token OTP authentication. Token OTPs can be produced by a mobile app (PhenixID OneTouch, PhenixID PocketPass, Google Authenticator, MS Authenticator, etc.) or by a hardware token (Yubikey, Feitian, etc.).
Prerequisites
- PAS 3.0 or higher installed
- Token OTP app / hardware enrolled (for test)
Authentication
It is recommended to add authentication to the API. These authentication methods are supported:
- Client certificate (recommended).
Use a reverse proxy to add client certificate authentication. Add valves to the pipe(s) to verify the certificate.
- Basic authentication
Add valves to the pipes to perform basic authentication verification.
Add local http-api module
- Log in to Configuration Manager
- Click the Advanced tab
- Open Modules (click on the pen)
- Add this module (if the module is already added, only add the tenant and/or allowedOperation):
{
  "module": "com.phenixidentity~phenix-api-authenticate",
  "enabled": "true",
  "config": {
    "http_configuration_ref": "d8baaa02-2ead-473c-88b8-a7aa08a53332",
    "tenant": [
      {
        "id": "ot",
        "displayName": "Tenant1",
        "allowedOperation": [
          "otp_token_auth"
        ]
      }
    ]
  },
  "id": "authapi_module"
}
- Replace the http_configuration_ref value with the id of the HTTP listener that the API should use
- Click Stage Changes and Commit Changes
- Open NODE_GROUPS (click on the pen)
- Add the id of the newly added module to module_refs. Example below. (You can skip this step if the module was already added.)
{
  "name": "WIN-DHB3ICNDG4E",
  "description": "Default node (created automatically)",
  "config": {
    "module_refs": "authapi_module,sealapp,signapp_1,......"
  },
  "created": "2017-07-03T11:38:03.135Z",
  "id": "493afd0e-0fe8-40e4-b1a1-a24a5e2df6e2",
  "modified": "2017-07-03T14:39:43.257Z"
}
- Click Stage Changes and Commit Changes
Add pipe to verify OTP token
- Click the Advanced tab
- Open Pipes (click on the pen)
- Add this pipe:
{
  "id": "otp_token_auth",
  "description": "OTP Token auth",
  "valves": [
    {
      "name": "ItemCreateValve",
      "config": {
        "dest_id": "{{request.username}}"
      }
    },
    {
      "name": "TokenValidationValve",
      "config": {
        "provided_otp_param_name": "{{request.otp}}",
        "userid_param_name": "{{request.username}}"
      }
    }
  ]
}
- Click Stage Changes and Commit Changes
NB! Please read the TokenValidationValve documentation for additional details (for example, how to verify Yubikey OTPs).
Test
Use an HTTP REST client for testing and debugging. Please review the developer guide for further instructions.
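Before testing against a live server, it helps to check that the three fragments above point at each other correctly. The following Python check is an added example, not part of this article or of the PhenixID product: it flags a placeholder left in http_configuration_ref, a module id missing from module_refs, an allowedOperation with no pipe of the same id, and a pipe without a TokenValidationValve. It assumes, as this article's configuration implies, that each allowed operation is served by the pipe whose id matches it; the listener id set and the node group are constructed sample data.

```python
import json
import re

# Constructed sample input (not a live PAS export): the module, node group and
# pipe fragments from this article, plus the id of the HTTP listener in use.
MODULE = json.loads("""{
  "module": "com.phenixidentity~phenix-api-authenticate", "enabled": "true",
  "config": {"http_configuration_ref": "d8baaa02-2ead-473c-88b8-a7aa08a53332",
             "tenant": [{"id": "ot", "displayName": "Tenant1",
                         "allowedOperation": ["otp_token_auth"]}]},
  "id": "authapi_module"}""")
NODE_GROUP = {"name": "node1", "config": {"module_refs": "authapi_module,sealapp,signapp_1"}}
PIPES = [{"id": "otp_token_auth", "valves": [
    {"name": "ItemCreateValve", "config": {"dest_id": "{{request.username}}"}},
    {"name": "TokenValidationValve", "config": {
        "provided_otp_param_name": "{{request.otp}}",
        "userid_param_name": "{{request.username}}"}}]}]
LISTENER_IDS = {"d8baaa02-2ead-473c-88b8-a7aa08a53332"}  # constructed
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

def check_config(module, node_group, pipes, listener_ids):
    """Return a list of wiring problems; an empty list means the module,
    node group and pipes are consistent with each other and the listeners."""
    problems = []
    cfg = module.get("config", {})
    ref = cfg.get("http_configuration_ref", "")
    if not UUID_RE.match(ref):          # placeholder left in, or mistyped
        problems.append(f"http_configuration_ref is not a UUID: {ref!r}")
    elif ref not in listener_ids:
        problems.append(f"http_configuration_ref {ref} matches no HTTP listener")
    if module.get("enabled") != "true":
        problems.append(f"module {module.get('id')} is not enabled")
    refs = {r.strip() for r in node_group["config"].get("module_refs", "").split(",")}
    if module.get("id") not in refs:    # configured but never loaded by the node
        problems.append(f"module {module.get('id')} missing from node group module_refs")
    pipe_ids = {p["id"] for p in pipes}
    for tenant in cfg.get("tenant", []):
        for op in tenant.get("allowedOperation", []):
            if op not in pipe_ids:      # operation exposed with no pipe behind it
                problems.append(f"tenant {tenant['id']}: operation {op} has no pipe")
    for pipe in pipes:
        names = [v.get("name") for v in pipe.get("valves", [])]
        if "TokenValidationValve" not in names:  # pipe would never check the OTP
            problems.append(f"pipe {pipe['id']} has no TokenValidationValve")
    return problems

if __name__ == "__main__":
    print(check_config(MODULE, NODE_GROUP, PIPES, LISTENER_IDS) or "config wiring OK")
```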