16.2.1.15.5. HOTP Token

class privacyidea.lib.tokens.hotptoken.HotpTokenClass(db_token)[source]

HOTP token class implementation (RFC 4226 event-based OTP).

Create a new HOTP Token object.

Parameters:

db_token (DB object) – instance of the orm db object

can_verify_enrollment = True
check_otp(anOtpVal, counter=None, window=None, options=None)[source]

Check whether the given OTP value is valid for this token.

Parameters:
  • anOtpVal (string) – the OTP value to be verified

  • counter (int) – the counter state that should be verified

  • window (int) – the look-ahead window, i.e. the counter values from counter up to counter + window are checked

  • options (dict) – the dict, which could contain token specific info

Returns:

the counter state or -1

Return type:

int

check_otp_exist(otp: str, window: int = 10, symetric: bool = False, inc_counter: bool = True, counter: int = None) int[source]

Checks whether the given OTP value belongs to this very token. This is used for autoassignment and to determine the serial number of a token from an OTP value.

Parameters:
  • otp – the OTP value to be verified

  • window – the lookahead window for the counter

  • inc_counter – True if the counter shall be increased for a valid OTP, False otherwise

  • counter – The counter to be used to calculate the correct OTP value. If None the internal counter of the token is used.

Returns:

the matching counter, or -1 if the OTP does not exist

desc_hash_func = l'Specify the hashing function to be used. Can be SHA1, SHA256 or SHA512.'
desc_otp_len = l'Specify the OTP length to be used. Can be 6 or 8 digits.'
desc_two_step_admin = l'Specify whether admins are allowed or forced to use two-step enrollment.'
desc_two_step_user = l'Specify whether users are allowed or forced to use two-step enrollment.'
classmethod enroll_via_validate(g, content, user_obj, message=None)[source]

This class method is used in the policy ENROLL_VIA_MULTICHALLENGE. It enrolls a new token of this type and returns the necessary information to the client by modifying the content.

Parameters:
  • g – context object

  • content – The content of a response

  • user_obj – A user object

  • message – An alternative message displayed to the user during enrollment

Returns:

None, the content is modified

export_token(export_user: bool = False) dict[source]

Create a dictionary with the token information that can be exported.

generate_symmetric_key(server_component, client_component, options=None)[source]

Generate a composite key from a server and client component using a PBKDF2-based scheme.

Parameters:
  • server_component (hex string) – the component usually generated by privacyIDEA

  • client_component (hex string) – the component usually generated by the client (e.g. a smartphone app)

  • options

Returns:

the newly generated key as a hex string

Return type:

str
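As an added illustration of the two-step scheme described above (this is example code, not privacyIDEA's generate_symmetric_key), the block below combines a server and a client component, both given as hex strings, into one symmetric key with PBKDF2-HMAC. Which component acts as the PBKDF2 password and which as the salt, the round count, the digest and the output length are all assumptions made here for the example; the project's configured values may differ. The two component values are constructed for the demo.

```python
import binascii
import hashlib
import secrets

# Assumed parameters for this illustration (not privacyIDEA's configured values):
# the client component is used as the PBKDF2 password and the server component
# as the salt, so neither side alone determines the final HOTP secret.
PBKDF2_ROUNDS = 10000
KEY_LEN_BYTES = 20  # 160-bit HMAC key, the natural size for a SHA1 HOTP token

# Constructed sample components (hex strings, as in the API above).
SERVER_COMPONENT = "0102030405060708090a0b0c0d0e0f1011121314"
CLIENT_COMPONENT = "a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4"


def generate_symmetric_key(server_component: str, client_component: str,
                           rounds: int = PBKDF2_ROUNDS,
                           key_len: int = KEY_LEN_BYTES,
                           hash_name: str = "sha1") -> str:
    """Combine two hex components into one hex key via PBKDF2-HMAC.

    Both inputs must be valid hex; an odd-length or non-hex string raises
    binascii.Error, an empty component raises ValueError.
    """
    server_bytes = binascii.unhexlify(server_component)
    client_bytes = binascii.unhexlify(client_component)
    if not server_bytes or not client_bytes:
        raise ValueError("both components must be non-empty")
    key = hashlib.pbkdf2_hmac(hash_name, client_bytes, server_bytes,
                              rounds, key_len)
    return binascii.hexlify(key).decode("ascii")


def new_server_component(nbytes: int = 20) -> str:
    """Fresh random server component, hex encoded (CSPRNG-backed)."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    print(generate_symmetric_key(SERVER_COMPONENT, CLIENT_COMPONENT))
```

The derived key is deterministic for a given pair of components, so server and client can each compute it independently, and the server's stored component on its own does not reveal the key. The example uses 10000 rounds, which is a constructed value, not the project's default.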

static get_class_info(key=None, ret='all')[source]

Returns a subtree of the token definition. Used by lib.token.get_token_info.

Parameters:
  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found

Returns:

subsection if key exists or user defined

Return type:

dict

static get_class_prefix()[source]

Return the prefix that is used for the serial numbers.

Returns:

oath

static get_class_type()[source]

Return the token type shortname.

Returns:

‘hotp’

Return type:

string

classmethod get_default_settings(g, params)[source]

This method returns a dictionary with default settings for token enrollment. These default settings are defined in SCOPE.USER or SCOPE.ADMIN and are hotp_hashlib, hotp_otplen. If these are set, the user or admin will only be able to enroll tokens with these values.

The returned dictionary is added to the parameters of the API call.

Parameters:
  • g – context object, see documentation of Match

  • params (dict) – The call parameters

Returns:

default parameters

get_enroll_url(user: User, params: dict) str[source]

Return the URL to enroll this token.

Parameters:
  • user – The user object

  • params – Further parameters

Returns:

The URL containing all required information to enroll the token

static get_import_csv(l)[source]

Read the list from a CSV file and return a dictionary that can be used to do a token_init.

Parameters:

l (list) – the fields of one line of a CSV file, as a list

Returns:

A dictionary of init params

get_init_detail(params=None, user=None)[source]

To complete the token initialization, some additional details should be returned, which are displayed at the end of the token initialization. This is, e.g., the enrollment URL for a Google Authenticator.

get_multi_otp(count=0, epoch_start=0, epoch_end=0, curTime=None, timestamp=None, counter_index=False)[source]

Return a dictionary of multiple future OTP values of the HOTP/HMAC token.

WARNING: the dict that is returned contains a sequence number as key.

This is NOT the OTP counter!

Parameters:
  • count (int) – how many otp values should be returned

  • epoch_start – Not used in HOTP

  • epoch_end – Not used in HOTP

  • curTime – Not used in HOTP

  • timestamp – not used in HOTP

  • counter_index – whether the counter should be used as index

Returns:

tuple of status: boolean, error: text and the OTP dictionary

get_otp(current_time=None)[source]

Return the next OTP value.

Parameters:

current_time – Not Used in HOTP

Returns:

next OTP value and PIN if possible

Return type:

tuple

static get_setting_type(key)[source]

This function returns the type of the token specific config/setting. This way a token class can define settings that are “public” or a “password”. If such a setting is written to the database, the type of the setting is set automatically in set_privacyidea_config.

The key name needs to start with the token type.

Parameters:

key – The token specific setting key

Returns:

A string like “public”

static get_sync_timeout()[source]

Get the token sync timeout value.

Returns:

timeout value in seconds

Return type:

int

has_further_challenge(options=None)[source]

Parameters:

options

Returns:

property hashlib

import_token(token_information: dict)[source]

Import an HOTP token.

classmethod is_multichallenge_enrollable()[source]

is_previous_otp(otp)[source]

Check if the OTP value was previously used.

Parameters:

otp

Returns:

prepare_verify_enrollment(options=None)[source]

This is called if the token should be enrolled in a way that requires the user to provide a proof which the server can verify, showing that the token was successfully enrolled. E.g. with HOTP tokens the user might need to provide a correct OTP value.

The returned dictionary is added to the response in “detail” -> “verify”.

Returns:

A dictionary with information that is needed to trigger the verification.

previous_otp_offset = 1
resync(otp1, otp2, options=None)[source]

Resync the token based on two consecutive OTP values.

Parameters:
  • otp1 (string) – the first OTP value

  • otp2 (string) – the second OTP value

  • options (dict or None) – optional token specific parameters

Returns:

the new counter, or -1 if the OTP values do not match

Return type:

int
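The following added example (not privacyIDEA's own code) works through what check_otp, check_otp_exist and resync above do for an HOTP token: RFC 4226 OTP generation with the SHA1/SHA256/SHA512 and 6/8-digit options this class exposes, a windowed look-ahead check that advances the counter past a match so an accepted OTP cannot be replayed, and a resync from two consecutive OTP values over a wider window. The HotpToken class, its method signatures and the window defaults are assumptions made for the example; the key is the RFC 4226 Appendix D test key, whose first ten 6-digit SHA1 values are published there.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test key (ASCII "12345678901234567890"); used here as a
# known-answer input, never as a real token secret.
RFC4226_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, hash_name: str = "sha1") -> str:
    """RFC 4226: HMAC(key, 8-byte big-endian counter), dynamic truncation,
    then reduce modulo 10^digits. SHA256/SHA512 follow the RFC 6238 variant."""
    if digits not in (6, 8):
        raise ValueError("OTP length must be 6 or 8 digits")
    if hash_name not in ("sha1", "sha256", "sha512"):
        raise ValueError("hash function must be sha1, sha256 or sha512")
    mac = hmac.new(key, struct.pack(">Q", counter), hash_name).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpToken:
    """Minimal server-side HOTP token state: secret, parameters and counter.
    (Illustrative class, not privacyIDEA's HotpTokenClass.)"""

    def __init__(self, key: bytes, digits: int = 6, hash_name: str = "sha1",
                 counter: int = 0):
        self.key = key
        self.digits = digits
        self.hash_name = hash_name
        self.counter = counter  # next counter value that is still unused

    def _matches(self, otp: str, counter: int) -> bool:
        # Constant-time comparison; non-ASCII or wrong-length input never matches.
        if not (otp.isascii() and otp.isdigit() and len(otp) == self.digits):
            return False
        expected = hotp(self.key, counter, self.digits, self.hash_name)
        return hmac.compare_digest(expected, otp)

    def check_otp(self, otp: str, window: int = 10) -> int:
        """Check counters self.counter .. self.counter+window-1.
        On a match, move the counter past it and return the matched counter;
        return -1 otherwise. Counters below self.counter are never accepted,
        which is what makes a used OTP non-replayable."""
        for c in range(self.counter, self.counter + window):
            if self._matches(otp, c):
                self.counter = c + 1
                return c
        return -1

    def resync(self, otp1: str, otp2: str, window: int = 1000) -> int:
        """Accept two consecutive OTPs anywhere in a wide window (a token that
        was pressed many times offline). Returns the new counter or -1."""
        for c in range(self.counter, self.counter + window):
            if self._matches(otp1, c) and self._matches(otp2, c + 1):
                self.counter = c + 2
                return c + 1
        return -1


def demo() -> dict:
    """Run the RFC 4226 known-answer checks and a replay/resync sequence."""
    token = HotpToken(RFC4226_KEY)
    result = {"otp0": hotp(RFC4226_KEY, 0)}
    result["match3"] = token.check_otp("969429")      # counter 3 within window
    result["replay3"] = token.check_otp("969429")     # same OTP again: rejected
    result["resync"] = token.resync("287922", "162583")  # counters 6 and 7
    result["after_resync"] = token.check_otp("399871")   # counter 8
    return result


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing: the counter only ever moves forward, so any OTP at or below the last accepted counter is rejected regardless of the window, and resync demands two consecutive values, which keeps a single guessed OTP from jumping the counter far ahead.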

update(param, reset_failcount=True)[source]

Process the initialization parameters.

Do we really always need an otpkey? The otpKey is handled in the parent class.

Parameters:
  • param (dict) – dict of initialization parameters

  • reset_failcount (bool) – reset the failcount

verify_enrollment(verify)[source]

This is called during the second step of the verified enrollment. This method verifies the actual response from the user and returns True if the verification was successful.

Parameters:

verify – The response given by the user

Returns:

True