Hello, I've set up an API and in the URL parameters I pass CustomerUserLogin or UserLogin and Password and it works perfectly.
But now I've also set up TwoFactorAuthentication for some of my users and I want to authenticate with the API. I've tried a parameter TwoFactorToken but it didn't work.
If someone knows how to authenticate with TwoFactorAuthentication, please let me know.
Thanks.
OTRS REST API With Two Factor Authentication
Moderator: crythias
-
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: OTRS REST API With Two Factor Authentication
Rúben Neto wrote: in the URL parameters I pass CustomerUserLogin or UserLogin and Password and it works perfectly.
I'd strongly recommend some other way of passing authorized creds. Or at least trusting the source of the creds so you can accept the username and maybe a keyhash instead of a plaintext password.
Rúben Neto wrote: But now I've also set up TwoFactorAuthentication for some of my users and I want to authenticate with the API.
My suggestion would be to ignore the MFA in the API or make sure the MFA works in the source authentication.
There are a lot of missing pieces to discuss to get this to be proper for your implementation. You are showing us in your screenshot how insecure your app is in the first place. There is never any good reason a password should be visible in a URI/URL.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
- Znuny newbie
- Posts: 4
- Joined: 29 Mar 2021, 05:05
- Znuny Version: 6.0.30
- Real Name: Rúben Neto
Re: OTRS REST API With Two Factor Authentication
crythias wrote: You are showing us in your screenshot how insecure your app is in the first place.
I understand it is insecure, I am just testing, but if wanted, what methods for authentication does OTRS provide? Can I send a JSON body with the information, OAuth, or do it with headers (Authorization Basic or a token)?
crythias wrote: My suggestion would be to ignore the MFA in the API or make sure the MFA works in the source authentication.
Is there a setting to disable MFA for the API in OTRS?
-
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: OTRS REST API With Two Factor Authentication
Among other methods, I'd lean toward the HTTPBasicAuth and then focus on the web server's authentication.
https://doc.otrs.com/doc/manual/admin/6 ... h-backends
It really depends on what is the source of the data. I'm personally using AzureAD with Auth0 for SSO. Although I've also used Kerberos. But in both cases I've changed authentication to HTTPBasicAuth and focused on external authentication.
https://doc.otrs.com/doc/manual/admin/6 ... .12.10.7.4
viewtopic.php?f=60&t=42397
But this doesn't necessarily address the API part of it (except the idea that the API is available through the web interface).
I may not be the best source of information on this, so if you don't hear from me, it's just because I don't hang out too much here. Maybe someone else might be able to assist.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
- Znuny newbie
- Posts: 4
- Joined: 29 Mar 2021, 05:05
- Znuny Version: 6.0.30
- Real Name: Rúben Neto
Re: OTRS REST API With Two Factor Authentication
crythias wrote: ↑27 Apr 2021, 19:48 Among other methods, I'd lean toward the HTTPBasicAuth and then focus on the web server's authentication.
https://doc.otrs.com/doc/manual/admin/6 ... h-backends
It really depends on what is the source of the data. I'm personally using AzureAD with Auth0 for SSO. Although I've also used Kerberos. But in both cases I've changed authentication to HTTPBasicAuth and focused on external authentication.
https://doc.otrs.com/doc/manual/admin/6 ... .12.10.7.4
viewtopic.php?f=60&t=42397
But this doesn't necessarily address the API part of it (except the idea that the API is available through the web interface).
I may not be the best source of information on this, so if you don't hear from me, it's just because I don't hang out too much here. Maybe someone else might be able to assist.
Thanks for the help.
Any idea on how to disable/ignore MFA for the API? Is there any configuration I can do in the web service or in the system configuration?
-
- Administrator
- Posts: 3981
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: OTRS REST API With Two Factor Authentication
Hi,
You should be able to use an additional AuthModule without 2FA to solve this. Znuny / OTRS uses 2FA only if there is a matching module configured for the AuthModule:
- AuthModule needs AuthTwoFactorModule
- AuthModule1 needs AuthTwoFactorModule1
- ...
- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
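A concrete form of the configuration Roy describes, as an added example that is not from this thread or from the Znuny/OTRS project: a Kernel/Config.pm fragment for OTRS 6 / Znuny 6 with a two-factor-protected module 0 for interactive agents and a second module with no AuthTwoFactorModule1, which is the one the API client authenticates through. Kernel::System::Auth::DB, Kernel::System::Auth::HTTPBasicAuth and Kernel::System::Auth::TwoFactor::GoogleAuthenticator are the stock OTRS 6 backend names; choosing HTTPBasicAuth for the API path, the Apache snippet that restricts it, and the file paths in it are assumptions for illustration.

```perl
# Kernel/Config.pm (OTRS 6 / Znuny 6) - added example, not the project's own config.
# Kernel::System::Auth walks AuthModule, AuthModule1, ... in order and takes the
# first backend that accepts the login; the second factor is enforced for module N
# only when AuthTwoFactorModuleN is set.

# --- Module 0: interactive agent login, DB password + TOTP second factor ---
$Self->{'AuthModule'}          = 'Kernel::System::Auth::DB';
$Self->{'AuthTwoFactorModule'} = 'Kernel::System::Auth::TwoFactor::GoogleAuthenticator';
# Agents who have not enrolled a secret yet may still log in without a token.
$Self->{'AuthTwoFactorModule::AllowEmptySecret'} = 1;

# --- Module 1: API clients, no second factor ---
# Deliberately NO $Self->{'AuthTwoFactorModule1'} entry.
#
# Weak variant (do not use): pointing module 1 at the same DB backend,
#   $Self->{'AuthModule1'} = 'Kernel::System::Auth::DB';
# would let every agent skip 2FA, because a password-only attempt that fails
# module 0 for lack of a token is simply retried against module 1 and succeeds.
#
# Tighter variant: let the web server vouch for the API identity and have OTRS
# trust REMOTE_USER on that path only (assumption: HTTPBasicAuth is honoured for
# the generic-interface handler in your deployment; confirm on a test system).
$Self->{'AuthModule1'} = 'Kernel::System::Auth::HTTPBasicAuth';

# Matching Apache fragment (assumed layout; adjust the Location and AuthUserFile):
#   <Location /otrs/nph-genericinterface.pl>
#       AuthType Basic
#       AuthName "OTRS API"
#       AuthUserFile /etc/otrs/api.htpasswd
#       Require valid-user
#   </Location>
# The account name in api.htpasswd must be an existing agent login, because the
# backend returns REMOTE_USER and Kernel::System::Auth then looks that agent up.
# Interactive logins through index.pl never reach a Basic-protected location, so
# REMOTE_USER is empty there and module 1 cannot be used to dodge module 0's 2FA.
```

With this in place the API password travels in the Authorization header over TLS rather than in the URL (the point crythias raised above), and only the service account the web server knows about can satisfy module 1.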
-
- Znuny newbie
- Posts: 4
- Joined: 29 Mar 2021, 05:05
- Znuny Version: 6.0.30
- Real Name: Rúben Neto
Re: OTRS REST API With Two Factor Authentication
Thanks, I got it working.
Re: OTRS REST API With Two Factor Authentication
Hello, how are you? The same thing is happening to me since implementing Two Factor. Could you give more detail on the solution you found? Thanks in advance.
It should be noted that before implementing Two Factor I used this code, which worked perfectly...
$body = "{ `"UserLogin`": `"$UserName`", `"Password`": `"$Password`", `"ConfigItem`": { `"Class`": `"Servidores Virtuales`", `"Name`": `"*$NameCsv*`" }}"
CODE WITH ERROR:
$body = "{ `"UserLogin`": `"$UserName`", `"Password`": `"$Password`", `"TwoFactorToken`": `"$pin`", `"ConfigItem`": { `"Class`": `"Servidores Virtuales`", `"Name`": `"*$NameCsv*`" }}"