Moderator: crythias
I'd strongly recommend some other way of passing authorized creds. Or at least trusting the source of the creds so you can accept the username and maybe a keyhash instead of a plaintext password.in the url parameters I pass CustomerUserLogin or UserLogin and Password and it works perfectly.
My suggestion would be to ignore the MFA in the api or make sure the MFA works in the source authentication.But now I've also setup TwoFactorAuthentication for some of my users and I want to authenticate with the api.
I understand it is insecure, I am just testing, but if wanted what methods for authentication does OTRS provide, can I send a JSON body with the information, oAuth or do with headers Authorization Basic or a token??You are showing us in your screenshot how insecure your app is in the first place.
Is there a setting to disable MFA for the api in OTRS?My suggestion would be to ignore the MFA in the api or make sure the MFA works in the source authentication.
Thanks for the help.crythias wrote: ↑27 Apr 2021, 19:48 Among other methods, I'd lean toward the HTTPBasicAuth and then focus on the web server's authentication.
https://doc.otrs.com/doc/manual/admin/6 ... h-backends
It really depends on what is the source of the data. I'm personally using AzureAD with Auth0 for SSO. Although I've also used Kerberos. But in both cases I've changed authentication to HTTPBasicAuth and focused on external authentication.
https://doc.otrs.com/doc/manual/admin/6 ... .12.10.7.4
viewtopic.php?f=60&t=42397
But this doesn't necessarily address the API part of it (except the idea that the API is available through the web interface).
I may not be the best source of information on this, so if you don't hear from me, it's just because I don't hang out too much here. Maybe someone else might be able to assist.
Thanks, I got it working.
