On Monday, 25.01.2016, 01:28 -0800, MKS wrote:
> Hello, Cornelius
>
> On Monday, January 25, 2016 at 10:45:53 AM UTC+2, Cornelius Kölbel wrote:
> On Thursday, 21.01.2016, 02:59 -0800, MKS wrote:
> > Thank you, I moved one step forward.
> > Now I'm trying to check whether the user really has an SMS token
> > configured when he presses the "Get SMS" button (which uses the
> > /validate/check URL).
> >
> > For a user with a disabled SMS token I'm still getting:
> > "detail": {"message": "Enter the OTP from the SMS:"}, "versionnumber": "2.9", "version": "privacyIDEA 2.9", "result": {"status": true, "value": false}, "time": 1453372931.413365, "id": 1}
>
> If the SMS token is disabled the SMS should not be sent, since
> authentication will not work anyway. Do you receive an SMS?
> Maybe we might have to do a small fix here.
> No SMS was sent. But our login script would be confusing for
> users during the login process, with this message from privacyIDEA.
You may check for the transaction_id.
Meanwhile, I will see to not return detail->message if the token is
inactive.
>
>
> >
> > For a user without SMS tokens the response is the same as for a user
> > with a wrong password:
> > "detail": {"message": "wrong otp pin"}, "versionnumber": "2.9", "version": "privacyIDEA 2.9", "result": {"status": true, "value": false}, "time": 1453373017.457972, "id": 1}
>
> I assume the user has another token and thus you get this response.
>
> Yes.
That is the reason why.
>
>
> >
> > As far as I understand I should stick to status-value pairs for all
> > checks via the API, but what condition should be used to tell that the
> > user has no option to get an SMS and hide the "Get SMS" button for him
> > after the first try?
>
> There is no simple way to receive this information.
> In fact it would leak information for the attacker, wouldn't it?
>
> Well, since privacyIDEA has policies, maybe it would be possible to have
> some trusted subnet for internal users or something like this.
> BTW, is it possible to have an additional key for the API to specify the
> real user IP? The same thing as mod_rpaf does for Apache when it is sitting
> behind Nginx. In the current configuration I'm planning to hide the
> privacyIDEA check URL and restrict it for all, except the server with the
> TFA login page. So all requests to check would arrive from a single IP
> address.
You did not explain your setup and I do not understand it.
Please take a look at the services for specific consultancy.
https://netknights.it/en/leistungen/support/
Kind regards
Cornelius
>
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/f15b75b7-e6e0-4867-b357-a0f865ac2e38%40googlegroups.com.
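Added example (not code from the thread and not privacyIDEA's own code) of how a login script could act on the /validate/check responses discussed above: it keys on the presence of detail.transaction_id, as Cornelius suggests, and never on detail.message, so a user without a usable SMS token gets the same generic failure text as a user with a wrong PIN. The sample bodies are constructed to match the shape of the two responses quoted in the thread; the challenge body carrying a transaction_id and the error body with result.status false are assumptions about what a working SMS token and a failed request return, and the transaction_id value is made up. The follow-up form fields (user, pass, transaction_id) are the documented /validate/check parameters for answering a challenge.

```python
"""Classify privacyIDEA /validate/check responses for a two-step SMS login.

Added example, not code from the mailing-list thread or from privacyIDEA.
Sample bodies are constructed (not captured from a live server); the
challenge body with "transaction_id" and the error body are assumed shapes.
"""
import json

# Constructed: what an enabled SMS token is assumed to return after the
# PIN was accepted and the SMS was triggered (transaction_id value is made up).
SAMPLE_CHALLENGE = json.dumps({
    "detail": {"message": "Enter the OTP from the SMS:",
               "transaction_id": "0123456789abcdef"},
    "result": {"status": True, "value": False},
    "version": "privacyIDEA 2.9", "versionnumber": "2.9",
    "time": 1453372931.413365, "id": 1,
})

# Constructed from the thread: disabled SMS token, message but no transaction.
SAMPLE_DISABLED_TOKEN = json.dumps({
    "detail": {"message": "Enter the OTP from the SMS:"},
    "result": {"status": True, "value": False},
    "version": "privacyIDEA 2.9", "versionnumber": "2.9",
    "time": 1453372931.413365, "id": 1,
})

# Constructed from the thread: no SMS token / wrong PIN.
SAMPLE_WRONG_PIN = json.dumps({
    "detail": {"message": "wrong otp pin"},
    "result": {"status": True, "value": False},
    "version": "privacyIDEA 2.9", "versionnumber": "2.9",
    "time": 1453373017.457972, "id": 1,
})

# Constructed: successful second step.
SAMPLE_SUCCESS = json.dumps({
    "detail": {"message": "matching 1 tokens"},
    "result": {"status": True, "value": True},
    "version": "privacyIDEA 2.9", "versionnumber": "2.9",
    "time": 1453373100.0, "id": 1,
})

# Constructed: request-level failure (assumed shape, only result.status used).
SAMPLE_ERROR = json.dumps({"result": {"status": False}, "id": 1})


def classify(body: str) -> str:
    """Map a /validate/check JSON body to one of four outcomes.

    'authenticated' : result.value is true
    'challenge'     : PIN accepted, SMS triggered, transaction_id present
    'failed'        : wrong PIN/OTP, disabled token, or no SMS token at all
    'error'         : the request itself failed (result.status false)
    """
    resp = json.loads(body)
    result = resp.get("result") or {}
    detail = resp.get("detail") or {}
    if result.get("status") is not True:
        return "error"
    if result.get("value") is True:
        return "authenticated"
    if detail.get("transaction_id"):
        return "challenge"
    return "failed"


def ui_action(body: str) -> dict:
    """Decide what the login page shows next, without echoing detail.message.

    Failures and errors deliberately collapse into one generic message so the
    page does not reveal whether the account has an SMS token.
    """
    kind = classify(body)
    if kind == "authenticated":
        return {"state": "done", "show_otp_field": False,
                "message": "Login successful."}
    if kind == "challenge":
        tid = json.loads(body)["detail"]["transaction_id"]
        return {"state": "otp", "show_otp_field": True,
                "transaction_id": tid,
                "message": "Enter the code you received."}
    return {"state": "retry", "show_otp_field": False,
            "message": "Login failed."}


def second_step_params(user: str, otp: str, transaction_id: str) -> dict:
    """Form fields for the follow-up POST to /validate/check.

    'pass' carries the OTP only; the transaction_id ties the answer to the
    challenge that triggered the SMS.
    """
    return {"user": user, "pass": otp, "transaction_id": transaction_id}
```

The script keeps the "Get SMS" button visible after a failure because, as the thread notes, the API gives no safe way to learn whether the account has an SMS token; what it can do is avoid surfacing the server's prompt text to the user when no challenge was actually opened.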