Table of Contents |
---|
Overview
...
To enable token authentication, a few configuration settings must be added to to /usr/local/omk/conf/opCommon.nmis
for legacy modules or /usr/local/omk/conf/opCommon.json
for current:
- One or more shared keys must be set up in
auth_token_key
, - optionally, the maximum validity for tokens may be specified in
auth_token_maxage
, - and finally, the authentication method
token
must be added as one of the three supported authentication methods.
...
Once the client has accessed the first page, they have been issued auth cookies and all standard URLs work without the token string in the URL. You will want to consider how the user is handled to re-authenticate them if the session expires.
Using the token based authentication in the header
We can make API requests against the Opmantek product by passing your generated token within the header of your request.
Code Block | ||
---|---|---|
| ||
Authorization: Token <data> |
Token Content and Interoperability Notes
...
Code Block |
---|
#!/usr/bin/perl use strict; use Crypt::CBC; my ($key, $username, $tokentime) = @ARGV; die "Usage: $0 <key> <username> [timestamp] key: passphrase of arbitrary length. timestamp: optional, default: now\n" if (!$key or !$username or (defined $tokentime && !int($tokentime))); $tokentime ||= time; # what goes into the token? the token time stamp (in unix-seconds, UTC), # as a plain string, followed by exactly one space and the username. my $plain = $tokentime." ".$username; # defaults: RFC2898/pkcs#5 padding, openssl-compatible salted header mode, # and openssl-compatible key derivation function (PBKDF) - # see https://www.openssl.org/docs/man1.1.0/crypto/EVP_BytesToKey.html # but crypt::cbc's default keysize is an incompatible 64 bits my $engine = Crypt::CBC->new(-key => $key, -cipher => "Rijndael", -keysize => 128/8); my $crypted = $engine->encrypt_hex($plain); print $crypted,"\n"; exit 0; |
Shell using the OpenSSL CLI
...
Code Block |
---|
#!/bin/sh KEY=$1 USER=$2 TEMPFILE=`mktemp /tmp/gentoken.XXXXXX` NOW=`date +%s` echo -n "$NOW $USER" > $TEMPFILE # see man enc: -salt -e are default, could be omitted; # openssl requires a real file as input, so we need a temp file # hexdump converts the binary bytes into their hex representation openssl aes-128-cbc -in $TEMPFILE -salt -e -pass "pass:$KEY" | \ hexdump -v -e '/1 "%02x"' echo rm -f $TEMPFILE exit 0 |
...
Python
Python's pycrypto module should contain everything required, except the OpenSSL-specific PBKDF which can be found here.