Versions Compared

Old Version 5

changes.mady.by.user Nick Day

Saved on

compared with

New Version Current

changes.mady.by.user John Sinclair

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


 

Table of Contents

Overview

...

To enable token authentication, a few configuration settings must be added to to /usr/local/omk/conf/opCommon.nmis for legacy modules or /usr/local/omk/conf/opCommon.json for current:

  1. One or more shared keys must be set up in auth_token_key,
  2. optionally, the maximum validity for tokens may be specified in auth_token_maxage,
  3. and finally, the authentication method token must be added as one of the three supported authentication methods.

...

If you need to direct the user to a particular page rather than their Default page/Dashboard you can extend the authentication URL with "?redirect_url="  for example with the token above we can direct someone directly to the topn page as follows:

https://testsystem1.opmantek.com/omk/opCharts/login/53616c7465645f5fd95eadb039692ea599441f8089daf1d7f04ab9ccf479e37fb3afda85b3044f4cde5b15844e9be616?redirect_url=omk/opCharts//omk/opCharts/topn

Once someone is authenticated the client has accessed the first time page, they have suitable been issued auth cookies and all standard URLs work without the token strings work fine (until the time out is reached of course)string in the URL.  You will want to consider how the user is handled to re-authenticate them if the session expires.

Using the token based authentication in the header

We can make API requests against the Opmantek product by passing your generated token within the header of your request.

Code Block
languagebash
Authorization: Token <data>


Token Content and Interoperability Notes

...

Code Block
#!/usr/bin/perl
use strict;
use Crypt::CBC;

my ($key, $username, $tokentime) = @ARGV;
die "Usage: $0 <key> <username> [timestamp]
key: passphrase of arbitrary length.
timestamp: optional, default: now\n"
        if (!$key or !$username or (defined $tokentime && !int($tokentime)));
$tokentime ||= time;

#  what goes into the token? the token time stamp (in unix-seconds, UTC),
# as a plain string, followed by exactly one space and the username.
my $plain = $tokentime." ".$username;

# defaults: RFC2898/pkcs#5 padding, openssl-compatible salted header mode,
# and openssl-compatible key derivation function (PBKDF) -
# see https://www.openssl.org/docs/man1.1.0/crypto/EVP_BytesToKey.html
# but crypt::cbc's default keysize is an incompatible 64 bits
my $engine = Crypt::CBC->new(-key => $key,
                                                         -cipher => "Rijndael",
                                                         -keysize => 128/8);
my $crypted = $engine->encrypt_hex($plain);

print $crypted,"\n";
exit 0;

 


Shell using the OpenSSL CLI

...

Code Block
#!/bin/sh
KEY=$1
USER=$2
TEMPFILE=`mktemp /tmp/gentoken.XXXXXX`
NOW=`date +%s`
echo -n "$NOW $USER" > $TEMPFILE
# see man enc: -salt -e are default, could be omitted;
# openssl requires a real file as input, so we need a temp file
# hexdump converts the binary bytes into their hex representation
openssl aes-128-cbc -in $TEMPFILE -salt -e -pass "pass:$KEY" | \
        hexdump -v -e '/1 "%02x"'
echo
rm -f $TEMPFILE
exit 0

...


Python
Python's pycrypto module should contain everything  required, except the OpenSSL-specific PBKDF which can be found  here.