Skip to main content
Version: 2.82.x.x LTS

IdmShareOTPState

This AuthState is a processing AuthState.

This IDM auth plug-in is used for exposing OATH credentials to the user.

TopicDescription
Classch.nevis.idm.authstate.IdmShareOTPState
LoggingIdmAuth
MarkerNone
Propertiescredential.id: The extId of the credential for which the QR code of the credential needs to be displayed. (Required)
resultCondition: The condition when the attributes should be cleared from the session and the transition OK should be set. The default configuration is triggered if the "inargs" parameter "result" is set. This is equivalent to clicking a button with the name "result". Default: "${inargs:result}"
client.name (defined in the chapter "Default input properties")
Methodsprocess (all events)
Input
Transitionsok: The secret was shared successfully.
failed: The authentication failed. More info can be found in the error attributes of the response and in the log.
showGui: The QR code is fetched successfully and put in the session for displaying.
This transition is deprecated. Use the default transition instead.
secretAlreadyShared: The secret of the OATH credential was already shared. It is not possible to share it again.
noCredential: The user does not have a credential with the specified type in nevisIDM. Use transition to fallback to another (strong) authentication mechanism.
clientNotFound: No client was provided or no client was found with the provided name or extId.
OutputThe following attributes will be written into notes after successful retrieval:
  • oath_qrcode: The base64 encoded QR code image (PNG).
  • oath_qrcodeContent: The content of the QR code in plain string. It is the concatenation of the OATH attributes in a URL format. For example: otpauth://totp/Issuer:Account?secret=JBSWY3DPEHPK3PXP&issuer=Issuer&algorithm=SHA1&digits=6
  • oath_type: The type of the OATH credential. It can be "hotp" or "totp"
  • oath_algorithm: The hashing algorithm used to calculate the tokens.
  • oath_digits: The length of the generated token.
  • oath_period:The time window how long a totp token is valid in seconds.
  • oath_counter:The current state of the OATH counter.
  • oath_account: The account name. This will be shown in the Mobile App for User.
  • oath_issuer: The issuer is indicating the provider or service this OATH credential is associated with.
  • oath_secret: The secret that is required to initialize the mobile application.
Errors1: client not found; 11: no credential; 11: credential is already shared; 11: No credential or the credential does not belongs to the authenticated user.

Example

 <AuthState name="ShareOATH" class="ch.nevis.idm.authstate.IdmShareOTPState"
final="false">
<ResultCond name="ok" next="IdmPostProcessing" />
<ResultCond name="failed" next="FailedToShareOATH" />
<ResultCond name="noCredential" next="NoCredentialExists"/>
<ResultCond name="secretAlreadyShared" next="OATHSharedAlready"/>
<Response value="AUTH_CONTINUE">
<Gui name="OathGui" label="Scan this QR code with your mobile device!">
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
<GuiElem name="qrcodeimage" type="image" value="${notes:oath_qrcode}"/>
<GuiElem name="infotext" type="info" label="Use FreeOTP or an
other HOTP/TOTP App to scan the QR code." />
<GuiElem name="result" type="button" label="gui.button.continue" value="Continue" />
</Gui>
</Response>
<property name="credential.id" value="${sess:credExtId}" />
</AuthState>