/// <summary>
/// Trigger challenges for the given user using a service account.
/// </summary>
/// <param name="username">username to trigger challenges for</param>
/// <param name="domain">optional domain which can be mapped to a privacyIDEA realm</param>
/// <returns>PIResponse object or null on error</returns>
public PIResponse TriggerChallenges(string username, string domain = null)
{
if (!GetAuthToken())
{
Error("Unable to trigger challenges without an auth token!");
return(null);
}
var parameters = new Dictionary <string, string>
{
{ "user", username }
};
AddRealmForDomain(domain, parameters);
string response = SendRequest("/validate/triggerchallenge", parameters);
PIResponse ret = PIResponse.FromJSON(response, this);
return(ret);
}
/// <summary>
/// Authenticate using the /validate/check endpoint with the username and OTP value.
/// Optionally, a transaction id can be provided if authentication is done using challenge-response.
/// </summary>
/// <param name="user">username</param>
/// <param name="otp">OTP</param>
/// <param name="transactionid">optional transaction id to refer to a challenge</param>
/// <param name="domain">optional domain which can be mapped to a privacyIDEA realm</param>
/// <returns>PIResponse object or null on error</returns>
public PIResponse ValidateCheck(string user, string otp, string transactionid = null, string domain = null)
{
var parameters = new Dictionary <string, string>
{
{ "user", user },
{ "pass", otp }
};
if (transactionid != null)
{
parameters.Add("transaction_id", transactionid);
}
AddRealmForDomain(domain, parameters);
string response = SendRequest("/validate/check", parameters, new List <KeyValuePair <string, string> >());
return(PIResponse.FromJSON(response, this));
}
/// <summary>
/// Authenticate at the /validate/check endpoint using a WebAuthn token instead of the usual OTP value.
/// This requires the WebAuthnSignResponse and the Origin from the browser.
/// </summary>
/// <param name="user">username</param>
/// <param name="transactionid">transaction id of the webauthn challenge</param>
/// <param name="webAuthnSignResponse">the WebAuthnSignResponse string in json format as returned from the browser</param>
/// <param name="origin">origin also returned by the browser</param>
/// <param name="domain">optional domain which can be mapped to a privacyIDEA realm</param>
/// <returns>PIResponse object or null on error</returns>
public PIResponse ValidateCheckWebAuthn(string user, string transactionid, string webAuthnSignResponse, string origin, string domain = null)
{
if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(transactionid) || string.IsNullOrEmpty(webAuthnSignResponse) || string.IsNullOrEmpty(origin))
{
Log("ValidateCheckWebAuthn called with missing parameter: user="******", transactionid=" + transactionid
+ ", WebAuthnSignResponse=" + webAuthnSignResponse + ", origin=" + origin);
return(null);
}
// Parse the WebAuthnSignResponse and add mandatory parameters
JToken root;
try
{
root = JToken.Parse(webAuthnSignResponse);
}
catch (JsonReaderException jex)
{
Error("WebAuthnSignRequest does not have the required format! " + jex.Message);
return(null);
}
string credentialid = (string)root["credentialid"];
string clientdata = (string)root["clientdata"];
string signaturedata = (string)root["signaturedata"];
string authenticatordata = (string)root["authenticatordata"];
var parameters = new Dictionary <string, string>
{
{ "user", user },
{ "pass", "" },
{ "transaction_id", transactionid },
{ "credentialid", credentialid },
{ "clientdata", clientdata },
{ "signaturedata", signaturedata },
{ "authenticatordata", authenticatordata }
};
// Optionally add UserHandle and AssertionClientExtensions
string userhandle = (string)root["userhandle"];
if (!string.IsNullOrEmpty(userhandle))
{
parameters.Add("userhandle", userhandle);
}
string ace = (string)root["assertionclientextensions"];
if (!string.IsNullOrEmpty(ace))
{
parameters.Add("assertionclientextensions", ace);
}
AddRealmForDomain(domain, parameters);
// The origin has to be set in the header for WebAuthn authentication
var headers = new List <KeyValuePair <string, string> >
{
new KeyValuePair <string, string>("Origin", origin)
};
string response = SendRequest("/validate/check", parameters, headers);
return(PIResponse.FromJSON(response, this));
}