Posted to user@guacamole.apache.org by MAURIZI Lorenzo <l....@comune.jesi.an.it> on 2022/05/10 13:00:26 UTC

REST API authentication with TOTP extension

Dear all,
just after solving a problem, here I am with another one!

I would like to build some automated reports, for example a daily e-mail with the list of the connections made in the previous day.
For this task, I've been thinking about using REST API.

I would be happy to share the resulting bash script if anyone is interested.

In my installation the TOTP 2FA extension is active, so when sending username and password to /api/tokens, I obtain this JSON response:

{
   "message": "A TOTP authentication code is required before login can continue",
   "translatableMessage":    {
      "key": "TOTP.INFO_CODE_REQUIRED",
      "variables": null
   },
   "statusCode": null,
   "expected": [   {
      "name": "guac-totp",
      "type": "GUAC_TOTP_CODE"
   }],
   "type": "INSUFFICIENT_CREDENTIALS"
}

I tried to put a third guac-totp parameter to the /api/tokens POST data alongside username and password, but without success, as it returns the same message.

Which is the correct way to handle API authentication when using the TOTP extension?
I'm sorry but I didn't find any documentation about this issue.

TIA for any help.
Best Regards.
Lorenzo


Re: REST API authentication with TOTP extension

Posted by Nick Couchman <vn...@apache.org>.
On Wed, May 11, 2022 at 4:00 AM MAURIZI Lorenzo <l....@comune.jesi.an.it>
wrote:

> Thank you Mike for pointing out that I can see API requests with dev tools
> of the browser.
>
> And, after working a little with curl, oathtool, jq etc, I can log in
> correctly into Guacamole API. I don’t know why it didn’t work with SOAPUI.
>
>
>

It's possible it has something to do with the format of the body being
sent to the API endpoint - that is, raw vs form, etc.

-Nick


Re: REST API authentication with TOTP extension

Posted by MAURIZI Lorenzo <l....@comune.jesi.an.it>.
Thank you Mike for pointing out that I can see API requests with dev tools of the browser.
And, after working a little with curl, oathtool, jq etc, I can log in correctly into Guacamole API. I don’t know why it didn’t work with SOAPUI.

Best regards.


From: Michael Jumper <mj...@apache.org>
Sent: Wednesday, May 11, 2022 07:53
To: user@guacamole.apache.org
Subject: Re: REST API authentication with TOTP extension

On Tue, May 10, 2022, 06:00 MAURIZI Lorenzo <l....@comune.jesi.an.it> wrote:
Dear all,
just after solving a problem, here I am with another one!

I would like to build some automated reports, for example a daily e-mail with the list of the connections made in the previous day.
For this task, I've been thinking about using REST API.

I would be happy to share the resulting bash script if anyone is interested.

In my installation the TOTP 2FA extension is active, so when sending username and password to /api/tokens, I obtain this JSON response:

{
   "message": "A TOTP authentication code is required before login can continue",
   "translatableMessage":    {
      "key": "TOTP.INFO_CODE_REQUIRED",
      "variables": null
   },
   "statusCode": null,
   "expected": [   {
      "name": "guac-totp",
      "type": "GUAC_TOTP_CODE"
   }],
   "type": "INSUFFICIENT_CREDENTIALS"
}

I tried to put a third guac-totp parameter to the /api/tokens POST data alongside username and password, but without success, as it returns the same message.

Which is the correct way to handle API authentication when using the TOTP extension?

That is the correct way to handle the request. In addition to the correct username and password, include the current, correct TOTP code for that user as the "guac-totp" parameter.

You can see this happen in practice if you open up dev tools in your browser, log in with your own user account, and observe the contents of the successful POST to /api/tokens.

- Mike


Re: REST API authentication with TOTP extension

Posted by Michael Jumper <mj...@apache.org>.
On Tue, May 10, 2022, 06:00 MAURIZI Lorenzo <l....@comune.jesi.an.it>
wrote:

> Dear all,
>
> just after solving a problem, here I am with another one!
>
>
>
> I would like to build some automated reports, for example a daily e-mail
> with the list of the connections made in the previous day.
>
> For this task, I've been thinking about using REST API.
>
>
>
> I would be happy to share the resulting bash script if anyone is interested.
>
>
>
> In my installation the TOTP 2FA extension is active, so when sending
> username and password to /api/tokens, I obtain this json response:
>
>
>
> {
>    "message": "A TOTP authentication code is required before login can continue",
>    "translatableMessage":    {
>       "key": "TOTP.INFO_CODE_REQUIRED",
>       "variables": null
>    },
>    "statusCode": null,
>    "expected": [   {
>       "name": "guac-totp",
>       "type": "GUAC_TOTP_CODE"
>    }],
>    "type": "INSUFFICIENT_CREDENTIALS"
> }
>
>
>
> I tried to put a third guac-totp parameter to the /api/tokens POST data
> alongside username and password, but without success, as it returns the
> same message.
>
>
>
> Which is the correct way to handle API authentication when using the TOTP
> extension?
>

That is the correct way to handle the request. In addition to the correct
username and password, include the current, correct TOTP code for that user
as the "guac-totp" parameter.

You can see this happen in practice if you open up dev tools in your
browser, log in with your own user account, and observe the contents of the
successful POST to /api/tokens.

- Mike
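
Added example (not part of the original thread and not Guacamole project code): a sketch of the request described above, computing the current TOTP code and placing it as "guac-totp" next to username and password in a form-encoded body for POST /api/tokens. The account name, password and secret are constructed, and HMAC-SHA1 with 6 digits and a 30-second period is an assumption about the TOTP extension's settings.

```python
import base64, hashlib, hmac, json, struct, time
from urllib.parse import urlencode

def totp(secret_b32, now=None, digits=6, period=30):
    """RFC 6238 code using HMAC-SHA1 (assumed settings: 6 digits, 30 s period)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding
    counter = int(time.time() if now is None else now) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)     # keep leading zeros

def token_request_body(username, password, secret_b32, now=None):
    """Body for POST /api/tokens, sent as application/x-www-form-urlencoded.

    Form encoding (rather than raw JSON) is what the thread's "raw vs form"
    remark points at; urlencode also escapes '&', '=' and spaces in passwords.
    """
    return urlencode({"username": username, "password": password,
                      "guac-totp": totp(secret_b32, now)})

def totp_required(response_text):
    """True if the reply is the INSUFFICIENT_CREDENTIALS error asking for guac-totp."""
    reply = json.loads(response_text)
    expected = reply.get("expected") or []
    return (reply.get("type") == "INSUFFICIENT_CREDENTIALS"
            and any(field.get("name") == "guac-totp" for field in expected))

# Constructed sample data: the RFC 6238 test key and a shortened copy of the
# error response quoted in the thread.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_ERROR = ('{"message": "A TOTP authentication code is required before '
                'login can continue", "expected": [{"name": "guac-totp", '
                '"type": "GUAC_TOTP_CODE"}], "type": "INSUFFICIENT_CREDENTIALS"}')

if __name__ == "__main__":
    print("Content-Type: application/x-www-form-urlencoded")
    print(token_request_body("report-user", "example-password", SAMPLE_SECRET))
    print("TOTP still required:", totp_required(SAMPLE_ERROR))
```

A script like this holds the password and the TOTP secret together, so both factors become one stored credential. Keep them in a file or secret store readable only by the report job, and use a dedicated account limited to what the report needs.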