API requests
The API request is an HTTP POST request to /api/.
A check request detects if
- the given application id exists
- the token is OK
  - correct value
  - timestamp is within 60 sec
  - used only once
- a user
  - needs to set up (first visit at the MFA server)
  - has a valid MFA challenge within the TTL (12 h)
  - has an outdated MFA challenge
Request
📄 Expected data fields from client

| Name | Description |
|---|---|
| action | action to perform; one of “check” or “urls” |
| username | user id of the logged-in user |
| appid | application id from config (given by the MFA server) |
| ip | IP address of the user request to the web application |
| request | URL path and query string of the target URL on the MFA server |
| timestamp | timestamp (with milliseconds) |
| token | generated HMAC token using the fields “request” + “timestamp” plus “POST”, keyed with the application secret (given by the MFA server) |
| useragent | user agent of the user visiting the web application |
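The token column above and the check list at the top of the page describe the same handshake from both ends: the web application signs `request` + `timestamp` + `POST` with its application secret, and the MFA server verifies the value, the 60-second freshness window and single use. The following is an added example, not code from this page or from the MFA server project. It assumes HMAC-SHA256, hex output and plain concatenation of the three parts in that order (the page does not pin the exact encoding), and all application ids, secrets and field values in it are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample values (not from the page): the real appid and application
# secret are issued by the MFA server and live in the web application's config.
APP_ID = "example-app"
APP_SECRET = "example-application-secret"
TIMESTAMP_WINDOW_MS = 60 * 1000  # page: timestamp must be within 60 sec


def make_token(request: str, timestamp_ms: int, secret: str, method: str = "POST") -> str:
    """Build the HMAC token over the "request" field, the timestamp and "POST".

    Assumptions (the page does not pin these): the three parts are concatenated
    in this order with no separator, the hash is SHA-256 and the token is hex.
    """
    message = f"{request}{timestamp_ms}{method}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def build_check_request(username: str, appid: str, secret: str, ip: str,
                        request: str, useragent: str,
                        timestamp_ms: Optional[int] = None) -> dict:
    """Client side: assemble the POST body for action "check" with every field
    listed in the request table."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)  # timestamp with milliseconds
    return {
        "action": "check",
        "username": username,
        "appid": appid,
        "ip": ip,
        "request": request,
        "timestamp": timestamp_ms,
        "token": make_token(request, timestamp_ms, secret),
        "useragent": useragent,
    }


class TokenChecker:
    """Server side: application id exists, token value correct, timestamp within
    the window, token used only once."""

    def __init__(self, app_secrets: dict, window_ms: int = TIMESTAMP_WINDOW_MS):
        self._secrets = app_secrets   # appid -> application secret
        self._window_ms = window_ms
        self._seen: dict = {}         # (appid, token) -> timestamp_ms

    def check(self, payload: dict, now_ms: int) -> tuple:
        secret = self._secrets.get(payload.get("appid"))
        if secret is None:
            return False, "unknown application id"
        try:
            ts = int(payload["timestamp"])
        except (KeyError, TypeError, ValueError):
            return False, "missing or invalid timestamp"
        # Freshness first: a stale timestamp is rejected before any HMAC work.
        if abs(now_ms - ts) > self._window_ms:
            return False, "timestamp out of window"
        expected = make_token(str(payload.get("request", "")), ts, secret)
        token = str(payload.get("token", ""))
        if not hmac.compare_digest(expected, token):  # constant-time comparison
            return False, "token mismatch"
        self._forget_expired(now_ms)
        key = (payload["appid"], token)
        if key in self._seen:
            return False, "token already used"
        self._seen[key] = ts
        return True, "ok"

    def _forget_expired(self, now_ms: int) -> None:
        # Tokens older than the window fail the freshness check anyway, so the
        # replay cache only has to remember tokens that are still inside it.
        for key, ts in list(self._seen.items()):
            if abs(now_ms - ts) > self._window_ms:
                del self._seen[key]


if __name__ == "__main__":
    now = int(time.time() * 1000)
    body = build_check_request("alice", APP_ID, APP_SECRET, "203.0.113.5",
                               "/verify?step=1", "Mozilla/5.0", now)
    checker = TokenChecker({APP_ID: APP_SECRET})
    print(checker.check(body, now))           # (True, 'ok')
    print(checker.check(body, now))           # replay -> (False, 'token already used')
    print(checker.check(body, now + 61_000))  # stale -> (False, 'timestamp out of window')
```

The order of the server checks matters: freshness is decided before the HMAC is computed, so stale requests cost no hashing, and the replay cache only ever has to hold tokens from the last 60 seconds. `hmac.compare_digest` keeps the token comparison constant-time.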
Response
The response is JSON.

The basic fields are:

| Name | Description |
|---|---|
| status | HTTP status code |
| error | on error: a clear text message (en) |
| message | message text |

Possible keys of the “check” response:

| Name | Description |
|---|---|
| url | depending on status: URL to jump into the MFA server (e.g. the user needs to set up first or can solve a challenge). This field does not exist if the check failed and a user action is not possible. |

Possible keys of the “urls” response:

| Name | Description |
|---|---|
| setup | URL to open the user's MFA setup page |
| verify | URL to solve a challenge |
Process
The next graphic visualizes the process for the action “check” on the API.