|
Liberator Auth API
6.2.25.313361
|
 |
|
Liberator Auth API
6.2.25.313361
|
|
Functions | |
| int | auth_verify_signature_username (char *expected_username, char *token) |
| Verify that the supplied token is for the expected username. More... | |
| int | signature_check (char *key_id, char *token) |
| Provides a mechanism for validating a KeyMaster-generated encrypted single-use token. More... | |
The Caplin KeyMaster generates single-use encrypted tokens that are used as the client login password to the Liberator. The KeyMaster uses a private key to encrypt the token and the Liberator holds the corresponding public key that is used for decryption. This ensures that only the KeyMaster could possibly generate a valid token that is used for login. When the KeyMaster server is protected behind a single-signon system this allows the Liberator to use the same single signon mechanism without the need for direct connection to the signon database or back-end system.
The Liberator Auth API provides a mechanism for validating these tokens by using the signature_check() function.
If a user is known to be presenting a KeyMaster token as a password during login, then a call to this method will cause the Liberator to check the validity of the token. This return value can then be used as the return to the _authfuncs::new_user() function.
| int auth_verify_signature_username | ( | char * | expected_username, |
| char * | token | ||
| ) |
Verify that the supplied token is for the expected username.
| expected_username | - The expected username |
| token | - The supplied token |
| AUTH_DENY | - The username does not match that in the token. |
| AUTH_OK | - The username does match that in the token. |
| int signature_check | ( | char * | key_id, |
| char * | token | ||
| ) |
Provides a mechanism for validating a KeyMaster-generated encrypted single-use token.
The token is usually provided during a _authfuncs::new_user() call as the password parameter. This function can then be used to check that the provided token is valid.
The key_id parameter is used to uniquely identify which key the Liberator should use when decrypting the token (this matches the corresponding key-id option within the add-sigkey section of the Liberator configuration file
The Liberator may be configured to use multiple decryption keys, which are uniquely identified by the key-id option.
| key_id | KeyMaster key identifier |
| token | KeyMaster token |
| AUTH_INVALID_USER | - The supplied identifier does not match any configured. |
| AUTH_DENY | - The supplied token was invalid |
| AUTH_USER_LC_EXCEEDED | - The token supplied has already been used to log in. |
| AUTH_OK | - Authorisation succeeded |
