1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
..
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
===================================
Time-based One-time Password (TOTP)
===================================
Configuring TOTP
================
TOTP is not enabled in Keystone by default. To enable it add the ``totp``
authentication method to the ``[auth]`` section in ``keystone.conf``:
.. code-block:: ini
[auth]
methods = external,password,token,oauth1,totp
For a user to have access to TOTP, he must have configured TOTP credentials in
Keystone and a TOTP device (i.e. `Google Authenticator`_).
.. _Google Authenticator: http://www.google.com/2step
TOTP uses a base32 encoded string for the secret. The secret must be at least
148 bits (16 bytes). The following python code can be used to generate a TOTP
secret:
.. code-block:: python
import base64
message = '1234567890123456'
print base64.b32encode(message).rstrip('=')
Example output::
GEZDGNBVGY3TQOJQGEZDGNBVGY
This generated secret can then be used to add new 'totp' credentials to a
specific user.
Create a TOTP credential
------------------------
Create ``totp`` credentials for user:
.. code-block:: bash
USER_ID=b7793000f8d84c79af4e215e9da78654
SECRET=GEZDGNBVGY3TQOJQGEZDGNBVGY
curl -i \
-H "Content-Type: application/json" \
-d '
{
"credential": {
"blob": "'$SECRET'",
"type": "totp",
"user_id": "'$USER_ID'"
}
}' \
http://localhost:5000/v3/credentials ; echo
Google Authenticator
--------------------
On a device install Google Authenticator and inside the app click on 'Set up
account' and then click on 'Enter provided key'. In the input fields enter
account name and secret. Optionally a QR code can be generated programatically
to avoid having to type the information.
QR code
-------
Create TOTP QR code for device:
.. code-block:: python
import qrcode
secret='GEZDGNBVGY3TQOJQGEZDGNBVGY'
uri = 'otpauth://totp/{name}?secret={secret}&issuer={issuer}'.format(
name='name',
secret=secret,
issuer='Keystone')
img = qrcode.make(uri)
img.save('totp.png')
In Google Authenticator app click on 'Set up account' and then click on 'Scan
a barcode', and then scan the 'totp.png' image. This should create a new TOTP
entry in the application.
Authenticate with TOTP
======================
Google Authenticator will generate a 6 digit PIN (passcode) every few seconds.
Use the passcode and your user ID to authenticate using the ``totp`` method.
Tokens
------
Get a token with default scope (may be unscoped) using totp:
.. code-block:: bash
USER_ID=b7793000f8d84c79af4e215e9da78654
PASSCODE=012345
curl -i \
-H "Content-Type: application/json" \
-d '
{ "auth": {
"identity": {
"methods": [
"totp"
],
"totp": {
"user": {
"id": "'$USER_ID'",
"passcode": "'$PASSCODE'"
}
}
}
}
}' \
http://localhost:5000/v3/auth/tokens ; echo
|