OTRS REST API With Two Factor Authentication

Moderator: crythias

netoruben
Znuny newbie
Posts: 4
Joined: 29 Mar 2021, 05:05
Znuny Version: 6.0.30
Real Name: Rúben Neto

OTRS REST API With Two Factor Authentication

Post by netoruben »

Hello, I've set up an API, and in the URL parameters I pass CustomerUserLogin or UserLogin and Password, and it works perfectly.

But now I've also set up TwoFactorAuthentication for some of my users and I want to authenticate with the API. I've tried a parameter TwoFactorToken but it didn't work.

If someone knows how to authenticate with the TwoFactorAuthentication, please let me know.
Thanks.
Image
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: OTRS REST API With Two Factor Authentication

Post by crythias »

> in the url parameters I pass CustomerUserLogin or UserLogin and Password and it works perfectly.

I'd strongly recommend some other way of passing authorized creds. Or at least trusting the source of the creds so you can accept the username and maybe a keyhash instead of a plaintext password.

> But now I've also setup TwoFactorAuthentication for some of my users and I want to authenticate with the api.

My suggestion would be to ignore the MFA in the api or make sure the MFA works in the source authentication.

There are a lot of missing pieces to discuss to get this to be proper for your implementation. You are showing us in your screenshot how insecure your app is in the first place. There is never any good reason a password should be visible in a URI/URL.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
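
The practical reason a password in the URL is a problem: the request line, query string included, is written to web server and proxy access logs. The following is an added example, not code from this thread or from OTRS/Znuny, that finds and redacts the `Password` and `TwoFactorToken` parameters named in this thread in access-log lines; the sample lines, host, path and web service name are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names from this thread whose values are secrets (matched case-insensitively).
SECRET_PARAMS = {"password", "twofactortoken"}

# Request field of a "combined" access-log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def redact_target(target):
    """Return (redacted target, sorted names of secret parameters found in it)."""
    parts = urlsplit(target)
    found, pairs = set(), []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            found.add(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return target, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)


def scan(lines):
    """Return [(line number, secret names, redacted line)] for offending lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, found = redact_target(match.group("target"))
        if found:
            start, end = match.span("target")
            hits.append((number, found, line[:start] + redacted + line[end:]))
    return hits


# Constructed sample log lines; host, path and web service name are made up.
SAMPLE = [
    '192.0.2.10 - - [27/Apr/2021:19:40:01 +0000] "GET /otrs/nph-genericinterface.pl'
    '/Webservice/Demo/Ticket/1?UserLogin=apiuser&Password=S3cr%21t HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/Apr/2021:19:41:12 +0000] "POST /otrs/nph-genericinterface.pl'
    '/Webservice/Demo/Ticket HTTP/1.1" 200 96',
    '192.0.2.11 - - [27/Apr/2021:19:42:30 +0000] "GET /otrs/nph-genericinterface.pl'
    '/Webservice/Demo/Ticket/2?CustomerUserLogin=jane&password=x&TwoFactorToken=123456'
    ' HTTP/1.1" 403 41',
]

if __name__ == "__main__":
    for number, names, line in scan(SAMPLE):
        print(f"line {number}: {', '.join(names)} in URL -> {line}")
```

A hit means the credential has already been stored in clear text and should be changed; redaction only limits further spread.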

Re: OTRS REST API With Two Factor Authentication

Post by netoruben »

> You are showing us in your screenshot how insecure your app is in the first place.

I understand it is insecure; I am just testing. But if wanted, what methods for authentication does OTRS provide? Can I send a JSON body with the information, use OAuth, or do it with headers, Authorization Basic or a token?

> My suggestion would be to ignore the MFA in the api or make sure the MFA works in the source authentication.

Is there a setting to disable MFA for the API in OTRS?

Re: OTRS REST API With Two Factor Authentication

Post by crythias »

Among other methods, I'd lean toward the HTTPBasicAuth and then focus on the web server's authentication.
https://doc.otrs.com/doc/manual/admin/6 ... h-backends

It really depends on what is the source of the data. I'm personally using AzureAD with Auth0 for SSO. Although I've also used Kerberos. But in both cases I've changed authentication to HTTPBasicAuth and focused on external authentication.

https://doc.otrs.com/doc/manual/admin/6 ... .12.10.7.4

viewtopic.php?f=60&t=42397

But this doesn't necessarily address the API part of it (except the idea that the API is available through the web interface).

I may not be the best source of information on this, so if you don't hear from me, it's just because I don't hang out too much here. Maybe someone else might be able to assist.

Re: OTRS REST API With Two Factor Authentication

Post by netoruben »

crythias wrote: 27 Apr 2021, 19:48
> Among other methods, I'd lean toward the HTTPBasicAuth and then focus on the web server's authentication.
> https://doc.otrs.com/doc/manual/admin/6 ... h-backends
>
> It really depends on what is the source of the data. I'm personally using AzureAD with Auth0 for SSO. Although I've also used Kerberos. But in both cases I've changed authentication to HTTPBasicAuth and focused on external authentication.
>
> https://doc.otrs.com/doc/manual/admin/6 ... .12.10.7.4
>
> viewtopic.php?f=60&t=42397
>
> But this doesn't necessarily address the API part of it (except the idea that the API is available through the web interface).
>
> I may not be the best source of information on this, so if you don't hear from me, it's just because I don't hang out too much here. Maybe someone else might be able to assist.

Thanks for the help.

Any idea on how to disable/ignore MFA for the API? Is there any configuration I can do in the web service or in system configuration?
root
Administrator
Posts: 3931
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: OTRS REST API With Two Factor Authentication

Post by root »

Hi,

You should be able to use an additional AuthModule without 2FA to solve this. Znuny / OTRS uses only 2FA if there is a matching module configured for the AuthModule.

- AuthModule needs AuthTwoFactorModule
- AuthModule1 needs AuthTwoFactorModule1
- ...

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?

Re: OTRS REST API With Two Factor Authentication

Post by netoruben »

root wrote: 28 Apr 2021, 08:50
> Hi,
>
> You should be able to use an additional AuthModule without 2FA to solve this. Znuny / OTRS uses only 2FA if there is a matching module configured for the AuthModule.
>
> - AuthModule needs AuthTwoFactorModule
> - AuthModule1 needs AuthTwoFactorModule1
> - ...
>
> - Roy

Thanks, I got it working. :D
AESPINO
Znuny newbie
Posts: 1
Joined: 06 Jul 2018, 22:46
Znuny Version: 4.11.1

Re: OTRS REST API With Two Factor Authentication

Post by AESPINO »

Hello, how are you? The same thing is happening to me after implementing Two Factor. Could you give me more detail on the solution you found? Thank you very much in advance.

It is worth noting that before implementing Two Factor, I was using this code, which worked perfectly...

$body = "{ `"UserLogin`": `"$UserName`", `"Password`": `"$Password`", `"ConfigItem`": { `"Class`": `"Servidores Virtuales`", `"Name`": `"*$NameCsv*`" }}"

CODE WITH ERROR.

$body = "{ `"UserLogin`": `"$UserName`", `"Password`": `"$Password`", `"TwoFactorToken`": `"$pin`", `"ConfigItem`": { `"Class`": `"Servidores Virtuales`", `"Name`": `"*$NameCsv*`" }}"