OCSManager Authentication

Authentication

Phase 1: Token

The client initiates a connection to the token service of the authentication controller and receives the salt of the user's SSHA password together with a randomly generated token.

Token Request

Token Reply

<?xml version='1.0' encoding='utf-8'?>
<ocsmanager>
  <token type="salt">46QC8AELdE2FvEFsRzz--zzTC9Y=</token>
  <salt>mYvF3Q==</salt>
  <ttl>10</ttl>
</ocsmanager>
The xml nodes returned in the reply are:
  • token is the base64 encoded random token (token2 below). During the login phase it is used as the salt when hashing login:sshaPassword:token2, i.e. it salts the payload sent in the next request
  • salt is the base64 encoded salt of the SSHA password stored for the user account
  • ttl is the time to live of the current session

Error payload

If the XML payload is invalid or missing, or if the login parameter or its text is missing, the following XML is returned:

<?xml version='1.0' encoding='utf-8'?>
<ocsmanager>
  <error code="417">Invalid Parameter</error>
</ocsmanager>

Phase 2: Login

The client now computes a new salted hash from:
  • login: the username specified in the token request
  • sshaPassword: the SSHA hash of the password, computed with the salt returned in the token reply
  • token2: the random token returned in the token reply

The string login:sshaPassword:token2 is then hashed with SSHA, using token2 as the salt:

sshaPassword = ssha(password, salt)                 # salt: decoded from the token reply
hash = "%s:%s:%s" % (login, sshaPassword, token2)   # token2: token from the token reply
token = ssha(hash, token2)                          # sent as the token of the login request

Login Request

Login Reply

<?xml version='1.0' encoding='utf-8'?>
<ocsmanager>
  <token>65525b7e49af4f4c0ab1781eba2db3814a94a5ea</token>
  <ttl>10</ttl>
</ocsmanager>
The xml nodes returned in the reply are:
  • token: the session token to send in the cookie of all subsequent requests
  • ttl: the time to live of the session

Error payload

If an incorrect username or password is supplied, the following XML is returned:

<?xml version='1.0' encoding='utf-8'?>
<ocsmanager>
  <error code="401">Invalid Username or Password</error>
</ocsmanager>

If the token is incorrect or missing, the following XML is returned:

<?xml version='1.0' encoding='utf-8'?>
<ocsmanager>
  <error code="472">Invalid Token</error>
</ocsmanager>

Security notes

1: The token phase (1) MUST return a salt even if the username does not exist. This forces the client to complete the authentication process and prevents disclosure of which usernames exist. The dummy salt should look like a real one (same length and encoding) and stay the same across requests for a given username: a salt that changes on every request would itself reveal that the account does not exist.
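The two phases above and security note 1, worked through end to end as an added example. This is not OCSManager code: the server class, the decoy-salt construction and the dict replies are illustrative. It assumes ssha is the LDAP-style {SSHA} encoding base64(sha1(data || salt) || salt), that token2 enters the login hash in its base64 form and is used as the salt in decoded form, that a wrong computed token is reported as 401 and a missing or already used token as 472, and that the ttl is in seconds; the page does not fix any of these details.

```python
import base64
import hashlib
import hmac
import secrets

TTL = 10  # as in the replies above; seconds is an assumption


def ssha(data: bytes, salt: bytes) -> str:
    """Salted SHA-1 in the LDAP {SSHA} layout: base64(sha1(data || salt) || salt).
    Assumed encoding; the page only names the primitive 'ssha'."""
    digest = hashlib.sha1(data + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def client_login_token(login: str, password: str, salt_b64: str, token_b64: str) -> str:
    """Phase 2, client side: ssha(login:sshaPassword:token2, token2)."""
    salt = base64.b64decode(salt_b64)
    token2 = base64.b64decode(token_b64)
    ssha_password = ssha(password.encode("utf-8"), salt)
    payload = "%s:%s:%s" % (login, ssha_password, token_b64)
    return ssha(payload.encode("utf-8"), token2)


class AuthController:
    """Hypothetical server side of both phases; replies are dicts instead of XML."""

    def __init__(self):
        self._users = {}      # login -> (salt, sshaPassword)
        self._pending = {}    # login -> outstanding token2 (base64), single use
        self._sessions = set()
        self._decoy_key = secrets.token_bytes(32)  # server secret for decoy salts

    def add_user(self, login: str, password: str) -> None:
        salt = secrets.token_bytes(4)  # 4 bytes, like the 'mYvF3Q==' example above
        self._users[login] = (salt, ssha(password.encode("utf-8"), salt))

    def token_request(self, login: str) -> dict:
        """Phase 1: always answer with a salt, even for unknown logins."""
        if not login:
            return {"error": (417, "Invalid Parameter")}
        token2 = base64.b64encode(secrets.token_bytes(20)).decode("ascii")
        self._pending[login] = token2
        user = self._users.get(login)
        if user is not None:
            salt = user[0]
        else:
            # Security note 1: derive the decoy salt from the login with a server
            # secret so it is stable across requests and the same length as a real
            # one; a fresh random salt on every call would expose the difference.
            salt = hmac.new(self._decoy_key, login.encode("utf-8"),
                            hashlib.sha256).digest()[:4]
        return {"token": token2, "salt": base64.b64encode(salt).decode("ascii"), "ttl": TTL}

    def login(self, login: str, client_token: str) -> dict:
        """Phase 2: recompute the expected token from the stored SSHA hash."""
        token2 = self._pending.pop(login, None)  # single use: a replay gets 472
        if token2 is None or not client_token:
            return {"error": (472, "Invalid Token")}
        user = self._users.get(login)
        # Unknown login: still hash against a throwaway value so the timing
        # matches a wrong password rather than short-circuiting.
        stored = user[1] if user is not None else ssha(b"", secrets.token_bytes(4))
        expected = ssha(("%s:%s:%s" % (login, stored, token2)).encode("utf-8"),
                        base64.b64decode(token2))
        if user is None or not hmac.compare_digest(expected, client_token):
            return {"error": (401, "Invalid Username or Password")}
        session = secrets.token_hex(20)  # 40 hex chars, like the login reply above
        self._sessions.add(session)
        return {"token": session, "ttl": TTL}


if __name__ == "__main__":
    # Constructed walkthrough: register a user, run both phases, then try a replay.
    srv = AuthController()
    srv.add_user("alice", "s3cret")
    reply1 = srv.token_request("alice")
    tok = client_login_token("alice", "s3cret", reply1["salt"], reply1["token"])
    print(srv.login("alice", tok))   # session token + ttl
    print(srv.login("alice", tok))   # 472: token2 was consumed
    print(srv.token_request("nobody"))  # decoy salt, indistinguishable from a real one
```

The comparison uses hmac.compare_digest so that a wrong token is rejected in constant time, and the pending token is consumed on first use so that an intercepted login request cannot be replayed.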
