MFA / API Documentation
Most of the code below can be reviewed in InstallPath\SelfServiceSite\assets\self-service-portal-****randomguid***.js if clarification is needed.
Return user enrolled methods -- GET
The path https://servername.fqdn.etc/api/v1/users/, followed by the username/domain (for example https://servername.fqdn.etc/api/v1/users/epsilon/2faone), returns JSON data similar to the following:
{
  "data": {
    "type": "user",
    "userId": 6,
    "username": "epsilon",
    "domain": "2FAONE",
    "authMethods": [
      { "type": "authMethod", "authMethodId": 2, "displayName": "AD", "pinRequired": false, "pinLabel": "" },
      { "type": "authMethod", "authMethodId": 10, "displayName": "OTP", "pinRequired": false, "pinLabel": "PIN" },
      { "type": "authMethod", "authMethodId": 11, "displayName": "PingMe", "pinRequired": false, "pinLabel": "" }
    ]
  }
}
userId is the user's ID in our database. The authMethods returned are only the auth methods the user has enrolled; any non-enrolled methods are omitted.
Curl example for user 2faone\conroe:

curl -X GET \
  https://dev.cloud.2fa.com/api/v1/users/conroe/2faone \
  -H 'Postman-Token: 131472dc-7e45-4a21-9a7d-f73354d33bfe' \
  -H 'cache-control: no-cache'

Response 200 OK:

{
  "data": {
    "type": "user",
    "userId": 80,
    "username": "conroe",
    "domain": "2FAONE",
    "authMethods": [
      { "type": "authMethod", "authMethodId": 2, "authProfileId": 0, "displayName": "AD", "pinRequired": false, "pinLabel": "" },
      { "type": "authMethod", "authMethodId": 10, "authProfileId": 13, "displayName": "OTP", "pinRequired": true, "pinLabel": "PIN" },
      { "type": "authMethod", "authMethodId": 11, "authProfileId": 0, "displayName": "PingMe", "pinRequired": false, "pinLabel": "" },
      { "type": "authMethod", "authMethodId": 15, "authProfileId": 12, "displayName": "FIDO", "pinRequired": true, "pinLabel": "PIN" }
    ]
  }
}
Note: The information for all active users in the database will be returned. For any nonexistent user, the default authentication set and a userId outside the range of existing IDs will be returned.
Authenticate a User to Generate an AuthToken
https://servername/api/v1/authenticate/<methodID>
Currently Supported Method IDs:
1 RapidIdentity Password
2 AD
6 Contactless Card
10 OTP
11 PingMe
15 FIDO
Body:

{
  "userId": "<the user id received from the api/v1/users call>",
  "methodId": "<the method id as listed above>",
  "firstData": "<the default auth data required, e.g. card number, bio template, etc. - for PingMe this can be an empty string or the word PingMe>",
  "secondData": "<the second factor, if required, e.g. PIN - for PingMe this can be an empty string or the word PingMe>"
}

Response 200 OK:

{
  "data": {
    "type": "authToken",
    "authToken": "<example string 21176a8a-9738-4997-ad75-68c3a6a59772>",
    "userId": 80
  }
}
Curl Examples
Example for Password
curl -X POST \
  https://dev.cloud.2fa.com/api/v1/authenticate \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: ca71d64e-0739-4ba5-8ead-0cc30005c8b9' \
  -H 'cache-control: no-cache' \
  -d '{"userId":"80", "methodId": "2", "firstData":"<string>", "secondData":"" }'
Example Authenticate Card
curl -X POST \
  https://dev.cloud.2fa.com/api/v1/authenticate \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: fb50f1db-3ad7-4188-ad40-43783568db6e' \
  -H 'cache-control: no-cache' \
  -d '{"userId":"80", "methodId": "6", "firstData":"049D651AB95380", "secondData":"124578" }'
Method ID 6 = contactless
firstData = CUID of the card as read by the ActiveX plugin
secondData = user PIN, if required. Leave blank if no PIN is required.
Example Authenticate PING
curl -X POST \
  https://dev.cloud.2fa.com/api/v1/authenticate \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: 0a802514-f7b7-42d9-8d7f-3ff35f7b1ae8' \
  -H 'cache-control: no-cache' \
  -d '{"userId":"80", "methodId": "11", "firstData":"PingMe", "secondData":"" }'
firstData is always the static string PingMe.
secondData is the user's PIN.
If no PIN is submitted, the ping is sent automatically. If an incorrect PIN is submitted, no ping is sent and 403 is returned.
Example for OTP
curl -X POST \
  https://dev.cloud.2fa.com/api/v1/authenticate \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: c1c5cf29-cb58-4f65-a0e1-0d6b41982c83' \
  -H 'cache-control: no-cache' \
  -d '{"userId":"80", "methodId": "10", "firstData":"4312765", "secondData":"" }'
firstData is the user's OTP or a valid auth token. secondData is the user's PIN; it is not required for AuthCode.
Example Authenticate RapidIdentity password
curl -X POST \
  https://dev.cloud.2fa.com/api/v1/authenticate \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: 0fbb8de1-76be-4352-9f7c-3f8b4e8a089f' \
  -H 'cache-control: no-cache' \
  -d '{"userId":"1", "methodId": "1", "firstData":"<string>", "secondData":"" }'
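The lookup-then-authenticate flow above (user lookup response parsing, then the POST /authenticate body) as an added client example; this is not the product's own code. It assumes the dev.cloud.2fa.com host from the curl examples and posts to /authenticate with methodId in the body, as those examples do, using only the Python standard library.

```python
"""Added example: parse GET /users output and build a guarded POST /authenticate request."""
import json
import urllib.request

BASE_URL = "https://dev.cloud.2fa.com/api/v1"  # host used by the page's curl examples

# Method IDs from the "Currently Supported Method IDs" list above
METHOD_IDS = {"RapidIdentity Password": 1, "AD": 2, "Contactless Card": 6,
              "OTP": 10, "PingMe": 11, "FIDO": 15}

def enrolled_methods(user_body: str) -> dict:
    """Map displayName -> (authMethodId, pinRequired) from a GET /users/<user>/<domain> body."""
    return {m["displayName"]: (m["authMethodId"], m["pinRequired"])
            for m in json.loads(user_body)["data"]["authMethods"]}

def choose_method(user_body: str, preference=("FIDO", "OTP", "PingMe", "AD")) -> tuple:
    """Return (userId, authMethodId, pinRequired) for the first enrolled method in preference order."""
    user_id = json.loads(user_body)["data"]["userId"]
    methods = enrolled_methods(user_body)
    for name in preference:
        if name in methods:
            return (user_id,) + methods[name]
    raise LookupError("none of the preferred methods is enrolled")

def authenticate_request(user_id, method_id, first_data, second_data="", pin_required=False):
    """Build POST /authenticate; refuses to build a request whose required PIN is missing."""
    if method_id == METHOD_IDS["PingMe"]:
        first_data = "PingMe"  # firstData is always the static string PingMe
    if pin_required and not second_data:
        raise ValueError("this method has pinRequired=true; secondData must carry the PIN")
    body = {"userId": str(user_id), "methodId": str(method_id),
            "firstData": first_data, "secondData": second_data}
    return urllib.request.Request(f"{BASE_URL}/authenticate", data=json.dumps(body).encode(),
                                  headers={"Content-Type": "application/json"}, method="POST")

def auth_token_from(response_body: str) -> tuple:
    """Extract (authToken, userId) from a 200 OK authenticate response."""
    data = json.loads(response_body)["data"]
    return data["authToken"], data["userId"]

# Constructed sample: the GET /users/conroe/2faone response shown above.
SAMPLE_USER = json.dumps({"data": {"type": "user", "userId": 80, "username": "conroe", "domain": "2FAONE",
    "authMethods": [
        {"type": "authMethod", "authMethodId": 2, "authProfileId": 0, "displayName": "AD", "pinRequired": False, "pinLabel": ""},
        {"type": "authMethod", "authMethodId": 10, "authProfileId": 13, "displayName": "OTP", "pinRequired": True, "pinLabel": "PIN"},
        {"type": "authMethod", "authMethodId": 11, "authProfileId": 0, "displayName": "PingMe", "pinRequired": False, "pinLabel": ""},
        {"type": "authMethod", "authMethodId": 15, "authProfileId": 12, "displayName": "FIDO", "pinRequired": True, "pinLabel": "PIN"}]}})
```

Send the returned Request with urllib.request.urlopen and pass the response body to auth_token_from.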
GET Credential
When called with a valid authToken, returns the user's enrolled credentials with their device IDs. This can be used to display all enrolled devices for a user. Headers must include a valid userID and authToken combination.
curl -X GET \
  https://dev.cloud.2fa.com/api/v1/credentials \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: 1ea78200-3ecc-480d-8070-90da1ded2ba9' \
  -H 'authToken: 0b05c0b2-0372-4c7c-a787-6a5c2f987fb5' \
  -H 'cache-control: no-cache' \
  -H 'userID: 80'
Response 200 OK (example):
[
  { "type": "credential", "authMethodId": 2, "deviceId": 80, "displayName": "2FAONE\\conroe", "credentialData": "" },
  { "type": "credential", "authMethodId": 10, "deviceId": 10039, "displayName": "5568ef96b1a81528", "credentialData": "Soft Token" },
  { "type": "credential", "authMethodId": 10, "deviceId": 61603, "displayName": "1113", "credentialData": "Hard Token" },
  { "type": "credential", "authMethodId": 15, "deviceId": 80186, "displayName": "Gorp", "credentialData": "" }
]
Deleting User Credentials
HTTP DELETE
servername/api/v1/credentials/<methodID>/<deviceID>
Valid userID and AuthToken must be submitted in headers
Method ID and Device ID can be retrieved from /credentials GET
BODY should be empty
Response 200 OK:

{
  "data": [
    { "type": "credential", "authMethodId": <methodID>, "deviceId": <deviceID>, "displayName": "<string>", "credentialData": "Soft Token" }
  ]
}

The above data is returned if additional device IDs of the same method still exist. If no other devices of the same method ID exist:

{ "data": [] }

curl -X DELETE \
  https://dev.cloud.2fa.com/api/v1/credentials/10/61603 \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: 1d0eb191-39e5-40f1-b375-ddd88e33bcdd' \
  -H 'authToken: 4b607dc7-4f7f-4216-976d-76b107209d13' \
  -H 'cache-control: no-cache' \
  -H 'userID: 80' \
  -d ' '
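The credential listing and deletion calls above as an added client example (not the product's own code): it groups the GET /credentials output per method, builds the DELETE request with the userID/authToken headers and an empty body, and checks beforehand whether the device being removed is the user's last credential of that method, which is the case an operator usually wants to confirm. It assumes the dev.cloud.2fa.com host from the curl examples.

```python
"""Added example: list, group and delete enrolled credentials with the authToken/userID headers."""
import json
import urllib.request
from collections import defaultdict

BASE_URL = "https://dev.cloud.2fa.com/api/v1"  # host used by the page's curl examples

def authed_headers(user_id, auth_token) -> dict:
    """Headers every call after authentication needs (names as in the curl examples)."""
    return {"Content-Type": "application/json", "userID": str(user_id), "authToken": auth_token}

def devices_by_method(credentials_body: str) -> dict:
    """Group a GET /credentials body as {authMethodId: [(deviceId, displayName, credentialData), ...]}."""
    grouped = defaultdict(list)
    for cred in json.loads(credentials_body):
        grouped[cred["authMethodId"]].append(
            (cred["deviceId"], cred["displayName"], cred["credentialData"]))
    return dict(grouped)

def last_device_of_method(credentials_body: str, method_id: int, device_id: int) -> bool:
    """True when deleting this device would leave the user with no credential of that method."""
    devices = devices_by_method(credentials_body).get(method_id, [])
    return [d for d, _, _ in devices] == [device_id]

def delete_request(user_id, auth_token, method_id, device_id):
    """Build DELETE /credentials/<methodID>/<deviceID>; the body stays empty as the page specifies."""
    return urllib.request.Request(f"{BASE_URL}/credentials/{method_id}/{device_id}",
                                  headers=authed_headers(user_id, auth_token), method="DELETE")

def remaining_devices(delete_response_body: str) -> list:
    """Device IDs of the same method still enrolled after a DELETE (empty when none remain)."""
    return [c["deviceId"] for c in json.loads(delete_response_body)["data"]]

# Constructed sample: the GET /credentials response shown above for userID 80.
SAMPLE_CREDENTIALS = json.dumps([
    {"type": "credential", "authMethodId": 2, "deviceId": 80, "displayName": "2FAONE\\conroe", "credentialData": ""},
    {"type": "credential", "authMethodId": 10, "deviceId": 10039, "displayName": "5568ef96b1a81528", "credentialData": "Soft Token"},
    {"type": "credential", "authMethodId": 10, "deviceId": 61603, "displayName": "1113", "credentialData": "Hard Token"},
    {"type": "credential", "authMethodId": 15, "deviceId": 80186, "displayName": "Gorp", "credentialData": ""},
])
```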
Manually nullify Auth Token -- POST
POST to api/v1/authenticate/logout with the userId and the authToken to invalidate in the headers.
Auth token expiration otherwise applies from the database Settings table:
dbo.Settings
AuthTokenAbsoluteExpirationTime = time in seconds until authtoken is invalidated regardless of inactivity
AuthTokenExpirationTime = time in seconds until authtoken is invalidated due to inactivity
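The two expiration settings above and the logout call as an added client-side example (not the product's own code): a session object that tracks both clocks so a client can tell when its authToken is no longer usable and can build the logout request. Timeout values are assumed to be read from dbo.Settings and timestamps are seconds since the epoch; the dev.cloud.2fa.com host comes from the curl examples.

```python
"""Added example: authToken lifetime under both dbo.Settings timeouts, plus the logout request."""
import urllib.request

BASE_URL = "https://dev.cloud.2fa.com/api/v1"  # host used by the page's curl examples

class AuthSession:
    """Client-side view of an authToken; both limits are assumed to come from dbo.Settings."""

    def __init__(self, user_id, auth_token, issued_at, absolute_ttl_s, inactivity_ttl_s):
        self.user_id = str(user_id)
        self.auth_token = auth_token
        self.issued_at = issued_at                # when /authenticate returned the token
        self.last_activity = issued_at
        self.absolute_ttl_s = absolute_ttl_s      # AuthTokenAbsoluteExpirationTime
        self.inactivity_ttl_s = inactivity_ttl_s  # AuthTokenExpirationTime

    def is_valid(self, now) -> bool:
        """Invalid once either the absolute or the inactivity limit has been reached."""
        if now - self.issued_at >= self.absolute_ttl_s:
            return False  # absolute limit: activity does not extend it
        return now - self.last_activity < self.inactivity_ttl_s

    def touch(self, now):
        """Record a successful authenticated call; only the inactivity clock restarts."""
        self.last_activity = now

    def headers(self) -> dict:
        """userID and authToken headers as used by the curl examples."""
        return {"Content-Type": "application/json", "userID": self.user_id, "authToken": self.auth_token}

    def logout_request(self):
        """POST /authenticate/logout with userId and authToken in the headers and an empty body."""
        return urllib.request.Request(f"{BASE_URL}/authenticate/logout",
                                      headers=self.headers(), data=b"", method="POST")
```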
Enroll a credential -- POST
api/v1/credentials/<methodID>
Example for Contactless
api/v1/credentials/6
{
  "userId": 80,
  "methodId": 6,
  "credData": { "cuid": "049d651ab95380AAAA", "pin": "1245", "label": "HereisFre" }
}
cuid = CUID of the card as read by the ActiveX plugin
pin = user PIN to be submitted
Note: If omitted and UseGlobalPIN = true in the Settings table, the PIN set in the user's OTP data is submitted automatically as the PIN.
label = user's choice of card name; may be left blank
POST /api/v1/credentials/6 HTTP/1.1
Host: dev.cloud.2fa.com
authToken: 21176a8a-9738-4997-ad75-68c3a6a59772
userID: 80
Content-Type: application/json
cache-control: no-cache
Postman-Token: 0d7ed2e7-aea0-4eba-8d44-2732d9448291

{ "userId": 80, "methodId": 6, "credData": { "cuid": "049d651ab95380AAAA", "pin": "1245", "label": "HereisFre" } }
Enroll OTP
{
  "userId": "80",
  "methodId": "10",
  "credData": {
    "serial": "<serialnumberOfOTP>",
    "otp1": "111222",
    "otp2": "222333",
    "pin": "1245"
  }
}
curl -X POST \
  https://dev.cloud.2fa.com/api/v1/credentials/10 \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: d7ada9ac-7f0c-4109-a94c-fa7b797dd32d' \
  -H 'authToken: ae6494a4-3899-4293-a130-4a00cf3fd259' \
  -H 'cache-control: no-cache' \
  -H 'userID: 80' \
  -d '{ "userId": "80", "methodId": "10", "credData": { "serial": "<serialnumberOfOTP>", "otp1": "111222", "otp2": "222333", "pin": "1245" } }'
Response 200 OK
Or
Response 400 Bad Request
{ "Message": "Could not process request" }
Indicates that the submitted OTPs failed to validate.
Return Custom Links
Using the self-service APIs, after a user has an authenticated login, call /users/customlinks. If the user is in an admin-type role, the response will include a URL to the admin portal and a label.
Examples of admin-type roles
Manage_Authentication_Methods, Manage_Authentication_Sets, Manage_Roles, Manage_Users, Manage_Reports, Manage_Clients, or Configure_CM
Example response to /users/customlinks:
{
  "data": [
    { "url": "https://mfaqa.cloud.2fa.com/ONE/admin_portal/validateAuthToken.aspx?token=dd60e583-cadb-47f5-8182-f6fbbd599d71&id=1", "label": "Admin Portal" }
  ]
}
Submit the userID and authToken headers:
curl -X GET \
  https://dev.cloud.2fa.com/api/v1/users/customlinks \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: bd6f5cb7-025d-4902-aa9d-802679c0aae7' \
  -H 'authToken: 01f25269-7e5e-4589-a741-39f5e932abcc' \
  -H 'cache-control: no-cache' \
  -H 'userID: 1'
Response 200 OK:
{
  "data": [
    { "url": "https://dev.cloud.2fa.com/ONE/admin_portal/validateAuthToken.aspx?token=01f25269-7e5e-4589-a741-39f5e932abcc&id=1", "label": "Admin Portal" }
  ]
}
Note: The above response reads the Admin Portal URL from dbo.Settings, and the link it provides allows the user to log in directly to the Admin Portal.
Response 403 Forbidden
Auth token is invalid for userID provided