Software /
code /
prosody-modules
Comparison
mod_auth_token/README.markdown @ 2960:b8834fec4b7e
Rename to README.markdown
author | JC Brand <jc@opkode.com> |
---|---|
date | Wed, 28 Mar 2018 00:02:37 +0200 |
parent | 2956:mod_auth_token/README.md@d0ca211e1b0e |
child | 3471:b4bcb84997e7 |
comparison
equal
deleted
inserted
replaced
2959:731fbefaabaf | 2960:b8834fec4b7e |
---|---|
1 # mod_auth_token | |
2 | |
3 This module enables Prosody to authenticate time-based one-time-pin (TOTP) HMAC tokens. | |
4 | |
5 This is an alternative to "external authentication" which avoids the need to | |
6 make a blocking HTTP call to the external authentication service (usually a web application backend). | |
7 | |
8 Instead, the application generates the HMAC token, which is then sent to | |
9 Prosody via the XMPP client and Prosody verifies the authenticity of this | |
10 token. | |
11 | |
12 If the token is verified, then the user is authenticated. | |
13 | |
14 ## How to generate the token | |
15 | |
16 You'll need a shared OTP_SEED value for generating time-based one-time-pin | |
17 values and a shared private key for signing the HMAC token. | |
18 | |
19 You can generate the OTP_SEED value with Python, like so: | |
20 | |
21 >>> import pyotp | |
22 >>> pyotp.random_base32() | |
23 u'XVGR73KMZH2M4XMY' | |
24 | |
25 and the shared secret key as follows: | |
26 | |
27 >>> import pyotp | |
28 >>> pyotp.random_base32(length=32) | |
29 u'JYXEX4IQOEYFYQ2S3MC5P4ZT4SDHYEA7' | |
30 | |
31 These values then need to go into your Prosody.cfg file: | |
32 | |
33 token_secret = "JYXEX4IQOEYFYQ2S3MC5P4ZT4SDHYEA7" | |
34 otp_seed = "XVGR73KMZH2M4XMY" | |
35 | |
36 The application that generates the tokens also needs access to these values. | |
37 | |
38 For an example on how to generate a token, take a look at the `generate_token` | |
39 function in the `test_token_auth.lua` file inside this directory. | |
40 | |
41 ## Custom SASL auth | |
42 | |
43 This module depends on a custom SASL auth mechanism called X-TOKEN and which | |
44 is provided by the file `mod_sasl_token.lua`. | |
45 | |
46 Prosody doesn't automatically pick up this file, so you'll need to update your | |
47 configuration file's `plugin_paths` to link to this subdirectory (for example | |
48 to `/usr/lib/prosody-modules/mod_auth_token/`). |