Re: Verifying OTP (using OATH TOTP module) without password


Przemyslaw Sempruch
Hi,

Is there any way, using the REST API, to verify a user's one-time password with OpenAM having just the username and OTP – without the password?
We would like to verify that a freshly associated user has the right device and that their device produces the right output.


Regards,
Przemek

Follow the Kainos buzz on: Twitter Facebook Linkedin Youtube Sunday Times Top 100

This e-mail is for the intended addressee only and is strictly confidential; if you receive it in error please destroy the message and all copies. Any opinion or information in this email or its attachments that does not relate to Kainos business is personal to the sender and is not endorsed by Kainos. This email has been scanned for viruses but is not guaranteed to be virus free. "Kainos" is the trading name of the Kainos Group of companies; click the link for further information https://www.kainos.com/corporate-information/. Further terms and conditions may be found on our website www.kainos.com


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Warren Strange


I have heard of this being done.  You need to write a simple auth module that takes only the username. You then stack that in front of the OTP in a chain, and have your REST client call that chain.  You will probably want the "No session" option, so that OpenAM does not create a session - only returns the status.



On Mon, Feb 8, 2016 at 9:41 AM, Przemyslaw Sempruch <[hidden email]> wrote:
Hi,

Is there any way, using the REST API, to verify a user's one-time password with OpenAM having just the username and OTP – without the password?
We would like to verify that a freshly associated user has the right device and that their device produces the right output.


Regards,
Przemek

--

Warren

Skype: warren.strange
M:    403-471-7829 
G+ Hangout: [hidden email]


Nicolas Seigneur
I am not sure this would work, but maybe you could use the anonymous authentication module in front of the OTP module? Looks to me that by allowing the username you want to test, it should return the principal that the OTP module requires?

Nicolas Seigneur
Indigo Consulting Canada

On Mon, Feb 8, 2016 at 11:59 AM, Warren Strange <[hidden email]> wrote:


I have heard of this being done.  You need to write a simple auth module that takes only the username. You then stack that in front of the OTP in a chain, and have your REST client call that chain.  You will probably want the "No session" option, so that OpenAM does not create a session - only returns the status.



--
-------------------------------------------------
Nicolas Seigneur
Indigo Technologies Canada, Inc.
mobile: +1.514.965.4890


Mark Boyd ソフトウェア 建築家
The OATH module needs to know the username to do its thing. And that is passed via the sharedState map from the module upstream that would collect the username as noted by Warren.

Mark

From: <[hidden email]> on behalf of Nicolas Seigneur <[hidden email]>
Reply-To: Users <[hidden email]>
Date: Monday, February 8, 2016 at 12:57 PM
To: Users <[hidden email]>
Subject: Re: [OpenAM] Verifying OTP (using OATH TOTP module) without password

I am not sure this would work, but maybe you could use the anonymous authentication module in front of the OTP module? Looks to me that by allowing the username you want to test, it should return the principal that the OTP module requires?

Nicolas Seigneur
Indigo Consulting Canada


Przemyslaw Sempruch
In reply to this post by Nicolas Seigneur
Hi,

Thanks for your responses! The Anonymous module will probably not work, as it requires a predefined list (Valid Anonymous Users) of users to succeed.
I will try to piggyback off the Datastore module with the password callback stripped off as a starting point. Does it make sense? Or maybe there is a better example out of all modules available?

Regards,
Przemek


Mark Boyd ソフトウェア 建築家
If by "password stripped off" you mean simply using JavaScript to hide that field, the module will fail since it needs the password to verify the user. But you could use that module or the LDAP one as an example and create your own copy that validated that the username matched an existing user without authenticating them and verifying the password. And you'd have to inject the username into the shared state map so other modules downstream get it. Then configure a chain that has your custom module followed by the OATH module instance. To use that chain you can specify a chain by name in the login URL with a query parameter of "service=" followed by the chain name in the OpenAM realm against which you are authenticating. That would use that chain and prompt for username from the first module and once submitted would prompt for the OATH OTP via the second module.

Be careful not to mess with the root realm's authentication chain specified for admin configuration logins in the realm's authentication tab at the top of the page. You can lock yourself out of OpenAM. Been there. Done that. :-)

Mark

From: <[hidden email]> on behalf of Przemyslaw Sempruch <[hidden email]>
Reply-To: Users <[hidden email]>
Date: Monday, February 8, 2016 at 1:16 PM
To: Users <[hidden email]>
Subject: Re: [OpenAM] Verifying OTP (using OATH TOTP module) without password

Hi,

Thanks for your responses! The Anonymous module will probably not work, as it requires a predefined list (Valid Anonymous Users) of users to succeed.
I will try to piggyback off the Datastore module with the password callback stripped off as a starting point. Does it make sense? Or maybe there is a better example out of all modules available?

Regards,
Przemek
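
The flow described in Mark Boyd's reply (a username-only module followed by the OATH module, selected by chain name), combined with the "No session" option Warren mentions, shown from the REST client's side as an added example that is not part of the thread or of OpenAM. The chain name `otpCheck`, the host, the user `demo`, the code and the `FakeOpenAM` stand-in with its responses are constructed assumptions; the `/json/authenticate` parameters `authIndexType`, `authIndexValue` and `noSession` are OpenAM's REST equivalents of the `service=` login parameter and the no-session option.

```python
import copy
import json
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse


def authenticate_url(base_url, chain):
    """Select the chain by name and ask OpenAM not to create a session."""
    query = urlencode({"authIndexType": "service",
                       "authIndexValue": chain,
                       "noSession": "true"})
    return f"{base_url.rstrip('/')}/json/authenticate?{query}"


def fill_callbacks(step, answer):
    """Return a copy of the server's step with `answer` in its first text input."""
    reply = copy.deepcopy(step)
    for callback in reply["callbacks"]:
        if callback["type"] in ("NameCallback", "PasswordCallback"):
            callback["input"][0]["value"] = answer
            return reply
    raise ValueError("step has no NameCallback or PasswordCallback to answer")


def verify_otp(post, url, username, otp):
    """Drive the two-module chain: username first, then the OTP.

    `post(url, body)` must return (http_status, parsed_json).
    Returns {"verified": bool, "session_issued": bool}.
    """
    status, step = post(url, {})                     # empty body starts the chain
    for answer in (username, otp):
        if status != 200 or "authId" not in step:    # rejected before the chain ended
            return {"verified": False, "session_issued": False}
        status, step = post(url, fill_callbacks(step, answer))
    finished = status == 200 and "authId" not in step
    # A tokenId here means noSession was not in effect and a real session exists.
    return {"verified": finished, "session_issued": "tokenId" in step}


def http_post(url, body):
    """Transport for a live server (not exercised by the demo below)."""
    request = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(request) as response:
            return response.status, json.load(response)
    except urllib.error.HTTPError as error:          # failed authentication is a 401
        return error.code, json.load(error)


class FakeOpenAM:
    """Constructed stand-in for the server side of the chain (not OpenAM code)."""

    def __init__(self, current_otps):
        self.current_otps = current_otps             # username -> code shown on the device

    @staticmethod
    def _step(auth_id, prompt):
        return 200, {"authId": auth_id, "callbacks": [{
            "type": "NameCallback",
            "output": [{"name": "prompt", "value": prompt}],
            "input": [{"name": "IDToken1", "value": ""}]}]}

    def post(self, url, body):
        query = parse_qs(urlparse(url).query)
        failed = 401, {"code": 401, "reason": "Unauthorized",
                       "message": "Authentication Failed"}
        if not body:                                 # module 1 asks for the username
            return self._step("constructed:user", "User Name:")
        answer = body["callbacks"][0]["input"][0]["value"]
        stage, _, user = body["authId"].partition("|")
        if stage == "constructed:user":
            # Module 1 checks only that the user exists, then hands the name on
            # (the shared-state step in the real module). An unknown user fails
            # here, before any OTP prompt.
            if answer not in self.current_otps:
                return failed
            return self._step("constructed:otp|" + answer, "Enter OTP")
        if self.current_otps.get(user) != answer:    # module 2: the OATH check
            return failed
        if query.get("noSession") == ["true"]:
            return 200, {"message": "Authentication Successful"}
        return 200, {"tokenId": "constructed-token"}


if __name__ == "__main__":
    server = FakeOpenAM({"demo": "492039"})          # constructed user and code
    url = authenticate_url("https://openam.example.com/openam", "otpCheck")
    print(verify_otp(server.post, url, "demo", "492039"))
    print(verify_otp(server.post, url, "demo", "000000"))
```

Against a live server, pass `http_post` instead of `server.post`. A `session_issued` value of true means the call produced a real login, so the chain is being reached without `noSession`.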


Przemyslaw Sempruch
Cheers Mark!

From: <[hidden email]> on behalf of Mark Boyd ソフトウェア 建築家 <[hidden email]>
Reply-To: Users <[hidden email]>
Date: Monday 8 February 2016 21:25
To: Users <[hidden email]>
Subject: Re: [OpenAM] Verifying OTP (using OATH TOTP module) without password

If by "password stripped off" you mean simply using JavaScript to hide that field, the module will fail since it needs the password to verify the user. But you could use that module or the LDAP one as an example and create your own copy that validated that the username matched an existing user without authenticating them and verifying the password. And you'd have to inject the username into the shared state map so other modules downstream get it. Then configure a chain that has your custom module followed by the OATH module instance. To use that chain you can specify a chain by name in the login URL with a query parameter of "service=" followed by the chain name in the OpenAM realm against which you are authenticating. That would use that chain and prompt for username from the first module and once submitted would prompt for the OATH OTP via the second module.

Be careful not to mess with the root realm's authentication chain specified for admin configuration logins in the realm's authentication tab at the top of the page. You can lock yourself out of OpenAM. Been there. Done that. :-)

Mark


Bernhard Thalmayr
In reply to this post by Mark Boyd ソフトウェア 建築家
As long as you have 'ssoadm' installed, reconfiguring OpenAM so you can
use OpenAM console again is possible ... don't panic ;-).

-Bernhard

>
> Follow the Kainos buzz on: Twitter
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_kainossoftware&d=CwMGaQ&c=z0adcvxXWKG6LAMN6dVEqQ&r=HxJOk1B0DWBnbHg2bsb9TB2-xzt5wZ9gPthOgxNT6c0&m=s3_KnKjXw-XMXc0829r3GCf4LqjHmg_W0OdI8c2zgjA&s=wzhmdE7oK5abQqq-I4ofud_1F444LT4rZZCb5d4vdfs&e=> Facebook
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_KainosSoftware&d=CwMGaQ&c=z0adcvxXWKG6LAMN6dVEqQ&r=HxJOk1B0DWBnbHg2bsb9TB2-xzt5wZ9gPthOgxNT6c0&m=s3_KnKjXw-XMXc0829r3GCf4LqjHmg_W0OdI8c2zgjA&s=wucNFiqqsH0uhd2qUWftXDpdgurbR5kW8v3zzXJo1Ts&e=> Linkedin
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.linkedin.com_company_kainos&d=CwMGaQ&c=z0adcvxXWKG6LAMN6dVEqQ&r=HxJOk1B0DWBnbHg2bsb9TB2-xzt5wZ9gPthOgxNT6c0&m=s3_KnKjXw-XMXc0829r3GCf4LqjHmg_W0OdI8c2zgjA&s=Gr8_wdUdMepshQW1mQl5j6sVLO-nPuGTIavhm5PKMXQ&e=> Youtube
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_user_KainosSoftware&d=CwMGaQ&c=z0adcvxXWKG6LAMN6dVEqQ&r=HxJOk1B0DWBnbHg2bsb9TB2-xzt5wZ9gPthOgxNT6c0&m=s3_KnKjXw-XMXc0829r3GCf4LqjHmg_W0OdI8c2zgjA&s=WjRNOMS_5hLb0nNRvTXSFancy0X6w0iYNbsioy3iqoM&e=> Sunday
> Times Top 100
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.kainos.com_kainos-2Drepeats-2Dsuccess-2Dsunday-2Dtimes-2Dbest-2Dcompanies-2Dwork-2Drankings_&d=CwMGaQ&c=z0adcvxXWKG6LAMN6dVEqQ&r=HxJOk1B0DWBnbHg2bsb9TB2-xzt5wZ9gPthOgxNT6c0&m=s3_KnKjXw-XMXc0829r3GCf4LqjHmg_W0OdI8c2zgjA&s=GMpeE_MPtxp4l9CUL9HWPI3qNGQEw8uUTCOc0Uki-ZM&e=>
>
>
> This e-mail is for the intended addressee only and is strictly
> confidential; if you receive it in error please destroy the message and
> all copies. Any opinion or information in this email or its attachments
> that does not relate to Kainos business is personal to the sender and is
> not endorsed by Kainos. This email has been scanned for viruses but is
> not guaranteed to be virus free. "Kainos" is the trading name of the
> Kainos Group of companies; click the link for further information
> https://www.kainos.com/corporate-information/. Further terms and
> conditions may be found on our website www.kainos.com
>
>
>
> _______________________________________________
> Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.