The request needs to contain a valid PI-Authorization header. #2123

Closed
cartenca opened this issue Mar 21, 2020 · 6 comments
Labels
Type: Question Issues from 'are You lost' template

cartenca commented Mar 21, 2020

I'm using a PHP cURL API request to "GET /validate/triggerchallenge".

In your API documentation it is written that "The request needs to contain a valid PI-Authorization header."
What does it mean?

I use this PHP code
TO RETRIEVE TOKEN (and this is correct and it works):

    // Authenticate against /auth with a JSON body
    $data = array("username" => "admin", "password" => "..........................");
    $data_string = json_encode($data);
    $ch = curl_init('https://.................................../auth');
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data_string);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json',
        'Content-Length: ' . strlen($data_string))
    );
    $result = curl_exec($ch);
    var_dump(json_decode($result));

    // Extract the token from result.value.token
    $obj = json_decode($result);
    $tkn = $obj->{'result'}->{'value'}->{'token'};
    curl_close($ch);

TO PERFORM triggerchallenge:

    $data = array("user" => "$user");
    $data_string = json_encode($data);
    $ch = curl_init('https://................../validate/triggerchallenge');
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data_string);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json',
        'Authorization: OAuth $tkn',
        'Content-Length: ' . strlen($data_string))
    );
    $result = curl_exec($ch);
    var_dump(json_decode($result));
    curl_close($ch);

but I receive: 'Authentication failure. Error during decoding your token: Not enough segments'
Could you help me please?

One more thing....
Is it possible to retrieve, with an API, the OTP code sent to the user by the triggerchallenge above?
I have to use the OTP code to encrypt a file so that the user can decrypt it with the same OTP code sent to him by privacyidea.
Thank you very much!

Carlo

@github-actions

Thank you for filing an issue and sharing your observations or ideas. Please be sure to provide as much information as possible to help us work on this issue.

@cornelinux cornelinux added the Type: Question Issues from 'are You lost' template label Mar 22, 2020
@cornelinux
Member

cornelinux commented Mar 22, 2020

We do not do real OAuth, so you need to pass the Authorization header a bit differently:

    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json',
        "Authorization: $tkn",  // double quotes so PHP interpolates $tkn
        'Content-Length: ' . strlen($data_string))
    );

Since in certain cases there can be clashes with other Authorization headers, we also parse for our own header and you can do it this way:

    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json',
        "PI-Authorization: $tkn",  // double quotes so PHP interpolates $tkn
        'Content-Length: ' . strlen($data_string))
    );

@cartenca
Author

Thank you.
What about my second question?

Is it possible to get, with an API, the OTP code sent to the user by the triggerchallenge above?
I have to use the OTP code to encrypt a file so that the user can decrypt it with the same OTP code sent to him by privacyidea.
Thank you very much!

Carlo

@cartenca
Author

I GET the same error.....

Screen:

object(stdClass)[1]
public 'jsonrpc' => string '2.0' (length=3)
public 'signature' => string '21395922826955434680144180307377356453340533425273030970429355117596273017722969180939741404597431018389192348281789774970954328289420302600379125975660355428141898476682241967046009667911999053799124845888692567381609884719239266402378915150253711899445487827207578369816275650987658372202295939595054714898577966653366304150424284565483346759265256097115195646776587359796703029678262438564173459189302796977907437296112652713882796458831956880390164858947495215819542778620285794666993985129298933565795522902'... (length=617)
public 'versionnumber' => string '2.23.5' (length=6)
public 'version' => string 'privacyIDEA 2.23.5' (length=18)
public 'result' =>
object(stdClass)[2]
public 'status' => boolean true
public 'value' =>
object(stdClass)[3]
public 'username' => string 'admin' (length=5)
public 'realm' => string '' (length=0)
public 'rights' =>
array (size=84)
...
public 'default_tokentype' => string 'hotp' (length=4)
public 'user_details' => boolean false
public 'log_level' => int 20
public 'timeout_action' => string 'lockscreeen' (length=11)
public 'logout_time' => int 120
public 'token_wizard_2nd' => boolean false
public 'token_wizard' => boolean false
public 'menus' =>
array (size=6)
...
public 'token' => string 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwibm9uY2UiOiI0YzI4ODIxYTVlNWY0MmZhZDgzY2I1ZDZhZDNhY2UxY2UyMmQyZDZiIiwiYXV0aHR5cGUiOiJwYXNzd29yZCIsInJlYWxtIjoiIiwicmlnaHRzIjpbInJlc2V0Iiwic3Bhc3Nfb3RwX3Bpbl9jb250ZW50cyIsInNldHBpbiIsInJldm9rZSIsImF1ZGl0bG9nX2FnZSIsImFkZHVzZXIiLCJlbnJvbGxTTVMiLCJwb2xpY3lkZWxldGUiLCJtYW5hZ2VzdWJzY3JpcHRpb24iLCJzdGF0aXN0aWNzX3JlYWQiLCJlbnJvbGxUSVFSIiwiY29uZmlnZGVsZXRlIiwibWFjaGluZWxpc3QiLCJyYWRpdXNzZXJ2ZXJfd3JpdGUiLCJzZXQiLCJyZXN5bmMiLCJ1bmFzc2lnbiIsInNtc2dhdGV3YXl'... (length=2020)
public 'search_on_enter' => boolean false
public 'user_page_size' => int 15
public 'subscription_status' => int 0
public 'role' => string 'admin' (length=5)
public 'token_page_size' => int 15
public 'policy_template_url' => string 'https://raw.githubusercontent.com/privacyidea/policy-templates/master/templates/' (length=80)
public 'hide_welcome' => boolean false
public 'time' => float 1584863088.5377
public 'id' => int 1
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.[...].FAtrfRkzJb-X5nQCyOUr9aOAeDgaLTPwLsv1NfCddy0

object(stdClass)[4]
public 'jsonrpc' => string '2.0' (length=3)
public 'signature' => string '12316517632138395189632461287149406328390439375478872819310228352061054981679177119501176421759990246995774081037306845215448228191687595244216845265633980427977138877124803332710780107789008218049261445715242496885793780461257110777841433761749670572987412489617905045320228812425932645545623505248730792937196817850494416706872130554223962635811643048198806357531646751775614833831767422437044195665204228033067035253780798018674918390560411057868577264537753688145763095347864291064872833757020383644805796021'... (length=617)
public 'detail' => null
public 'version' => string 'privacyIDEA 2.23.5' (length=18)
public 'result' =>
object(stdClass)[5]
public 'status' => boolean false
public 'error' =>
object(stdClass)[6]
public 'message' => string 'Authentication failure. Error during decoding your token: Not enough segments' (length=77)
public 'code' => int 4304
public 'time' => float 1584863089.2937
public 'id' => int 1

@cornelinux
Member

Then you are probably making another mistake.
See https://privacyidea.readthedocs.io/en/latest/modules/api/auth.html#authentication-endpoints

For questions about how to use privacyIDEA and concepts (your 2nd one) please go to https://community.privacyidea.org

@cornelinux
Member

@cartenca You may want to take a look at the implementation of our simpleSAMLphp module, which also uses the trigger challenge or at our ownCloud Plugin. Thus you can see how we did it in PHP.
https://github.com/privacyidea/simplesamlphp-module-privacyidea/
https://github.com/privacyidea/privacyidea-owncloud-app

I closed this issue, because it is not an issue with privacyIDEA.
Please understand that we are using the GitHub issues to develop the privacyIDEA software, not to help others using privacyIDEA or integrating it.
For this, please go to the aforementioned community forum.
Thanks!
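
An added example, not part of the original thread and not privacyIDEA code: the "Not enough segments" error is consistent with the single-quoted `'Authorization: OAuth $tkn'` line in the question, because PHP does not interpolate variables inside single quotes, so the literal text `$tkn` is sent instead of the three-segment JWT. The helper names and the sample token below are constructed for illustration.

```php
<?php
// Added example: helper names and the sample token are constructed for illustration.

// Constructed sample JWT (header.payload.signature); not a real credential.
$b64url = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$tkn = $b64url('{"alg":"HS256","typ":"JWT"}') . '.'
     . $b64url('{"username":"demo"}') . '.'
     . $b64url('constructed-signature');

// Hypothetical helper: count the dot-separated segments in a header line's value.
function jwt_segment_count(string $headerLine): int
{
    $value = trim(substr($headerLine, strpos($headerLine, ':') + 1));
    return count(explode('.', $value));
}

// Hypothetical helper: build the header by concatenation and refuse any value
// that is not shaped like header.payload.signature before it leaves the client.
function pi_auth_header(string $token, string $name = 'PI-Authorization'): string
{
    if (preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/', $token) !== 1) {
        throw new InvalidArgumentException('token is not header.payload.signature');
    }
    return $name . ': ' . $token;
}

$headers = [
    'single' => 'Authorization: $tkn',  // single quotes: the literal text "$tkn" is sent
    'double' => "Authorization: $tkn",  // double quotes: PHP substitutes the token
    'safe'   => pi_auth_header($tkn),   // concatenation plus a shape check
];

foreach ($headers as $label => $line) {
    printf("%-6s segments=%d  %s\n", $label, jwt_segment_count($line), substr($line, 0, 48));
}

// A scheme prefix such as "OAuth " is not part of the token; the check rejects it.
try {
    pi_auth_header('OAuth ' . $tkn);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Dumping the exact header array passed to `CURLOPT_HTTPHEADER` before calling `curl_exec()` shows which of these three forms is actually being sent.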
