Open cornelinux opened 4 years ago
@cornelinux from an API perspective the trigger will be the same as for the Mail or SMS token? (https://privacyidea.readthedocs.io/en/latest/modules/api/validate.html#post--validate-triggerchallenge)
In this case the implementation is still there. Please correct me if I'm wrong 😄
In the next days I'll extend my test environment with this token type.
Yes, SMS and Email work the same. Either trigger with an admin and triggerchallenge or trigger by user with a PIN. But for the workflow they are completely the same.
I've tested it in our environment, works perfectly. After the user entered the credential and clicked next, the Push-Token is initiated. The following token input form can then just be submitted with an empty input. If the user has more than one token assigned (TOTP and HOTP in my test cases), the respective PIN can also be entered if the Push-Token is unavailable.
As discussed in #2 an admin user is currently required to issue the Push-Token. From my point of view that behavior is correct, as the Push-Token has to be initiated via /validate/triggerChallenge in BeginAuthentication (before the OTP form appears), since a call to /validate/check without admin credentials and without a user password would result in a failed login attempt. @cornelinux is this correct?
I can confirm it works, but having to submit an empty string is not very intuitive from an end user perspective IMHO
That's true, but what could be an alternative?
If the current user has exactly one token of type "Push" you could hide the text input in the submit form. As far as I understand, the API function TriggerChallenge is called, but according to https://privacyidea.readthedocs.io/en/latest/modules/api/validate.html it does not return the types of the tokens which are assigned to the user. Without knowing the types, it does not seem possible to decide whether the text input should be shown or not.
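The two-step flow the thread describes (admin-authenticated /validate/triggerchallenge in BeginAuthentication, then /validate/check with the transaction_id, where an empty input polls the push transaction and an OTP falls back to another token) can be modelled offline. The example below is added here and is not the ADFS provider's or privacyIDEA's own code: the HTTP layer is a pluggable callable, `FakePrivacyIDEA` is a constructed stand-in whose JSON layout (`result.value`, `detail.transaction_id`, `detail.multi_challenge` with a per-challenge `type`) follows the documented privacyIDEA responses only as far as needed, and its rules for what counts as a failed attempt are a modelling assumption. The `show_otp_field` helper shows the decision discussed above: the input can only be hidden when the server actually reports that every triggered challenge is of type push.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Constructed sample data: placeholder serials, OTP values and admin token, no real secrets.
FAKE_TOKENS = {
    "alice": {"PIPU0001": ("push", None), "TOTP0001": ("totp", "123456")},
    "bob": {"PIPU0002": ("push", None)},
}
ADMIN_TOKEN = "constructed-admin-auth-token"  # a real deployment obtains this from /auth


class FakePrivacyIDEA:
    """Offline stand-in for /validate/triggerchallenge and /validate/check (assumption)."""

    def __init__(self) -> None:
        self.pending: Dict[str, Dict] = {}       # transaction_id -> {"user", "confirmed"}
        self.failed_attempts: Dict[str, int] = {}
        self._seq = 0

    def confirm_push(self, transaction_id: str) -> None:
        """Simulates the user accepting the push message in the smartphone app."""
        self.pending[transaction_id]["confirmed"] = True

    def post(self, path: str, data: Dict, headers: Dict) -> Dict:
        if path == "/validate/triggerchallenge":
            if headers.get("Authorization") != ADMIN_TOKEN:   # admin role is required here
                return {"result": {"status": False, "value": False}}
            user = data["user"]
            self._seq += 1
            tid = f"{self._seq:020d}"
            self.pending[tid] = {"user": user, "confirmed": False}
            mc = [{"serial": s, "type": t, "transaction_id": tid}
                  for s, (t, _) in FAKE_TOKENS.get(user, {}).items()]
            return {"result": {"status": True, "value": len(mc)},
                    "detail": {"transaction_id": tid, "multi_challenge": mc}}
        if path == "/validate/check":
            user, tid, otp = data["user"], data.get("transaction_id"), data.get("pass", "")
            pend = self.pending.get(tid)
            if pend and pend["user"] == user and otp == "":
                # empty pass with an open push transaction is a poll, not a failed attempt
                return {"result": {"status": True, "value": pend["confirmed"]}}
            otps = {v for _, v in FAKE_TOKENS.get(user, {}).values() if v}
            if pend and pend["user"] == user and otp in otps:
                return {"result": {"status": True, "value": True}}
            # anything else (no transaction, no/wrong password) counts as a failed login attempt
            self.failed_attempts[user] = self.failed_attempts.get(user, 0) + 1
            return {"result": {"status": True, "value": False}}
        raise ValueError(f"unknown endpoint {path}")


@dataclass
class Challenge:
    transaction_id: str
    token_types: Set[str]


class AdfsStyleFlow:
    """BeginAuthentication / TryEndAuthentication split as discussed in the thread (hypothetical names)."""

    def __init__(self, post: Callable[[str, Dict, Dict], Dict], admin_token: str) -> None:
        self._post, self._admin_token = post, admin_token

    def begin_authentication(self, user: str, realm: str) -> Optional[Challenge]:
        resp = self._post("/validate/triggerchallenge", {"user": user, "realm": realm},
                          {"Authorization": self._admin_token})
        detail = resp.get("detail") or {}
        mc = detail.get("multi_challenge") or []
        if not resp.get("result", {}).get("status") or not mc:
            return None
        return Challenge(detail["transaction_id"], {c["type"] for c in mc if c.get("type")})

    @staticmethod
    def show_otp_field(ch: Challenge) -> bool:
        """Hide the text input only when the server reports every challenge as push;
        if no types were reported, keep the field so other tokens still work."""
        return not ch.token_types or ch.token_types != {"push"}

    def try_end_authentication(self, user: str, realm: str, ch: Challenge, otp: str = "") -> bool:
        resp = self._post("/validate/check", {"user": user, "realm": realm,
                          "transaction_id": ch.transaction_id, "pass": otp}, {})
        return bool(resp.get("result", {}).get("value"))


if __name__ == "__main__":
    server = FakePrivacyIDEA()
    flow = AdfsStyleFlow(server.post, ADMIN_TOKEN)
    ch = flow.begin_authentication("alice", "default")
    print("show OTP field:", flow.show_otp_field(ch))
    print("poll before accept:", flow.try_end_authentication("alice", "default", ch))
    server.confirm_push(ch.transaction_id)
    print("poll after accept:", flow.try_end_authentication("alice", "default", ch))
```

In the run above the user with a push and a TOTP token keeps the input field, while a user with only a push token can be offered a form without it; the empty-input poll never increments the failure counter, whereas a wrong OTP does.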
The privacyIDEA Push Token has been around for a while; it allows easy authentication via a push message (after a complex setup has been done). We already added the push functionality to the ownCloud plugin, and I am not sure about Keycloak? SimpleSAMLphp?
It would be nice, if the ADFS plugin also provided this possibility.
Interesting reads are here:
https://privacyidea.readthedocs.io/en/latest/configuration/authentication_modes.html
https://privacyidea.readthedocs.io/en/latest/configuration/tokens/push.html#push-token
https://github.com/privacyidea/privacyidea/wiki/concept%3A-PushToken
I am happy to assist in any way.