CR OTP Authentication API
Authentication function that verifies a username together with a Challenge-Response OTP. The user must first request an OTP challenge code (the Request CR OTP call), then generate the corresponding response OTP from that challenge code before this function is called.
Below is the URL used to access the API function:
POST /v2/CentagateWS/webresources/auth/authCrOtp
Parameters
No | Parameter | Occurrence | Description |
---|---|---|---|
1 | username | Required | Username registered in CENTAGATE Cloud. |
2 | devAccId | Required | The user's registered device account ID. |
3 | challenge | Required | Challenge code sent from the server to the user (returned by the Request CR OTP call); the same value is echoed back here. The JSON field name is lowercase `challenge`, as in the samples below. |
4 | crOtp | Required | Challenge-Response OTP generated in the CENTAGATE Cloud App from the challenge code. |
5 | authToken | Optional | The previously generated AuthToken, if one exists. |
6 | integrationKey | Required | Integration key of the app the user wants to authenticate to. |
7 | unixTimestamp | Required | Current time as a Unix timestamp in seconds, sent as a string (see the samples). It is part of the HMAC input, so the string used in the HMAC must be the same one placed in the request. |
8 | supportFido | Optional | FIDO authentication option: pass "true" to enable, "false" to disable, or leave it empty. |
9 | ipAddress | Optional | IP address from which the authentication request originated. Populate it from the connection your server actually received rather than from a value the client supplies. |
10 | userAgent | Optional | Platform information of the client from which the authentication request is made. |
11 | browserFp | Optional | Browser Fingerprint. |
12 | otpType | Optional | "online" for a mobile token or "offline" for a hardware token (lowercase, as used in the samples below). The value is part of the HMAC input. |
13 | tokenId | Optional | Hardware token serial number. Needed only when the user has registered more than one hardware token, to select which one is used. It is not part of the HMAC input. |
14 | hmac | Required | HMAC-SHA256, hex-encoded, of the concatenation (no separators, in exactly this order) of username + devAccId + crOtp + otpType + challenge + integrationKey + unixTimestamp + authToken + supportFido + ipAddress + userAgent + browserFp, keyed with the app's Secret Key (obtained from the App page). Build the string from exactly the same values you place in the request body; any difference in value, order or casing makes the server's verification fail. Keep the Secret Key on your server — never embed it in browser or mobile code. The JSON field name is lowercase `hmac`, as in the samples below. |
Sample Code
Below are some examples of source code for accessing the API function:
Java
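/**
 * Sample client for POST /v2/CentagateWS/webresources/auth/authCrOtp (CR OTP authentication).
 *
 * Every placeholder value below must be replaced with a real one. The values that go into
 * the HMAC are the same local variables that go into the JSON body, so the signature the
 * server recomputes matches what is sent; the earlier version of this sample used separate
 * string literals for the two and they had drifted apart (supportFido, unixTimestamp).
 *
 * Run this on the integrating server only: the Secret Key used for the HMAC must never be
 * shipped to a browser or mobile app.
 *
 * @param args unused
 * @throws Exception propagated from {@link #convertHmacSha256(String, String)} and the HTTP client
 */
public static void main(String[] args) throws Exception {
    ClientConfig config = new DefaultClientConfig();
    Client client = Client.create(config);
    WebResource service = client.resource("https://<domain_name>/v2/CentagateWS/webresources");
    Gson gson = new Gson();

    String secretKey = "secretkey";           // App Secret Key from the App page; load from secure config, do not hard-code
    String username = "username";
    String devAccId = "devAccId";
    String crOtp = "crOtp";                   // response OTP the user generated from the challenge
    String challenge = "challenge";           // challenge code returned by the Req CR OTP call
    String otpType = "otpType";               // 'online' for a mobile token, 'offline' for a hardware token
    String tokenId = "tokenId";               // hardware token serial number; only needed if the user registered several
    String authToken = "authToken";           // previously generated AuthToken, or "" if none
    String integrationKey = "integrationKey";
    String unixTimestamp = String.valueOf(System.currentTimeMillis() / 1000L); // current time in seconds
    String supportFido = "";                  // "true", "false" or ""
    String ipAddress = "ipAddress";
    String userAgent = "userAgent";
    String browserFp = "browserFp";

    // HMAC input: the documented field order, concatenated with no separator.
    // tokenId is not part of the HMAC.
    String hmac = convertHmacSha256(secretKey,
            username + devAccId + crOtp + otpType + challenge + integrationKey
            + unixTimestamp + authToken + supportFido + ipAddress + userAgent + browserFp);

    HashMap<String, String> map = new HashMap<String, String>();
    map.put("username", username);
    map.put("devAccId", devAccId);
    map.put("crOtp", crOtp);
    map.put("challenge", challenge);
    map.put("otpType", otpType);
    map.put("tokenId", tokenId);
    map.put("authToken", authToken);
    map.put("integrationKey", integrationKey);
    map.put("unixTimestamp", unixTimestamp);
    map.put("ipAddress", ipAddress);
    map.put("userAgent", userAgent);
    map.put("browserFp", browserFp);
    map.put("supportFido", supportFido);
    map.put("hmac", hmac);

    // The body is JSON; declare it as such like the Node and PHP samples do.
    ClientResponse response = service.path("auth").path("authCrOtp")
            .accept(MediaType.APPLICATION_JSON)
            .type(MediaType.APPLICATION_JSON)
            .post(ClientResponse.class, gson.toJson(map));
    String retJson = response.getEntity(String.class);

    @SuppressWarnings("unchecked")
    HashMap<String, Object> returnData = (HashMap<String, Object>) gson.fromJson(retJson, HashMap.class);
    if (returnData == null || returnData.get("code") == null) {
        // Not the documented {code, message, object} shape; do not treat it as success.
        System.out.println("Unexpected response (HTTP " + response.getStatus() + "): " + retJson);
        return;
    }
    String code = String.valueOf(returnData.get("code"));
    String message = String.valueOf(returnData.get("message"));
    String object = String.valueOf(returnData.get("object"));
    System.out.println("Code: " + code);
    System.out.println("Message: " + message);
    System.out.println("Object: " + object);
}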
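/**
 * Computes HMAC-SHA256 over {@code params} keyed with {@code secretKey} and returns it as
 * lowercase hexadecimal — the same encoding the Node ({@code digest('hex')}) and PHP
 * ({@code hash_hmac}) samples produce.
 *
 * Both strings are UTF-8 encoded before hashing; the server must use the same encoding for
 * the two HMACs to be comparable. Only the JDK is used, so the commons-codec dependency the
 * earlier version needed for UTF-8 and hex conversion is gone. The catch-and-rewrap blocks of
 * the earlier version were also dropped: they added nothing, and the final one replaced the
 * original exception type with a bare {@code Exception}.
 *
 * The {@code throws} clause is kept as it was for source compatibility with existing callers.
 *
 * @param secretKey the app's Secret Key (from the App page); must be non-empty
 * @param params    the concatenated request fields, in the documented order
 * @return the HMAC as 64 lowercase hex characters
 * @throws NoSuchAlgorithmException if the JCE provider has no HmacSHA256
 * @throws InvalidKeyException      if the provider rejects the key
 */
public static String convertHmacSha256(String secretKey, String params) throws NoSuchAlgorithmException,
InvalidKeyException, IllegalStateException, SignatureException, NoSuchProviderException, Exception
{
    final SecretKeySpec key = new SecretKeySpec(
            secretKey.getBytes(java.nio.charset.StandardCharsets.UTF_8), "HmacSHA256");
    final Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(key);
    final byte[] digest = mac.doFinal(params.getBytes(java.nio.charset.StandardCharsets.UTF_8));

    // Lowercase hex, two characters per byte.
    final StringBuilder hex = new StringBuilder(digest.length * 2);
    for (byte b : digest) {
        hex.append(Character.forDigit((b >> 4) & 0xF, 16));
        hex.append(Character.forDigit(b & 0xF, 16));
    }
    return hex.toString();
}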
Node Js
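'use strict';
// Sample client for POST /v2/CentagateWS/webresources/auth/authCrOtp (CR OTP authentication).
//
// Run this on the integrating server only: the Secret Key used for the HMAC must never be
// shipped to a browser or mobile app.
const https = require('https');
const crypto = require('crypto');

// Replace every placeholder with a real value.
const secretKey = '<secret key>';        // App Secret Key from the App page; load from secure config
const username = '<username>';
const devAccId = '<devAccId>';
const crOtp = '<crOtp>';                 // response OTP the user generated from the challenge
const otpType = '<otpType>';             // 'online' for a mobile token, 'offline' for a hardware token
const tokenId = '<tokenId>';             // hardware token serial number; only if the user registered several
const challenge = '<challenge>';         // challenge code returned by the Req CR OTP call
const integrationKey = '<integration key>';
const unixTimestamp = String(Math.round(Date.now() / 1000)); // current time in seconds
const authToken = '<authToken>';
const supportFido = '<supportFido>';
const ipAddress = '<ipAddress>';
const userAgent = '<userAgent>';
const browserFp = '<browserFp>';

// HMAC input: the documented field order, concatenated with no separator. The earlier
// version of this sample had authToken before integrationKey, which does not match the
// Java and PHP samples or the parameter table. tokenId is not part of the HMAC.
const hmacText = [
  username,
  devAccId,
  crOtp,
  otpType,
  challenge,
  integrationKey,
  unixTimestamp,
  authToken,
  supportFido,
  ipAddress,
  userAgent,
  browserFp,
].join('');
// The algorithm name is a string; the bare identifier `sha256` the earlier version used is
// a ReferenceError.
const hmac = crypto.createHmac('sha256', secretKey).update(hmacText, 'utf8').digest('hex');

// The body uses the same variables as the HMAC, so the two cannot drift apart.
const data = JSON.stringify({
  username,
  devAccId,
  crOtp,
  otpType,
  tokenId,
  challenge,
  authToken,
  integrationKey,
  unixTimestamp,
  ipAddress,
  supportFido,
  userAgent,
  browserFp,
  hmac,
});

const options = {
  hostname: '<domain_name>',
  port: 443,
  path: '/v2/CentagateWS/webresources/auth/authCrOtp',
  method: 'POST',
  headers: {
    Accept: 'application/json',
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
  },
};

const req = https.request(options, (res) => {
  console.log(`HTTP Status Code: ${res.statusCode}`);
  // Collect the whole body first: parsing on every 'data' chunk, as the earlier version
  // did, throws as soon as a response arrives in more than one chunk.
  let body = '';
  res.setEncoding('utf8');
  res.on('data', (chunk) => {
    body += chunk;
  });
  res.on('end', () => {
    let parsed;
    try {
      parsed = JSON.parse(body);
    } catch (err) {
      console.error(`Unparseable response: ${err.message}`);
      return;
    }
    // Treat only the documented success code as success; anything else, including a
    // missing code, is a failure.
    if (parsed !== null && typeof parsed === 'object' && Number(parsed.code) === 0) {
      console.log('Authentication Succeed');
      console.log('Response:');
      console.log(body);
    } else {
      console.log(`Authentication Fail, Message:${parsed?.message}`);
      console.log(`Code:${parsed?.code}`);
    }
  });
});

// Event names are case-sensitive: 'ERROR' (as in the earlier version) never fires, so
// connection and TLS failures went unreported.
req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();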
PHP
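<?php
// Sample client for POST /v2/CentagateWS/webresources/auth/authCrOtp (CR OTP authentication).
//
// Run this on the integrating server only: the Secret Key used for the HMAC must never be
// exposed to the browser or mobile app.
$url = 'https://<domain_name>/v2/CentagateWS/webresources/auth/authCrOtp';

// Replace every placeholder with a real value.
$secretKey = "<secretkey>";       // App Secret Key from the App page; load from secure config, do not hard-code
$username = "<username>";
$devAccId = "<devAccId>";
$crOtp = "<crOtp>";               // response OTP the user generated from the challenge
$otpType = "<otpType>";           // 'online' for a mobile token, 'offline' for a hardware token
$tokenId = "<tokenId>";           // hardware token serial number; only if the user registered several
$challenge = "<challenge>";       // challenge code returned by the Req CR OTP call
$authToken = "<authToken>";
$integrationKey = "<integrationkey>";
$unixTimestamp = strval(time()); // current time in seconds, as a string
$supportFido = "<supportFido>";
$ipAddress = "<ipAddress>";
$userAgent = "<userAgent>";
$browserFp = "<browserFp>";

// HMAC input: the documented field order, concatenated with no separator.
// tokenId is not part of the HMAC.
$hmac_text = $username.$devAccId.$crOtp.$otpType.$challenge.$integrationKey.$unixTimestamp.$authToken.$supportFido.$ipAddress.$userAgent.$browserFp;
$hmac = hash_hmac('sha256', $hmac_text, $secretKey); // lowercase hex

// The body uses the same variables as the HMAC, so the two cannot drift apart.
$jsonData = array(
    'otpType' => $otpType,
    'tokenId' => $tokenId,
    'username' => $username,
    'crOtp' => $crOtp,
    'challenge' => $challenge,
    'devAccId' => $devAccId,
    'integrationKey' => $integrationKey,
    'unixTimestamp' => $unixTimestamp,
    'ipAddress' => $ipAddress,
    'userAgent' => $userAgent,
    'browserFp' => $browserFp,
    'authToken' => $authToken,
    'supportFido' => $supportFido,
    'hmac' => $hmac
);
$jsonDataEncoded = json_encode($jsonData);
if ($jsonDataEncoded === false) {
    print "Could not encode request: " . htmlspecialchars(json_last_error_msg(), ENT_QUOTES, 'UTF-8');
    exit;
}

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonDataEncoded);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Accept: application/json', 'Content-Type: application/json'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Leave certificate verification at its default (enabled). Do not set
// CURLOPT_SSL_VERIFYPEER/CURLOPT_SSL_VERIFYHOST to false "to make it work": the OTP and
// HMAC travel in the request body and TLS is what protects them in transit.
$result = curl_exec($ch);
if ($result === false) {
    // Transport-level failure (DNS, TLS, timeout): there is no response to parse.
    print "Request failed: " . htmlspecialchars(curl_error($ch), ENT_QUOTES, 'UTF-8');
    curl_close($ch);
    exit;
}
curl_close($ch);

$obj = json_decode($result);
if (!is_object($obj) || !isset($obj->code)) {
    // Not the documented {code, message, object} shape; do not treat it as success.
    print "Unexpected response: " . htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
    exit;
}

// The output below is rendered as HTML (<br>), so server-supplied strings are escaped.
$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
};
$message = isset($obj->message) ? $obj->message : '';

if ($obj->code != 0) {
    print "Authentication fail";
    echo " <br>";
    print "Message: " . $esc($message);
    echo " <br>";
    print "Code: " . $esc($obj->code);
} else {
    print "Authentication succeed";
    echo " <br>";
    print "Message: " . $esc($message);
    echo " <br>";
    print "Code: " . $esc($obj->code);
    echo " <br>";
    print "Result:";
    echo " <br>";
    print $esc($result);
}
?>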