One Time Token (OTT) - using for one-time login link.

Hi,
Me again, sorry. Using the info here: developer[dot]acronis[dot]com/doc/account-management/v2/guide/advanced/ott/external-login-url I've tried to create a one-time login link for customers.
I've got an OTT back from the API - Unfortunately the link doesn't work. It does all of its checks, making sure everything is logged out before it tries to log the user in, but fails with a 403.
Example link:
eu-cloud[dot]acronis[dot]com/api/2/idp/external-login#ott=T1<snipped>EQ%3D%3D&targetURI=<scheme>eu-cloud[dot]acronis[dot]com/bc/
There were no errors when requesting the OTT.
I've tried
- passing login (with users login name) and also user_id with their UUID.
- substituting the # with ? in the URL.
All result in the same error each time I generate a link. The links have been tried within 30s so they shouldn't be expired.
Thanks,
Karl
Attachment | Size |
---|---|
-acronis-ott-failure.png | 61.24 KB |

Was beginning to think I was losing the plot and missing something obvious!
It's more to allow users to log in to our management portal, then go to Acronis portal if they need to without needing to do another sign-in.
Thanks :)

Yes, you need to write this cookie to your customer session and it should be enough to have access to the Acronis portal without the need for an additional sign-in.
Also, if you have implemented your own OAuth/OIDC IdP endpoint, you can register your IdP provider and then create users with links to this provider, so that all the users will be authenticated through your endpoint.
Just to be sure - checked with my Chrome (F12), adding the AUTH_SERVER_SECURE cookie from POST /idp/ott/login results.
Stas Pavlov | Technology Evangelist
Acronis Developer Network | Acronis Cyber Cloud Solutions Portal | Acronis Cyber Platform
For more answers to your questions, try our Knowledge Base and Video Tutorials
Our mission is to create Customers and Partners success. Our management team welcomes your comments and suggestions on how we can improve the overall support we provide to you. Please send your comments, suggestions, or concerns to Managers or submit your feedback here.


Hi,
I've finally had time to look at this. What you're proposing won't work, as best I can tell, as we've no way of writing a cookie to the user's browser for an Acronis domain (we're still waiting for our custom domain to be set up). As it's cross-domain, it will be blocked - the same reason we can't do an Ajax call from the user's browser to /idp/ott/login to set it.
Thanks,
Karl

I had a lot of pain trying to get the API v2 method of single sign-in working. In the end I used API v1 for logins:
GET request to https://xx-cloud.acronis.com/api/1/users/$user_id/impersonate/
Returns a token then you can send the person to
https://xx-cloud.acronis.com/?jwt=returned_jwt_token
The v2 method of setting a password is also busted it seems.
UPDATE: Ignore me about password in v2, it's working correctly now.

Above I admitted that the redirect URL doesn't work as expected now in v2. As soon as it's fixed the functionality will be the same. I already raised an issue for R&D regarding that.
Could you please clarify your issues with password setting?
Stas Pavlov | Technology Evangelist

Thanks Neil, I'll give v1 a try for now. Didn't think to go back and look at v1.
We've got password setting via v2 working. When I'm back at a machine I'll have a look what we did.
Karl

Apologies. I stand corrected, API v2 password is now working. I will admit it's been a little while since I last tried but it appears the issue has been resolved.

Sorry for the delay with OTT. I've received clarification and then just spent some time to be sure that it all works as expected.
So, to have the URI /idp/external-login#ott={{ott}}&targetURI=<your_url> work, you need to URL-encode {{ott}}.
I've captured a small screencast to showcase how it works https://access.acronis.com/t/k83nb7ui
Stas Pavlov | Technology Evangelist

We were already running it with urlencode for the OTT (the %3D in the original URL posted).
However, since our custom domain & SSL was set up the v2 OTT now seems to be working!
Thanks,
Karl

I've just drilled down together with R&D to the page script itself and checked that it all works.
There are 2 main steps:
- post a URL-decoded OTT token to /idp/ott/login
- redirect to targetURI
And we ensure that they work.
Happy to know that it started to work for you as well.
Stas Pavlov | Technology Evangelist

Can you see what I'm missing here? It's probably something obvious. I can log in to this user with API v1, no problems. But when I attempt to request an OTT token with v2 I get an error:
$url = https://au1-cloud.acronis.com/api/2/idp/ott
[user_id] => 56b8d9cf-9a9d-41b9-a048-b9a646685507
Which is posted to the above URL json_encoded. I also tried the actual username just in case but that also doesn't work.
$data = Array (
[purpose] => user_login
[login] => sirvulcan
)
I get the following response in both cases.

Just an update on this: it looks like it might be related to the authentication. I'm actually using basic auth currently, after looking through things. Going to look at the /idp/token endpoint for getting a token and then I'll provide an update.

Yes, Neil. You are correct. The only difference is that I'm using an API Client and then Bearer Authentication with a token issued with the API Client. As well in the demo I've used the "login" field in JSON for an OTT request.
Stas Pavlov | Technology Evangelist
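
The OTT request and the login link discussed in this thread, as an added example that is not part of any post and is not Acronis code. The host, bearer token, login and OTT are constructed values, and `readFragment` is an assumed model of how the login page reads the fragment (form-style parsing via `URLSearchParams`); it shows why the OTT has to be URL-encoded.

```javascript
// Added example, not Acronis code. Host, login and token values are constructed.
const PORTAL = "https://eu-cloud.example.test"; // placeholder for your datacenter host

// OTT request as described in the thread: JSON body with "purpose" and "login",
// sent with a Bearer token that was issued to an API client.
function ottRequest(portal, bearerToken, login) {
  return {
    method: "POST",
    url: `${portal}/api/2/idp/ott`,
    headers: {
      "Authorization": `Bearer ${bearerToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ purpose: "user_login", login }),
  };
}

// Build the one-time login link. The OTT is base64-like, so it is URL-encoded;
// targetURI is left as-is, matching the link format shown in the thread.
function buildLoginLink(portal, ott, targetURI) {
  new URL(targetURI); // throws on a malformed target
  return `${portal}/api/2/idp/external-login` +
    `#ott=${encodeURIComponent(ott)}&targetURI=${targetURI}`;
}

// Assumed model of the login page: read the fragment as key=value pairs and
// URL-decode the OTT before it is posted to /idp/ott/login.
function readFragment(link) {
  const params = new URLSearchParams(new URL(link).hash.slice(1));
  return { ott: params.get("ott"), targetURI: params.get("targetURI") };
}

// Constructed token containing "+", "/" and "=".
const SAMPLE_OTT = "T1x+y/zEQ==";
const good = buildLoginLink(PORTAL, SAMPLE_OTT, `${PORTAL}/bc/`);
const bad = `${PORTAL}/api/2/idp/external-login#ott=${SAMPLE_OTT}&targetURI=${PORTAL}/bc/`;

console.log(good);
console.log(readFragment(good).ott === SAMPLE_OTT); // encoded token survives the round trip
console.log(readFragment(bad).ott === SAMPLE_OTT);  // raw "+" is read back as a space
```
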