
One Time Token (OTT): using it for a one-time login link.

Thread solved
Beginner
Contributions: 2
Comments: 8

Hi,

Me again, sorry. Using the info here: developer[dot]acronis[dot]com/doc/account-management/v2/guide/advanced/ott/external-login-url I've tried to create a one-time login link for customers.

I've got an OTT back from the API. Unfortunately the link doesn't work. It does all of its checks, making sure everything is logged out before it tries to log the user in, but fails with a 403.

Example link:

eu-cloud[dot]acronis[dot]com/api/2/idp/external-login#ott=T1<snipped>EQ%3D%3D&targetURI=<scheme>eu-cloud[dot]acronis[dot]com/bc/

There were no errors when requesting the OTT.

I've tried

  • passing login (with the user's login name) and also user_id with their UUID.
  • substituting the # with ? in the URL.

All result in the same error each time I generate a link.  The links have been tried within 30s so they shouldn't be expired.

Thanks,

Karl

Attached file: -acronis-ott-failure.png (61.24 KB)
Forum Member
Contributions: 1
Comments: 45

#1

The idp/external-login page is very simple. It's POST /idp/ott/login to receive a session cookie and redirect to a specific URI. But it doesn't work for me either. I will check and return to you with updates.

As a workaround, to log in as another user you might do the same as the page does: use POST /idp/ott/login, receive an authorization cookie and use it to be authorized as that user.

Beginner
Contributions: 2
Comments: 8

#2

Was beginning to think I was losing the plot and missing something obvious!

It's more to allow users to log in to our management portal, then go to the Acronis portal if they need to without needing to do another sign-in.

Thanks :)

Forum Member
Contributions: 1
Comments: 45

#3

Yes, you need to write this cookie to your customer's session and it should be enough to have access to the Acronis portal without needing an additional sign-in.

As well, if you have implemented your own OAuth/OIDC IdP endpoint, you can register your IdP provider and then create users with links to this provider; thus all the users will be authenticated through your endpoint.

Just to be sure, I checked with my Chrome (F12): adding the AUTH_SERVER_SECURE cookie from the POST /idp/ott/login results works.

Beginner
Contributions: 2
Comments: 8

#4

Thanks.  I'll give it a go later.

Beginner
Contributions: 2
Comments: 8

#5

Hi,

I've finally had time to look at this. What you're proposing won't work, as best I can tell, as we've no way of writing a cookie to the user's browser for an Acronis domain (we're still waiting for our custom domain to be set up). As it's cross-domain, it will be blocked, for the same reason we can't do an Ajax call from the user's browser to /idp/ott/login to set it.

Thanks,

Karl

Beginner
Contributions: 1
Comments: 4

#6

I had a lot of pain trying to get the API v2 method of single sign-on working. In the end I used API v1 for logins:

GET request to https://xx-cloud.acronis.com/api/1/users/$user_id/impersonate/

Returns a token then you can send the person to

https://xx-cloud.acronis.com/?jwt=returned_jwt_token


The v2 method of setting a password is also busted it seems.


UPDATE: Ignore me about the password in v2; it's working correctly now.

Forum Member
Contributions: 1
Comments: 45

#7

Above I admitted that the redirect URL doesn't work as expected now in v2. As soon as it's fixed the functionality will be the same. I have already raised an issue for R&D regarding that.

Could you please clarify your issues with password setting?

Beginner
Contributions: 2
Comments: 8

#8

Thanks Neil, I'll give v1 a try for now. Didn't think to go back and look at v1.


We've got password setting via v2 working. When I'm back at a machine I'll have a look what we did.

Karl

Beginner
Contributions: 1
Comments: 4

#9

Apologies. I stand corrected: API v2 password setting is now working. I will admit it's been a little while since I last tried, but it appears the issue has been resolved.

Forum Member
Contributions: 1
Comments: 45

#10

Sorry for the delay with OTT. I've received clarification and then just spent some time making sure that it all works as expected.

So, to have the URI /idp/external-login#ott={{ott}}&targetURI=<your_url> work, you need to URL-encode {{ott}}.

I've captured a small screencast to showcase how it works https://access.acronis.com/t/k83nb7ui 

Beginner
Contributions: 2
Comments: 8

#11

We were already running it with urlencode for the OTT (the %3D in the URL originally posted).

However, since our custom domain & SSL was setup the v2 OTT now seems to be working!

Thanks,

Karl

Forum Member
Contributions: 1
Comments: 45

#12

I've just drilled down together with R&D into the page script itself and checked that it all works.

There are 2 main steps:
- post the URL-decoded OTT token to /idp/ott/login
- redirect to targetURI

And we have ensured that they work.

Happy to know that it started to work for you as well.

Beginner
Contributions: 1
Comments: 4

#13

Can you see what I'm missing here? It's probably something obvious. I can log in to this user with API v1 no problem. But when I attempt to request an OTT token with v2 I get an error:

$url = https://au1-cloud.acronis.com/api/2/idp/ott

$data = Array (
[purpose] => user_login
[user_id] => 56b8d9cf-9a9d-41b9-a048-b9a646685507
)

Which is posted to the above URL json_encoded. I also tried the actual username just in case, but that also doesn't work.

$data = Array (
[purpose] => user_login
[login] => sirvulcan
)

I get the following response in both cases.

$apiResponse = {"error":{"code":401,"message":"OK","details":{},"domain":"PlatformAccountServer","context":{}}}

It's an odd error, being "OK".

EDIT:

Just to show the code working in API v1. This is being sent in the same function as the API v2 call, so it's not like I'm missing the bearer token info.

$url = https://au1-cloud.acronis.com/api/1/users/56b8d9cf-9a9d-41b9-a048-b9a646685507/impersonate/

GET request to the above URL, which returns a token (I've of course removed most of it for security reasons).

$apiResponse = {"jwt":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e....."}
Beginner
Contributions: 1
Comments: 4

#14

Just an update on this: it looks like it might be related to the authentication. I'm actually using basic auth currently, after looking through things. Going to look at the /idp/token endpoint for getting a token and then I'll provide an update.

Forum Member
Contributions: 1
Comments: 45

#15

Yes, Neil. You are correct. The only difference is that I'm using an API Client and then Bearer Authentication with a token issued with the API Client. As well in the demo I've used the "login" field in JSON for an OTT request.
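The whole flow the thread converges on (bearer token from an API client, POST /idp/ott, OTT placed URL-encoded in the fragment of /idp/external-login, and the two steps the page script then performs), as an added example that is not code from the thread or from Acronis. The endpoint paths and the ott/targetURI fragment parameters are the ones named in the posts above; the shape of the /api/2/idp/token client-credentials exchange and the JSON body posted to /idp/ott/login are assumptions, as is the fake transport, which stands in for the network so the script runs offline.

```python
"""One-time-token (OTT) login link for the Acronis Account Management API v2.

Added example, not code from the thread or from Acronis. Paths /api/2/idp/ott,
/api/2/idp/ott/login and /api/2/idp/external-login and the fragment parameters
come from the thread; the /api/2/idp/token client-credentials exchange and the
JSON body of /idp/ott/login are assumptions. Requests are built as dicts and
handed to a `send` callable, so the demo runs against a constructed fake.
"""
import base64
import json
from urllib.parse import parse_qs, quote, urlencode, urlsplit

DC_URL = "https://eu-cloud.acronis.com"   # data-centre base URL used in the thread


def token_request(client_id, client_secret):
    """Client-credentials exchange for an API client (assumed endpoint shape).
    Basic auth is used only here, to obtain the bearer token; sending Basic
    auth straight to /idp/ott returned 401 in the thread."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"method": "POST", "url": f"{DC_URL}/api/2/idp/token",
            "headers": {"Authorization": f"Basic {creds}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "client_credentials"})}


def ott_request(bearer, *, login=None, user_id=None):
    """POST /api/2/idp/ott with purpose=user_login and exactly one of
    login (user name) or user_id (UUID); the thread uses both."""
    if (login is None) == (user_id is None):
        raise ValueError("pass exactly one of login= or user_id=")
    body = {"purpose": "user_login"}
    if login is not None:
        body["login"] = login
    else:
        body["user_id"] = user_id
    return {"method": "POST", "url": f"{DC_URL}/api/2/idp/ott",
            "headers": {"Authorization": f"Bearer {bearer}",
                        "Content-Type": "application/json"},
            "body": json.dumps(body)}


def external_login_url(ott, target_uri):
    """Link handed to the user's browser. The OTT lives in the URL fragment
    (after '#'), which browsers never send to the server, so it stays out of
    request logs; the page's script reads it client-side. It must be
    percent-encoded: a base64 OTT ends in '=' and may contain '+' or '/'.
    Swapping '#' for '?' (tried in the thread) breaks this, because the
    script reads location.hash, not the query string."""
    return (f"{DC_URL}/api/2/idp/external-login"
            f"#ott={quote(ott, safe='')}&targetURI={quote(target_uri, safe='')}")


def page_script_steps(url):
    """The two steps the external-login page performs (post #12): decode the
    OTT from the fragment and POST it to /idp/ott/login, then redirect to
    targetURI. parse_qs does the percent-decoding. Returns (login_request,
    redirect_target)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}
    login_req = {"method": "POST", "url": f"{DC_URL}/api/2/idp/ott/login",
                 "headers": {"Content-Type": "application/json"},
                 "body": json.dumps({"ott": params["ott"]})}   # body shape assumed
    return login_req, params["targetURI"]


def one_time_login_flow(send, client_id, client_secret, login, target_uri):
    """Server side up to the link, then what the browser page does with it.
    `send(request_dict) -> response_dict` is the transport."""
    bearer = send(token_request(client_id, client_secret))["access_token"]
    ott = send(ott_request(bearer, login=login))["ott"]
    url = external_login_url(ott, target_uri)
    login_req, redirect_to = page_script_steps(url)
    session = send(login_req)   # sets AUTH_SERVER_SECURE on the Acronis domain
    return {"url": url, "ott_posted": json.loads(login_req["body"])["ott"],
            "cookie": session.get("set_cookie"), "redirect_to": redirect_to}


# Constructed fake transport with canned replies; no network. The OTT
# deliberately contains '+', '/' and trailing '=' to exercise the encoding.
FAKE_OTT = "T1ab+cd/efEQ=="


def fake_send(req):
    if req["url"].endswith("/idp/token"):
        return {"access_token": "fake-bearer", "token_type": "bearer"}
    if req["url"].endswith("/idp/ott"):
        if not req["headers"].get("Authorization", "").startswith("Bearer "):
            return {"error": {"code": 401, "message": "OK"}}   # as seen in post #13
        return {"ott": FAKE_OTT}
    if req["url"].endswith("/idp/ott/login"):
        if json.loads(req["body"])["ott"] != FAKE_OTT:
            return {"error": {"code": 403}}   # wrong or un-decoded OTT
        return {"set_cookie": "AUTH_SERVER_SECURE=fake; Secure; HttpOnly"}
    raise ValueError(req["url"])


if __name__ == "__main__":
    result = one_time_login_flow(fake_send, "cid", "secret", "karl", f"{DC_URL}/bc/")
    print(json.dumps(result, indent=2))
```

Two things the fake makes visible: an OTT request authenticated with anything other than the bearer token reproduces the 401 from post #13, and an OTT that is not decoded before being posted to /idp/ott/login is rejected, which is why the link must carry it percent-encoded and the page must decode it. The cookie the last step sets belongs to the Acronis domain, so, as post #5 notes, it cannot be set from a page on another origin; the user's browser has to visit the link itself.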