0.1eset用户名

ESETSECUREAUTHENTICATIONAPIUserGuide(intendedforproductversion2.
7)ClickheretonavigatetothelatestversionofthisdocumentationESETSECUREAUTHENTICATIONCopyright2018byESET,spol.
sr.
o.
ESETSecureAuthenticationwasdevelopedbyESET,spol.
sr.
o.
Formoreinformationvisitwww.
eset.
com.
Allrightsreserved.
Nopartofthisdocumentationmaybereproduced,storedinaretrievalsystemortransmittedinanyformorbyanymeans,electronic,mechanical,photocopying,recording,scanning,orotherwisewithoutpermissioninwritingfromtheauthor.
ESET,spol.
sr.
o.
reservestherighttochangeanyofthedescribedapplicationsoftwarewithoutpriornotice.
CustomerCare:www.
eset.
com/supportREV.
9/4/2018Contents4Introduction1.
5IntegrationOverview2.
6Configuration3.
7AuthenticationAPI4.
7Step1:Start2-FactorAuthentication4.
17Request4.
1.
17Response4.
1.
28Step2:Authenticate4.
28Request4.
2.
18Response4.
2.
29UserManagementAPI5.
9GetUserProfile5.
19Request5.
1.
19Response5.
1.
210Unlock5.
210Request5.
2.
110Response5.
2.
211Deprovision5.
311Request5.
3.
111Response5.
3.
211ProvisionMobileApplication5.
411Request5.
4.
112Response5.
4.
212ProvisionTextMessage5.
512Request5.
5.
112Response5.
5.
213ErrorHandling6.
13APIErrors6.
113HTTPErrors6.
241.
IntroductionInmostweb-basedapplications,usersareauthenticatedbeforebeinggrantedaccesstoprotectedresources.
Byaskingforanadditionalauthenticationfactorduringthelogonprocess,suchapplicationsgainanadditionallayerofsecurity.
TheESETSecureAuthenticationAPIisaREST-basedwebservicethatcanbeusedtoeasilyaddtwo-factorauthentication(2FA)toexistingapplications.
ThefullAPIdocumentationfordevelopersisavailableonthesameURLaddressasESAWebConsole,butfollowedby"/apidoc"withoutquotationmarks.
Forexample,iftheESAWebConsoleisavailableathttps://120.
0.
0.
1:8001/,theAPIdocumentationisavailableathttps://127.
0.
0.
1:8001/apidoc52.
IntegrationOverviewTheAPIconsistsoftwoendpoints:1.
TheAuthAPI,formerAuthenticationAPI,foradding2FAtoexistingapplications.
2.
TheUserManagementAPI,formanaging2FAusers.
TheAPIoperatesusingmethodswhicharecalledbyPOSTingJSON-formattedtexttotherelevantAPIURLs.
AllresponsesarealsoencodedasJSON-formattedtextcontainingthemethodresultandanyapplicableerrormessages.
TheAPIisavailableonallserverswheretheAuthenticationCorecomponentisinstalledandrunsoverthesecureHTTPSprotocolonport8001,unlessyouchangedtheportduringinstallationofAuthenticationServer.
TheAPIisasubcomponentofthestandardESAAuthenticationService.
Assuch,afunctionalESAinstallationisprerequisitetousingtheAPI.
TheauthenticationAPIisavailableonURLsoftheformhttps://127.
0.
0.
1:8001/auth/v2/andtheManagementAPIisavailableonURLsoftheformhttps://127.
0.
0.
1:8001/manage/v2/.
BothendpointsareprotectedfromunauthorizedaccessviastandardHTTPBasicAuthentication,requiringavalidsetofAPICredentialsbeforeprocessinganyrequest.
63.
ConfigurationTheAPIisdisabledbydefaultandmustbeenabledbeforeuse.
EachsetofAPIcredentialscanbeenabledfortheAuthAPI,theUserManagementAPIorbothendpoints.
Onceenabled,APIcredentialsmustbecreatedtoauthorizerequests:EnablingAPIandconfiguringAPIcredentialsinESAWebConsole1.
LaunchtheESETSecureAuthenticationWebConsoleandnavigatetotheSettings>APICredentials.
2.
SelecttheEnabledcheckbox.
Savethechanges.
3.
ClicktheAddCredentialsactiontocreateanewsetofcredentials.
4.
Enterthedesiredname,selecttheAuthAPIorManagementAPIcheckboxorboth.
ClickSave.
5.
TheaccountIDandpassworddisplays.
Besuretosavethepasswordsecurely,itcannotbedisplayedagain.
EnablingAPIandconfiguringAPIcredentialsinMMCConsole1.
LaunchtheESETSecureAuthenticationManagementConsoleandnavigatetotheAdvancedSettingsnodeforyourdomain.
2.
ExpandtheAPIsectionandchecktheAPIisenabledcheckbox.
Savethechanges.
3.
OpenthestandardWindowsServicesConsoleandrestarttheESETSecureAuthenticationCoreserviceforthechangetotakeeffect.
4.
NavigatetothenewlyvisibleAPICredentialsnodeforyourdomain.
5.
ClicktheAddCredentialsactiontocreateanewsetofcredentials.
6.
Double-clickonthenewlycreatedcredentialstogettheusernameandpasswordthataretobeusedforAPIauthentication.
7.
ChecktheEnabledforAuthAPIcheckbox,theEnabledforUserManagementAPIcheckboxorboth.
ManysetsofAPIcredentialsmaybecreated.
Itisrecommendedtocreatedifferentsetsforeachapplicationbeingprotected,aswellasfortesting.
IftheAPIisenabled,allserverswiththeAuthenticationServercomponentinstalledwillrespondtoauthorizedAPIrequestsaftertheyarerestarted.
ThereisnoneedtorestarttheESACoreservicewhencredentialsarecreatedordeleted.
74.
AuthenticationAPIAllAuthAPImethodsareavailableonURLsoftheformhttps://127.
0.
0.
1:8001/auth/v2/andareprotectedfromunauthorizedaccessviastandardHTTPBasicAuthentication,requiringavalidsetofAPICredentialsthatareenabledfortheAuthenticationAPIbeforeprocessinganyrequest.
TheContent-Typeheadermustbesettoapplication/jsonforeachrequest.
TheESETSecureAuthenticationinstallerautomaticallyusesanappropriateSSLsecuritycertificateinstalledonthemachine,orgeneratesanewself-signedcertificateifanothercannotbefound.
ReplacingtheSSLcertificateiscoveredintheESAAPISSLCertificatereplacementdocument.
4.
1Step1:Start2-FactorAuthenticationAssoonastheexistingapplicationhasverifiedauser'susernameandpassword,theStartTwoFactorAuthenticationmethodmustbecalledinordertodeterminewhethertwo-factorauthenticationhasbeenenabledfortheuser.
Ifrequired,apushnotificationorSMSOTPwillautomaticallybesenttotheuseratthistime.
4.
1.
1RequestTobeginthe2FAprocess,makeanHTTPPOSTrequesttothefollowingURI:auth/v2/StartTwoFactorAuthenticationThefollowingJSONstringmustbeposted:{"username":"USERNAME"}Incaseofadomainuser,theusernamefieldisastringwiththesamAccountNameoftheusertobeauthenticated.
ItisveryimportantthatthecorrectusernamebesenttotheAPI:thesamAccountNameistheuser'snormallogonnameinActiveDirectory.
4.
1.
2ResponseAlltypicalresponseswillbereturnedwitha200(OK)HTTPstatuscode,eveniftherequestedactionfailed.
TheresponsewillbeaJSONstring.
Seebelowforanexampleofastandardresponse:{"expected_otp":["APP","SMS"],"error":"ERROR_NONE","error_message":""}Ifnoerrorhasoccurred,thentheerrorfieldwilldisplay"ERROR_NONE".
PleaseseetheErrorHandlingsectionforadescriptionofpossibleerrorcodes.
Theerror_messagefieldwillgiveafriendlydescriptionoftheerror,ifapplicable.
8Theexpected_otpfieldisanarrayandspecifiestheOTP(One-timepassword)typesthatcanbeexpectedfromtheuser.
ThisvaluecanassistwithUIcreation,forexample,itwillindicateiftheusershouldexpectanSMSornot.
IfthearrayisemptythennoOTPisrequired(i.
e.
2FAisnotenabled)andtheusershouldbeloggedinimmediately.
ThefollowingOTPtypescanbeincludedinthearray:·APP–theuserhasalreadyinstalledtheESAapplicationontheirmobilephoneandshouldgenerateanOTPusingtheapplication.
·SMS–theuserhasnotinstalledtheapplicationandhasbeensentanSMSwithanOTP.
·HARD_TOKEN–theuserhasbeenassignedahardtokenandshouldgenerateanOTPusingthedevice.
4.
2Step2:Authenticate4.
2.
1RequestToauthenticateauser,makeanHTTPPOSTrequesttothefollowingURI:/auth/v1/authenticateThefollowingJSONstringmustbeposted:{"username":"USERNAME","otp":"123456"}TheusernamefieldisastringwiththesamAccountNameoftheusertobeauthenticatedandtheotpfieldastringwiththeOTPenteredbytheuser.
4.
2.
2ResponseAlltypicalresponseswillbereturnedwitha200(OK)HTTPstatuscode,eveniftherequestedactionfailed.
TheresponsewillbeaJSONstring.
Seebelowforanexampleofastandardresponse:{"authenticated":true,"error":"ERROR_NONE","error_message":""}Ifnoerrorhasoccurred,thentheerrorfieldwilldisplayERROR_NONE.
PleaseseetheErrorHandlingsectionofthisguideforadescriptionofpossibleerrorcodes.
Theerror_messagefieldwillgiveadescriptionoftheerrorifanerrorhasoccurred.
TheauthenticatedfieldisaBooleanthatspecifieswhetherthesuppliedOTPisvalid.
Iftheauthenticatedvalueistrue,theuser'sOTPhasbeensuccessfullyvalidatedandtheusershouldbeloggedin.
95.
UserManagementAPIAllUserManagementAPImethodsareavailableonURLsoftheformhttps://127.
0.
0.
1:8001/manage/users/v1/andareprotectedfromunauthorizedaccessviastandardHTTPBasicAuthentication,requiringavalidsetofAPICredentialsthatareenabledfortheUserManagementAPIbeforeprocessinganyrequest.
TheContent-Typeheadermustbesettoapplication/jsonforeachrequest.
TheESETSecureAuthenticationinstallerautomaticallyusesanappropriateSSLsecuritycertificateinstalledonthemachine,orgeneratesanewself-signedcertificateifanothercannotbefound.
ReplacingtheSSLcertificateiscoveredintheESAAPISSLCertificatereplacementdocument.
5.
1GetUserProfileThismethodreturns2FAinformationaboutauseraccount.
5.
1.
1RequestTogetthe2FAprofileofauser,makeanHTTPGETrequesttothefollowingURI:/manage/users/v1/profile/USERNAMEWhereUSERNAMEisastringwiththesamAccountNameoftheusertofetchtheprofileof.
ItisveryimportantthatthecorrectusernamebesenttotheAPI:thesamAccountNameistheuser'snormallogonnameinActiveDirectory.
TheusernamemustbeURL-encoded.
5.
1.
2ResponseAlltypicalresponseswillbereturnedwitha200(OK)HTTPstatuscode,eveniftherequestedactionfailed.
TheresponsewillbeaJSONstring.
Seebelowforanexampleofastandardresponse:{"username":"USERNAME","mobile_number":"2700000","is_locked":false,"last_success":"2014-01-01T00:00:00","last_failure":null,"consecutive_failures":0,"credential_type":["APP","SMS"],"error":"ERROR_NONE","error_message":""}Ifnoerrorhasoccurred,thentheerrorfieldwilldisplayERROR_NONE.
PleaseseetheErrorHandlingsectionofthisguideforadescriptionofpossibleerrorcodes.
Theerror_messagefieldwillgiveadescriptionoftheerrorifanerrorhasoccurred.
TheusernamefieldisaStringcontainingthesamAccountNameoftheuser.
Themobile_numberfieldisaStringcontainingthemobilenumberoftheuser.
Theis_lockedfieldisaBooleanthatspecifiesiftheuserhasbeenlockedfor2FAduetotoomanyfailedauthenticationattempts.
10Thelast_successfieldisaDatethatspecifiesthelasttimethattheuserperformedasuccessfulauthentication.
Thisfieldcanbenull.
Thelast_failurefieldisaDatethatspecifiesthelasttimethattheuserperformedafailedauthentication.
Thisfieldcanbenull.
Theconsecutive_failuresfieldisanIntegerthatspecifiesthethenumberofconsecutivefailedauthenticationattemptsperformedbytheuser.
Thecredential_typefieldisanarrayandspecifiestheOTP(One-timepassword)typesthathavebeenenabledfortheuser.
ThefollowingOTPtypescanbeincludedinthearray:·APP–theuserhasbeenenabledfortheESAMobileApp.
·SMS–theuserhasbeenenabledforSMSOTPs.
·HARD_TOKEN–theuserhasbeenenabledforhardtokenOTPs.
5.
2UnlockThismethodwillunlockthe2FAaccessofauser.
ItwillnotunlockanaccountlockedbyActiveDirectory.
5.
2.
1RequestTounlockauser,makeanHTTPPOSTrequesttothefollowingURI:/manage/users/v1/unlockThefollowingJSONstringmustbeposted:{"username":"USERNAME"}TheusernamefieldisastringwiththesamAccountNameoftheusertounlock.
ItisveryimportantthatthecorrectusernamebesenttotheAPI:thesamAccountNameistheuser'snormallogonnameinActiveDirectory.
5.
2.
2ResponseAlltypicalresponseswillbereturnedwitha200(OK)HTTPstatuscode,eveniftherequestedactionfailed.
TheresponsewillbeaJSONstring.
Theresponsewillonlycontainapossibleerrorcodeandmessage,withoutanyotherdata.
Seebelowforanexampleofastandardresponse:{"error":"ERROR_NONE","error_message":""}Ifnoerrorhasoccurred,thentheerrorfieldwilldisplayERROR_NONE.
PleaseseetheErrorHandlingsectionofthisguideforadescriptionofpossibleerrorcodes.
Theerror_messagefieldwillgiveadescriptionoftheerrorifanerrorhasoccurred.
115.
3DeprovisionThismethodwilldisable2FAforauser.
5.
3.
1RequestTodisable2FAforauser,makeanHTTPPOSTrequesttothefollowingURI:/manage/users/v1/deprovisionThefollowingJSONstringmustbeposted:{"username":"USERNAME"}TheusernamefieldisastringwiththesamAccountNameoftheusertodisable2FAfor.
ItisveryimportantthatthecorrectusernamebesenttotheAPI:thesamAccountNameistheuser'snormallogonnameinActiveDirectory.
5.
3.
2ResponseAlltypicalresponseswillbereturnedwitha200(OK)HTTPstatuscode,eveniftherequestedactionfailed.
TheresponsewillbeaJSONstring.
Theresponsewillonlycontainapossibleerrorcodeandmessage,withoutanyotherdata.
Seebelowforanexampleofastandardresponse:{"error":"ERROR_NONE","error_message":""}Ifnoerrorhasoccurred,thentheerrorfieldwilldisplayERROR_NONE.
PleaseseetheErrorHandlingsectionofthisguideforadescriptionofpossibleerrorcodes.
Theerror_messagefieldwillgiveadescriptionoftheerrorifanerrorhasoccurred.
5.
4ProvisionMobileApplicationThismethodwillenableauserforMobileApplicationOTPs.
AtextmessagewiththeinstallationURLforthemobileapplicationwillbesenttotheuser.
5.
4.
1RequestToprovisionauserfortheMobileApplication,makeanHTTPPOSTrequesttothefollowingURI:/manage/users/v1/provisionmobileappThefollowingJSONstringmustbeposted:{"username":"USERNAME"}TheusernamefieldisastringwiththesamAccountNameoftheusertoprovision.
ItisveryimportantthatthecorrectusernamebesenttotheAPI:thesamAccountNameistheuser'snormallogonnameinActiveDirectory.
125.
4.
2ResponseAlltypicalresponseswillbereturnedwitha200(OK)HTTPstatuscode,eveniftherequestedactionfailed.
TheresponsewillbeaJSONstring.
Seebelowforanexampleofastandardresponse:{"installation_url":"http://.
.
.
","error":"ERROR_NONE","error_message":""}Ifnoerrorhasoccurred,thentheerrorfieldwilldisplayERROR_NONE.
PleaseseetheErrorHandlingsectionofthisguideforadescriptionofpossibleerrorcodes.
Theerror_messagefieldwillgiveadescriptionoftheerrorifanerrorhasoccurred.
Theinstallation_urlfieldisaStringthatcontainstheinstallationURLfortheMobileApplication.
5.
5ProvisionTextMessageThismethodwillenableauserfortextmessageOTPs.
5.
5.
1RequestToprovisionauserforthetextmessageOTPs,makeanHTTPPOSTrequesttothefollowingURI:/manage/users/v1/provisiontextmessageThefollowingJSONstringmustbeposted:{"username":"USERNAME"}TheusernamefieldisastringwiththesamAccountNameoftheusertoprovision.
ItisveryimportantthatthecorrectusernamebesenttotheAPI:thesamAccountNameistheuser'snormallogonnameinActiveDirectory.
5.
5.
2ResponseAlltypicalresponseswillbereturnedwitha200(OK)HTTPstatuscode,eveniftherequestedactionfailed.
TheresponsewillbeaJSONstring.
Theresponsewillonlycontainapossibleerrorcodeandmessage,withoutanyotherdata.
Seebelowforanexampleofastandardresponse:{"error":"ERROR_NONE","error_message":""}Ifnoerrorhasoccurred,thentheerrorfieldwilldisplayERROR_NONE.
PleaseseetheErrorHandlingsectionofthisguideforadescriptionofpossibleerrorcodes.
Theerror_messagefieldwillgiveadescriptionoftheerrorifanerrorhasoccurred.
136.
ErrorHandling6.
1APIErrorsAllAPIerrorswillbereturnedasaresponsewithanHTTP200(OK)statuscode.
TheerrorfieldintheJSONresponsewillindicatetheerrorcode,whichisaliteralstringvalue.
Thefollowingerrorcodesaredefined:·ERROR_NONE:Noerrorhasoccurred·ERROR_USER_NOT_FOUND:Thesuppliedusernamedoesnotexistinthesystem·ERROR_FAULT:AnunspecifiederrorhasoccurredInadditiontotheerrorfield,anerror_messageisalsoprovidedwithafriendlydescriptionoftheerror.
Onlytheerrorfieldshouldbeusedtodetermineerrorconditionsastheerror_messagefieldisonlyinformationalandissubjecttochangewithoutnotice.
6.
2HTTPErrorsAllHTTPerrorswillbereturnedasresponseswithanemptybodyandanHTTPstatuscodeotherthanthenormal200(OK).
ThefollowingerroneousHTTPstatuscodecanbereturned:·HTTP500(InternalServerError):TheAPIserviceexperiencedanunknown,fatalerror·HTTP400(BadRequest):Theformatofthe"Authorization"headerintheHTTPrequestisinvalid·HTTP401(Unauthorized):NoAPIcredentialsweresuppliedwiththeHTTPrequest·HTTP403(Forbidden):CredentialssuppliedwiththeHTTPrequestareinvalid.