What is otpapi
otpapi is a RESTful web service to read and modify the TOTP secret that the Shibboleth IdP needs for multi-factor authentication.
User authentication
To access the service you need a client certificate.
Connect to the Sectigo self-service portal and create a client certificate with the profile 'GÉANT Personal Automated Authentication'; the enrollment method is 'key generation' (the private key is created in the browser); if in doubt, pick an RSA 4096 private key.
Let's try a query command. In this example automated_cert.p12 is the client certificate, secret is the certificate's passphrase, and johndoe is the user whose secret seed we are querying:
$ curl --version   # tested with a recent version
curl 8.7.1 (x86_64-apple-darwin24.0) libcurl/8.7.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.62.0
$ cat .config.txt
variable passphrase=secret
cert-type = P12
header = "Content-Type: application/json; charset=utf-8"
expand-cert = automated_cert.p12:{{passphrase}}
$ curl --config .config.txt "https://otpapi.unimore.it/totp/johndoe"
{}
# nothing found
Available actions
- Show the secret: see the previous example;
- Add a secret, or update it if one is present:
  $ # note: the seed is the 'secret' part of the otpauth URI. It is a Base32 string ([A-Z2-7])
  $ cat payload.json
  {"seed":"ABCD[...]Z"}
  $ curl -X POST --config .config.txt -d @payload.json "https://otpapi.unimore.it/totp/johndoe"
- Delete the seed:
  $ curl -X DELETE --config .config.txt "https://otpapi.unimore.it/totp/johndoe"
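The three actions above, wrapped in a small Python client. This is an added example and not code from the otpapi project: it assumes the client certificate has been exported from the .p12 to a PEM certificate and key (Python's ssl module does not load PKCS#12 files directly), that the host and the /totp/<user> path are as shown in the curl examples, and that the POST body is the same {"seed": ...} JSON. It goes a little beyond the page by validating the seed as Base32 before sending it and by computing the RFC 6238 TOTP code from that seed, so you can confirm the stored seed matches what the user's authenticator app shows. The sample seed is the RFC 6238 test secret, constructed for illustration; file paths are placeholders.

```python
import base64
import hmac
import json
import re
import ssl
import struct
import time
from http.client import HTTPSConnection
from urllib.parse import quote

# The README states the seed is a Base32 string ([A-Z2-7]); trailing '=' padding is tolerated.
BASE32_RE = re.compile(r"[A-Z2-7]+=*")


def _b32decode_strict(seed):
    """Decode a Base32 seed, adding any missing '=' padding (TOTP seeds are often unpadded)."""
    padded = seed + "=" * (-len(seed) % 8)
    return base64.b32decode(padded)  # raises binascii.Error (a ValueError) on malformed input


def is_valid_seed(seed):
    """True if the seed is a non-empty Base32 string that decodes cleanly."""
    if not seed or not BASE32_RE.fullmatch(seed):
        return False
    try:
        _b32decode_strict(seed)
    except ValueError:
        return False
    return True


def build_payload(seed):
    """Build the JSON body shown in the README for POST /totp/<user>; rejects malformed seeds."""
    if not is_valid_seed(seed):
        raise ValueError("seed must be a Base32 string ([A-Z2-7])")
    return json.dumps({"seed": seed})


def totp_code(seed, for_time=None, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) computed from a Base32 seed.

    Lets you check that the seed you are about to store produces the same code
    as the user's authenticator app before it goes into the IdP.
    """
    key = _b32decode_strict(seed)
    now = time.time() if for_time is None else for_time
    counter = int(now) // step
    digest = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_client_context(cert_pem, key_pem, key_password=None):
    """TLS context presenting the client certificate; the server is verified against the system CA store.

    Assumption: the .p12 was converted to PEM (certificate + private key) beforehand.
    """
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem, password=key_password)
    return ctx


def otpapi_request(ctx, method, username, body=None, host="otpapi.unimore.it"):
    """Send one request to /totp/<username> and return (status_code, response_text)."""
    headers = {"Content-Type": "application/json; charset=utf-8"}
    # Percent-encode the username so a value containing '/' cannot change the path.
    path = "/totp/" + quote(username, safe="")
    conn = HTTPSConnection(host, context=ctx)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8")
    finally:
        conn.close()


def get_seed(ctx, username):
    return otpapi_request(ctx, "GET", username)          # README: {} when nothing is stored


def set_seed(ctx, username, seed):
    return otpapi_request(ctx, "POST", username, body=build_payload(seed))


def delete_seed(ctx, username):
    return otpapi_request(ctx, "DELETE", username)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret "12345678901234567890" in Base32.
    sample_seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(build_payload(sample_seed), "current code:", totp_code(sample_seed))
    # Real use (placeholder paths):
    # ctx = make_client_context("automated_cert.pem", "automated_key.pem", "secret")
    # print(get_seed(ctx, "johndoe"))
```

The validation step matters because the service stores whatever Base32 text it is given; a seed that cannot be decoded will only surface as a login failure for the user later, when it is far harder to diagnose than a rejected POST.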
Return codes
The API should return a meaningful HTTP status code for each request, which helps you understand what happened.