Multifactor authentication

The multifactor authentication API can be used to generate and encrypt TOTP secrets.

The multifactor authentication API is available under https://api.feide.no/2/mfa/

Time-based one-time password

The Time-based one-time password (TOTP) endpoint generates and encrypts secrets for use with authenticator apps and other TOTP-compatible code generators.

This API is available on https://api.feide.no/2/mfa/totp

All requests to this API must be POST requests.

POST parameters

The POST request accepts the following optional parameters, sent as form data (as curl -d does in the examples below):

  • secret: The secret to encrypt. It consists of exactly 16 characters from the Base32 alphabet (RFC 4648), i.e. the letters A-Z and the digits 2-7, which amounts to 80 bits of key material. This parameter is optional; if it is not provided, the API generates a random secret. If you supply your own, produce it with a cryptographically secure random number generator and never derive it from user data.
  • label: A label that identifies the device this secret is generated for. It is displayed on the login page when the user is asked for their multifactor authentication code. This parameter is optional; if it is not provided, a generic description of the generator is shown on the login page instead.

Output

The result of the API call is a JSON object with the following structure:

{
  "secret": "ABCDABCDABCDABCD",
  "label": "Some device name",
  "result": "urn:mace:feide.no:auth:method:ga eyJlbmMiOiAiQTEyOENCQy1IUzI1NiIsICJhbGciOiAiUlNBLU9BRVAifQ.WOXw6dkzja5Q7Ixn4hL3cXaKbL5JepfmGi_F2g-OstR3MoDgJ_9BjJdLPoEfBHzI-54lRHUKvhSv0m9AN71Hb-ebjPVnn1afOJrrPQDwLNX30ZQwLux8hx86eiBEIFE2_mqEv-K5zGsQsBQEHMFhLci-oEnfCiMFfppL6cNJAkmWWMT7Sns3TRlL0gQhPSLxOs9JP6YyzuBKe_YaEB3D7zD_-3ts5eDWTxM_zTGeHH1CGGhMDZwiCc3AvYpxan5YjCEBGBmFM8TOp6-RtrYw8qoUbFsJVhrLU7aPjFOe_BBr1P1BTckA7iBwka5CJu421HAkPb7xnOPQNwYoaT-Zwg.J9yVLY-Ipwj5PtfL9NnwHg.RvJUFDmHRH51CHrOp7sUtfyFeXIszGiv_YsWy-YBdlY.xkto8-e7mXc6Wn88V3do2w label=Some%20device%20name"
}

The following fields are returned:

  • secret: The secret that was encrypted. This field is included both when the secret was provided in the request and when the secret was generated by the API. It is the plaintext shared secret the user enrols in their authenticator app, so treat it as sensitive: present it to the user once (typically as a QR code), do not log it, and do not keep it after enrolment, since anyone holding it can compute valid codes.
  • label: The label that was included in the generated attribute value. This field is null if no label was provided in the request.
  • result: The encrypted secret, encoded as an attribute value suitable for storage in the norEduPersonAuthnMethod attribute. The value is the method URN urn:mace:feide.no:auth:method:ga, a space, and the encrypted secret as a JWE in compact serialization (five dot-separated base64url segments; the protected header in the example above decodes to {"enc": "A128CBC-HS256", "alg": "RSA-OAEP"}). If a label was provided in the request, it is appended as a further space-separated parameter, label=<percent-encoded label>. Store this value rather than the plaintext secret.
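The following Python is an added example, not part of Feide's documentation or code. It covers both sides of the call offline: checking or generating a secret in the documented 16-character Base32 format, splitting the returned result value into method URN, JWE and parameters (with the JWE header decoded and its structure sanity-checked before the value is stored), and computing the RFC 6238 TOTP code an authenticator app derives from the plaintext secret, which is the reason the secret field must be handled as sensitive. The method URN and the sample result string are taken from the example response above; the otpauth:// key URI format is the de facto format authenticator apps import and is not something this API emits, and all function names are the example's own.

```python
"""Added example (not part of Feide's documentation or code).

Offline handling of both sides of a /2/mfa/totp call:
  * check or generate a secret in the documented format (16 Base32 characters),
  * split the returned `result` attribute value into method URN, JWE and
    parameters, and decode the JWE protected header,
  * show what an authenticator app derives from the plaintext secret
    (RFC 6238 TOTP), which is why the `secret` field is sensitive.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time
from urllib.parse import quote, unquote

# RFC 4648 Base32 alphabet: the letters A-Z and digits 2-7 the API accepts.
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SECRET_LENGTH = 16  # 16 Base32 characters = 80 bits of key material
METHOD_URN = "urn:mace:feide.no:auth:method:ga"

# The `result` value from the example response above (copied from the page).
SAMPLE_RESULT = (
    METHOD_URN + " "
    + "eyJlbmMiOiAiQTEyOENCQy1IUzI1NiIsICJhbGciOiAiUlNBLU9BRVAifQ."
    + "WOXw6dkzja5Q7Ixn4hL3cXaKbL5JepfmGi_F2g-OstR3MoDgJ_9BjJdLPoEfBHzI-54lRHUKvhSv0m9AN71Hb-ebjPVnn1afOJrrPQDwLNX30ZQwLux8hx86eiBEIFE2_mqEv-K5zGsQsBQEHMFhLci-oEnfCiMFfppL6cNJAkmWWMT7Sns3TRlL0gQhPSLxOs9JP6YyzuBKe_YaEB3D7zD_-3ts5eDWTxM_zTGeHH1CGGhMDZwiCc3AvYpxan5YjCEBGBmFM8TOp6-RtrYw8qoUbFsJVhrLU7aPjFOe_BBr1P1BTckA7iBwka5CJu421HAkPb7xnOPQNwYoaT-Zwg."
    + "J9yVLY-Ipwj5PtfL9NnwHg."
    + "RvJUFDmHRH51CHrOp7sUtfyFeXIszGiv_YsWy-YBdlY."
    + "xkto8-e7mXc6Wn88V3do2w"
    + " label=Some%20device%20name"
)


def is_valid_secret(secret):
    """True if `secret` has the documented shape: exactly 16 chars of A-Z / 2-7."""
    return len(secret) == SECRET_LENGTH and all(c in BASE32_ALPHABET for c in secret)


def generate_secret():
    """Client-side alternative to letting the API pick the secret.
    Uses the `secrets` module (CSPRNG); never use `random` for this."""
    return "".join(secrets.choice(BASE32_ALPHABET) for _ in range(SECRET_LENGTH))


def _b64url_decode(segment):
    """Decode unpadded base64url as used in JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_attribute_value(value):
    """Split a norEduPersonAuthnMethod value of the form
    '<method URN> <JWE> [key=percent-encoded-value ...]' and sanity-check the
    JWE structure before storing it. Parameter values are percent-encoded,
    so splitting on spaces is safe even for labels containing spaces."""
    parts = value.split(" ")
    if len(parts) < 2 or parts[0] != METHOD_URN:
        raise ValueError("unexpected or missing method URN")
    jwe = parts[1]
    segments = jwe.split(".")
    if len(segments) != 5:
        raise ValueError("JWE compact serialization needs 5 dot-separated segments")
    header = json.loads(_b64url_decode(segments[0]))
    iv = _b64url_decode(segments[2])
    tag = _b64url_decode(segments[4])
    if header.get("enc") == "A128CBC-HS256" and (len(iv) != 16 or len(tag) != 16):
        raise ValueError("IV and tag must be 16 bytes for A128CBC-HS256")
    params = {}
    for item in parts[2:]:
        key, _, raw = item.partition("=")
        params[key] = unquote(raw)
    return {"method": parts[0], "jwe": jwe, "header": header,
            "iv_len": len(iv), "tag_len": len(tag), "params": params}


def otpauth_uri(secret, account, issuer):
    """Key URI that authenticator apps import (usually via QR code). This is
    the de facto otpauth format, not something the Feide API emits."""
    label = quote(issuer + ":" + account, safe=":")
    return "otpauth://totp/%s?secret=%s&issuer=%s" % (label, secret, quote(issuer, safe=""))


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps, 6 digits): the code a standard
    authenticator app shows for this secret. Anyone holding `secret` can
    compute it, so the plaintext must not be logged or stored by the caller."""
    key = base64.b32decode(secret)
    counter = int((time.time() if for_time is None else for_time) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    parsed = parse_attribute_value(SAMPLE_RESULT)
    print(parsed["header"], parsed["params"])
    s = generate_secret()
    print(s, is_valid_secret(s), otpauth_uri(s, "user@example.org", "Feide"), totp(s))
```

Running the script parses the page's example value and prints its header ({"enc": "A128CBC-HS256", "alg": "RSA-OAEP"}) and decoded label, then generates a fresh secret and shows the code an authenticator would currently display for it. The structural checks in parse_attribute_value (method URN, five JWE segments, 16-byte IV and tag for A128CBC-HS256) are what a provisioning script should run before writing the value into the directory; they do not, and cannot, decrypt the secret.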

Examples

To generate a random secret:

curl -sSLf -XPOST 'https://api.feide.no/2/mfa/totp'

To encrypt a fixed secret with a label:

curl -sSLf -d secret='ABCDABCDABCDABCD' -d label='Some device name' 'https://api.feide.no/2/mfa/totp'

To generate a random secret with a fixed label:

curl -sSLf -d label='Some device name' 'https://api.feide.no/2/mfa/totp'