Query User Authenticators
POST /api/web/v2/authentication/users
Request
Content type: application/json
Body (required)
Unique identifier of the Identity as a Service Authentication API application
Authentication token.
Provided client IP address.
Defines whether the IP address is ignored for RBA. The default value is false, meaning the IP address is not ignored for RBA.
machineAuthenticator (object): Machine authenticator required to complete the authentication challenge.
  fingerprint: The device fingerprint, if it is required during machine authentication. It will always be null when returned from IDaaS as part of the response body.
  machineNonce
  sequenceNonce
A flag indicating if the offline QR code token verification is used. Used only if a challenge is required for authentication when returnDefaultChallenge is true.
Provided client origin.
The priority for push transactions where queuing is enabled. Default is 0 and allowed values are 0-9. Used only if a challenge is required for authentication when returnDefaultChallenge is true.
Defines an identifier to retrieve customized SDK push message configuration. Used only if a challenge is required for authentication when returnDefaultChallenge is true.
requestDetail (object): Request detail items.
  The browser associated with the request.
  The OS associated with the request.
Flag indicating whether the service should include in the response the default challenge.
The push authentication challenge that appears in the user's mobile application. Used only if a challenge is required for authentication when returnDefaultChallenge is true.
Deprecated: clients that support choosing OTP delivery can still work without supplying this flag. Flag indicating whether the client supports choosing the OTP delivery contact attribute. If the client doesn't support it and the default OTP delivery is set to NONE, OTP won't be available as an authenticator.
A flag indicating if the token push mutual authentication is supported. Used only if a challenge is required for authentication when returnDefaultChallenge is true.
transactionDetails (object[]): Transaction details.
  The transaction detail name. Possible values: RBA, TVS
  The transaction detail value.
User ID (containing the user ID or a user alias) of the Identity as a Service user completing the authentication challenge.
Responses
- 200
- 400
- 401
- 403
- 404
200: Authenticators retrieved successfully (application/json)
Schema
authenticationCompleted: Flag to indicate if access to the application is allowed with the current JWT.
authenticationTypes: List of authenticator types available for the user. Possible values: MACHINE, PASSWORD, EXTERNAL, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, SMARTCREDENTIALPUSH, PASSWORD_AND_SECONDFACTOR, SMART_LOGIN, IDP, PASSKEY, IDP_AND_SECONDFACTOR, USER_CERTIFICATE, FACE
authenticatorLockoutStatus (object[]): A list of all authenticators that the user has, with their lockout status.
  lockoutDate: The date the user was locked. Null means the user is not locked.
  lockoutExpiryDate: If remainingAuthenticationAttempts is 0, a lockoutExpiryDate of null means the lockout never expires. Otherwise a value of null means the user isn't locked out.
  remainingAuthenticationAttempts: The number of authentication attempts remaining before the user is locked out.
  type: The type of the authenticator. Possible values: MACHINE, PASSWORD, EXTERNAL, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, SMARTCREDENTIALPUSH, PASSWORD_AND_SECONDFACTOR, SMART_LOGIN, IDP, PASSKEY, IDP_AND_SECONDFACTOR, USER_CERTIFICATE, FACE
availableSecondFactor: Lists authenticator types available to complete the second-factor challenge (if enabled). Possible values: MACHINE, PASSWORD, EXTERNAL, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, SMARTCREDENTIALPUSH, PASSWORD_AND_SECONDFACTOR, SMART_LOGIN, IDP, PASSKEY, IDP_AND_SECONDFACTOR, USER_CERTIFICATE, FACE
deviceCertAuthDesired: Flag to indicate if the user has to attempt device certificate authentication.
fidoChallenge (object): If the authentication challenge is of type FIDO, the FIDOChallenge will contain the FIDO challenge parameters that must be passed to the FIDO token to complete authentication.
  allowCredentials: The list of IDs of the FIDO tokens registered for the user. Each value is base-64 encoded.
  challenge: A random challenge. It is a base-64 encoded value.
  timeout: The number of seconds that the client will wait for the FIDO token to respond.
gridChallenge (object): If the authentication challenge is of type grid, the GridChallenge object will contain the grid challenge that the end user must answer.
  challenge (object[], required): The grid challenge specifies a list of grid cells that the user must answer in their challenge.
    column: The column within the grid, starting at 0.
    row: The row within the grid, starting at 0.
  gridInfo (object[], required): The grid details.
    expiryDate: The expiry date of the grid. A null value indicates the grid will never expire.
    serialNumber: The serial number of the grid that can be used to answer this challenge.
  numCharsPerCell: The number of characters expected in the response for each cell, as defined by current settings.
  The serial numbers of the grids that can be used to answer this challenge.
kbaChallenge (object): Knowledge-based authenticator required for authentication to Identity as a Service.
  userQuestions (object[], required):
    answer: The question's answer.
    id: The UUID of the KBA question/answer.
    question: The question.
machineAuthenticator (object): Machine authenticator required to complete the authentication challenge.
  fingerprint: The device fingerprint, if it is required during machine authentication. It will always be null when returned from IDaaS as part of the response body.
  machineNonce
  sequenceNonce
organizations (object[]): A list of the user's organizations.
  description: The description of the organization.
  displayName: The display name of the organization.
  id: The unique UUID assigned to the organization when it is created.
  logoUri: The URI of the logo to display when showing organizations.
  name: The name of the organization.
otpDeliveryInfo (object): OTPDetails.
  availableOTPDelivery: The available delivery types. Possible values: EMAIL, SMS, VOICE
  otpContactValues (object[]): The available OTP contact value types.
    name: Name of the attribute.
    type: Type of the OTP delivery attribute. Possible values: EMAIL, SMS, VOICE
    value: Masked attribute value.
  otpDefaultDelivery: The default delivery type. Possible values: EMAIL, SMS, VOICE
  otpDeliveryAttribute: The name of the default OTP delivery attribute.
otpDeliveryType: The OTP delivery type used. Possible values: EMAIL, SMS, VOICE
passwordResetAllowed: Flag to indicate if the user can initiate a password reset flow.
registrationRequired: Flag to indicate if the user has to register authenticators.
supportsSignature: Flag to indicate if the user has a token that supports signature.
tempAccessCodeChallenge (object): Information about the temporary access code settings.
  adminContact: An optional admin contact value (such as an admin email address or phone number) to be displayed in the admin contact message.
  enableAdminContact: Indicates if the admin contact message should be displayed for this challenge.
tokenChallenge (object): If the authentication challenge is of the offline token type, the TokenChallenge object will contain the QR codes that can be scanned by the mobile app.
  token (object[], required): The token challenge contains a list of TokenInfo objects, one for each token that can be used to authenticate. In the case of an offline QR code challenge, a TokenInfo object includes the QR code.
    label: Optional label to identify an assigned token: a string of up to 100 characters.
    qrCode: The base-64 encoded QR code. This QR code can be scanned by the Entrust Identity mobile application to perform activation in the case of an offline QR code challenge.
    qrCodeUrl: The URL-based QR code string. In the case of an offline QR code challenge, this string can be used to generate the base-64 encoded QR code.
    serialNumber: The serial number of the token.
tokenDetails: For a token or token push authenticator challenge, provides a list of serial numbers of the tokens that can be used to authenticate.
tokenPushMutualChallenge: The token push authentication mutual challenge.
userMachineSettings (object): UserMachineSettings.
  attributeExclusions: List of device fingerprinting attributes that should not be collected when a device fingerprint is captured.
  deviceFingerprintRequired: Indicates whether a device fingerprint should be captured during machine registration or authentication.
  machineAuthenticatorEnabled
  userMachineAuthenticators (object[]): List of machine authenticators that the user currently has; used to prevent duplicated labels.
    expiryTime: When this machine secret expires (UTC).
    id: Identifies the device/machine.
    label: Identifies the device/machine from the end-user point of view.
    lastUsedTime: When this machine secret was last used.
    registrationTime: When this machine secret was created (UTC).
verificationRequired: Flag to indicate if the user has to verify.
Example (from schema):
{
"authenticationCompleted": true,
"authenticationTypes": [
"MACHINE"
],
"authenticatorLockoutStatus": [
{
"lockoutDate": "2019-02-19T13:15:27Z",
"lockoutExpiryDate": "2019-02-20T13:15:27Z",
"remainingAuthenticationAttempts": 0,
"type": "OTP"
}
],
"availableSecondFactor": [
"MACHINE"
],
"deviceCertAuthDesired": true,
"expires": 0,
"fidoChallenge": {
"allowCredentials": [
"string"
],
"challenge": "string",
"timeout": 0
},
"gridChallenge": {
"challenge": [
{
"column": 0,
"row": 0
}
],
"gridInfo": [
{
"expiryDate": "2019-02-19T13:15:27Z",
"serialNumber": "string"
}
],
"numCharsPerCell": 0
},
"kbaChallenge": {
"id": "string",
"userQuestions": [
{
"answer": "string",
"id": "string",
"question": "string"
}
]
},
"machineAuthenticator": {
"fingerprint": "platform:web,version:1.0.2.",
"machineNonce": "07ZeToA3YfoATTxoU6h2x==",
"sequenceNonce": "03ReToA37851tyVU8f3y=="
},
"organizations": [
{
"description": "string",
"displayName": "string",
"id": "string",
"logoUri": "https://account.mycompany.com/images/logo.png",
"name": "string"
}
],
"otpDeliveryInfo": {
"availableOTPDelivery": [
"EMAIL"
],
"otpContactValues": [
{
"name": "alternativeEmail",
"type": "EMAIL",
"value": "*******@mycompany.com"
}
],
"otpDefaultDelivery": "EMAIL",
"otpDeliveryAttribute": "Alternative Email"
},
"otpDeliveryType": "EMAIL",
"passwordResetAllowed": true,
"registrationRequired": true,
"supportsSignature": true,
"tempAccessCodeChallenge": {
"adminContact": "string",
"enableAdminContact": true
},
"time": 0,
"token": "string",
"tokenChallenge": {
"token": [
{
"label": "PENDING",
"qrCode": "string",
"qrCodeUrl": "string",
"serialNumber": "string"
}
]
},
"tokenDetails": [
"string"
],
"tokenPushMutualChallenge": "string",
"userMachineSettings": {
"attributeExclusions": [
"string"
],
"deviceFingerprintRequired": true,
"machineAuthenticatorEnabled": true,
"userMachineAuthenticators": [
{
"expiryTime": "2019-02-19T13:15:27Z",
"id": "string",
"label": "string",
"lastUsedTime": "2019-02-19T13:15:27Z",
"registrationTime": "2019-02-19T13:15:27Z"
}
]
},
"verificationRequired": true
}
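As an added example that is not part of this API reference or Entrust's own code, the following Python applies the authenticatorLockoutStatus rule documented above (zero remaining attempts with a null lockoutExpiryDate means a permanent lockout, otherwise null means not locked) to a constructed 200 response, and lists which authenticators a client may still offer and which challenge objects were populated. It assumes the timestamp format shown in the schema example and that a lockout whose expiry date has already passed no longer applies.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the page's 200 "Example (from schema)"; values are made up.
SAMPLE_RESPONSE = {
    "authenticationCompleted": False,
    "authenticationTypes": ["OTP", "TOKENPUSH", "GRID"],
    "authenticatorLockoutStatus": [
        {"lockoutDate": "2019-02-19T13:15:27Z", "lockoutExpiryDate": None,
         "remainingAuthenticationAttempts": 0, "type": "OTP"},
        {"lockoutDate": "2019-02-19T13:15:27Z", "lockoutExpiryDate": "2019-02-20T13:15:27Z",
         "remainingAuthenticationAttempts": 0, "type": "TOKENPUSH"},
        {"lockoutDate": None, "lockoutExpiryDate": None,
         "remainingAuthenticationAttempts": 3, "type": "GRID"},
    ],
    "gridChallenge": {"challenge": [{"column": 1, "row": 2}],
                      "gridInfo": [{"expiryDate": None, "serialNumber": "G1"}],
                      "numCharsPerCell": 2},
}
CHALLENGE_KEYS = ("fidoChallenge", "gridChallenge", "kbaChallenge",
                  "tempAccessCodeChallenge", "tokenChallenge")

def parse_utc(ts):
    """Parse the response's ISO-8601 'Z' timestamps; None stays None."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def lockout_state(entry, now):
    """Documented rule: 0 remaining attempts with a null expiry is a permanent
    lockout; otherwise a null expiry means not locked. Assumption: an expiry
    already in the past means the lockout has lapsed."""
    if entry.get("remainingAuthenticationAttempts", 0) > 0:
        return "not_locked"
    expiry = parse_utc(entry.get("lockoutExpiryDate"))
    if expiry is None:
        return "locked_permanently"
    return "locked_until_expiry" if expiry > now else "lockout_expired"

def usable_authenticators(resp, now):
    """authenticationTypes minus those whose lockout entry is currently locked."""
    locked = {e["type"] for e in resp.get("authenticatorLockoutStatus", [])
              if lockout_state(e, now).startswith("locked")}
    return [t for t in resp.get("authenticationTypes", []) if t not in locked]

def pending_challenges(resp):
    """Challenge objects the service populated; none once authenticationCompleted."""
    if resp.get("authenticationCompleted"):
        return []
    return [k for k in CHALLENGE_KEYS if resp.get(k) is not None]
```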
400: Bad request (application/json)
Schema
  errorCode: Error code specific to the cause of failure.
  errorMessage: Additional error message describing the error.
  parameters: Optional additional error information.
Example (from schema):
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
401: Access denied (application/json)
Schema
  errorCode: Error code specific to the cause of failure.
  errorMessage: Additional error message describing the error.
  parameters: Optional additional error information.
Example (from schema):
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
403: Forbidden (application/json)
Schema
  errorCode: Error code specific to the cause of failure.
  errorMessage: Additional error message describing the error.
  parameters: Optional additional error information.
Example (from schema):
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
404: Not Found (application/json)
Schema
  errorCode: Error code specific to the cause of failure.
  errorMessage: Additional error message describing the error.
  parameters: Optional additional error information.
Example (from schema):
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}