By: Conan Malone user 04 Jan 2017 at 3:11 a.m. CST

I am using the custom u2f script for authentication and it works perfectly. I gather that when a user signs in for the first time they are expected to touch their u2f token and the registration workflow is initiated, assigning that u2f token to that user. After that they can use this token to sign in. My question is: how do you remove a token from a user? For example, if a user used a token for u2f and then requires a change of tokens at a later date? Also, where is all this information stored within the Gluu server, as I would care to have a look at how the tokens correspond to the users. Thanks in advance.

By Yuriy Movchan staff 04 Jan 2017 at 5:32 a.m. CST

oxAuth stores user tokens in a sub-branch of the user entry in LDAP. For example:

```
dn: oxId=1465326868992,ou=u2f_devices,inum=@!40EA.D454.9D4F.E876!0001!ECE8.BBEF!0000!E985.EB68,ou=people,o=@!40EA.D454.9D4F.E876!0001!ECE8.BBEF,o=gluu
objectClass: oxDeviceRegistration
objectClass: top
creationDate: 20160607191428.990Z
oxApplication: https://demo.gluu.org
oxCounter: -1
oxDeviceData: {"uuid":"40017789-a471-3011-b7a5-01c77fcc72a0","type":"normal","platform":"android","name":"SM-G930F","os_name":"m","os_version":"6.0.1","
 push_token":"fhAs4JWYwg0:APA91bHYi_K-Pat8cmsL_SEaoxTqjR-gkUtDGMKSLYN4FwCVxgiRgoFt4Akj5KW7G_QG-nEIe3GPOe21qjPV9DnCzOVihOrZQXgXsJFVXguyzahFRvAg1YIUP_3cyf
 RyWcJyH1zZ8P3W"}
oxDeviceHashCode: 1392
oxDeviceKeyHandle: m35J8Bw44WP6Mgd3b2MmScB3nPM2vL5pUpDKlQxlwBy9gct96oRY42yKAGd6lNELQBnqk3jcT14ngukJ3QG-JA
oxDeviceRegistrationConf: {"publicKey":"BFq-bJQUu_Cpftk3Ncp6IffCiMxcksnoFSPwqHbMFMguCBSRv3gVDtuoelOXbWMPhqek1mQZXkxaU7hFwvw9CWs","attestationCert":"MIIC
 JjCCAcygAwIBAgKBgQDzLA-W-RufAKYSrilpeGM9u7GxP61xcu5z0arSf6-BOQ0mWxb38rqLPg29NPebmwdCaMjPHHJkjv3mUOiHpDizygke8guZHrPn-zGscmqYZpg-HRL5rioxfn0bED-bUBu83q0
 6LaPHiM9F4z2rqYmcUF7Uhxhx07j4a4tp36GZazAKBggqhkjOPQQDAjBcMSAwHgYDVQQDExdHbHV1IG94UHVzaDIgVTJGIHYxLjAuMDENMAsGA1UEChMER2x1dTEPMA0GA1UEBxMGQXVzdGluMQswCQ
 YDVQQIEwJUWDELMAkGA1UEBhMCVVMwHhcNMTYwMzAxMTg1OTQ2WhcNMTkwMzAxMTg1OTQ2WjBcMSAwHgYDVQQDExdHbHV1IG94UHVzaDIgVTJGIHYxLjAuMDENMAsGA1UEChMER2x1dTEPMA0GA1UEB
 xMGQXVzdGluMQswCQYDVQQIEwJUWDELMAkGA1UEBhMCVVMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASAlCp8whOTye7YoYipGLuhOVMv7GfkUqrPzJ1CbdLQfBvBkoPZyqOj9uNuIlfZV1_T4pfK
 sOKH2fnwF13qW6eDMAoGCCqGSM49BAMCA0gAMEUCIFFsGsAAdrnVEVkM4g11Y0jov0HLl4kccpao-bYRcBYWAiEAhmPgk2RYuyXZIWdOZw6W0mCQUzqNRLXJIe5NKnL5ztE"}
oxId: 1465326868992
oxStatus: active
```

For integration with other systems we implemented a SCIM extension which allows managing user U2F devices.
Our SCIM client allows calling these SCIM U2F API methods: https://github.com/GluuFederation/oxTrust/blob/master/server/src/main/java/org/gluu/oxtrust/ws/rs/scim2/fido/FidoDeviceWebService.java

```java
@ApiOperation(value = "Search devices", notes = "Returns a list of devices (https://tools.ietf.org/html/rfc7644#section-3.4.2.2)", response = ListResponse.class)
public Response searchDevices...

@ApiOperation(value = "Find device by id", notes = "Returns a device by id as path param (https://tools.ietf.org/html/rfc7644#section-3.4.1)", response = FidoDevice.class)
public Response getDeviceById...

@ApiOperation(value = "Create device", notes = "Create device (https://tools.ietf.org/html/rfc7644#section-3.3)", response = FidoDevice.class)
public Response createDevice...

@ApiOperation(value = "Update device", notes = "Update device (https://tools.ietf.org/html/rfc7644#section-3.5.1)", response = FidoDevice.class)
public Response updateDevice...
```

And a few other methods...

By Conan Malone user 04 Jan 2017 at 7:41 a.m. CST

Okay, thanks. So would it be safe to just do an ldapsearch for these tokens and just delete them from within the chroot, and then simply register a new token with a user on first sign-on?

By Michael Schwartz Account Admin 04 Jan 2017 at 2:40 p.m. CST

Yes, I think that's fine. That's what I do when I'm testing.
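As an added example (not part of this thread and not Gluu's own code), a small Python helper for the inventory-then-delete step discussed above: it reads the LDIF that an ldapsearch under a user's ou=u2f_devices branch returns, lists each oxDeviceRegistration entry by oxId, device name and oxStatus, and renders an LDIF delete record for the chosen oxId that ldapmodify can apply inside the chroot. It unfolds LDIF continuation lines and decodes base64 (::) values, which a plain grep over the search output gets wrong. Every DN and value in the embedded sample is a constructed placeholder.

```python
import base64
import json
import re

# Constructed sample of ldapsearch output for one user's ou=u2f_devices branch; all values are placeholders.
SAMPLE_LDIF = """\
dn: oxId=1465326868992,ou=u2f_devices,inum=@!EXAMPLE!0000!USER,ou=people,o=@!EXAMPLE,o=gluu
objectClass: oxDeviceRegistration
oxDeviceData: {"uuid":"40017789-a471-3011-b7a5-01c77fcc72a0","platform":"android","name":"SM-G93
 0F","os_version":"6.0.1"}
oxId: 1465326868992
oxStatus: active

dn: oxId=1470000000000,ou=u2f_devices,inum=@!EXAMPLE!0000!USER,ou=people,o=@!EXAMPLE,o=gluu
objectClass: oxDeviceRegistration
oxDeviceData: {"uuid":"PLACEHOLDER-UUID-2","platform":"linux","name":"Old key"}
oxId: 1470000000000
oxStatus:: bG9zdA==
"""

def parse_ldif(text):
    """Parse LDIF into [{attribute: [values]}]; unfolds continuation lines, decodes base64 values."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines() + [""]:   # "\n " marks a folded line
        if not line:                                                  # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                                     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def list_u2f_devices(ldif_text):
    """One summary dict per oxDeviceRegistration entry: DN, oxId, device name and status."""
    devices = []
    for e in parse_ldif(ldif_text):
        if "oxdeviceregistration" in (v.lower() for v in e.get("objectclass", [])):
            data = json.loads(e.get("oxdevicedata", ["{}"])[0])
            devices.append({"dn": e["dn"][0], "oxId": e["oxid"][0],
                            "name": data.get("name", "?"), "status": e.get("oxstatus", ["?"])[0]})
    return devices

def delete_ldif(devices, ox_id):
    """Render an LDIF 'changetype: delete' record (input for ldapmodify) for the device with ox_id."""
    return "".join(f"dn: {d['dn']}\nchangetype: delete\n\n" for d in devices if d["oxId"] == ox_id)
```

Feed the real ldapsearch output to list_u2f_devices to review what is registered, then pipe delete_ldif's output to ldapmodify for the one oxId that should go; the user re-registers on next sign-on as described above.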