Thank you, Mike, for pointing out that I can see API requests with the dev tools of 
the browser.
And, after working a little with curl, oathtool, jq, etc., I can log in correctly 
to the Guacamole API. I don't know why it didn't work with SOAPUI.

Best regards.


From: Michael Jumper <[email protected]>
Sent: Wednesday, May 11, 2022 07:53
To: [email protected]
Subject: Re: REST API authentication with TOTP extension

On Tue, May 10, 2022, 06:00 MAURIZI Lorenzo <[email protected]> wrote:
Dear all,
just after solving a problem, here I am with another one!

I would like to build some automated reports, for example a daily e-mail with 
the list of the connections made in the previous day.
For this task, I've been thinking about using the REST API.

I would be happy to share the resulting bash script if anyone is interested.

In my installation the TOTP 2FA extension is active, so when sending username 
and password to /api/tokens, I obtain this json response:

{
   "message": "A TOTP authentication code is required before login can continue",
   "translatableMessage":    {
      "key": "TOTP.INFO_CODE_REQUIRED",
      "variables": null
   },
   "statusCode": null,
   "expected": [   {
      "name": "guac-totp",
      "type": "GUAC_TOTP_CODE"
   }],
   "type": "INSUFFICIENT_CREDENTIALS"
}

I tried to add a third guac-totp parameter to the /api/tokens POST data 
alongside username and password, but without success, as it returns the same 
message.

Which is the correct way to handle API authentication when using the TOTP 
extension?

That is the correct way to handle the request. In addition to the correct 
username and password, include the current, correct TOTP code for that user as 
the "guac-totp" parameter.

You can see this happen in practice if you open up dev tools in your browser, 
log in with your own user account, and observe the contents of the successful 
POST to /api/tokens.

- Mike

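The request Mike describes, as an added example (not code from this thread or from the Guacamole project): it recognises the INSUFFICIENT_CREDENTIALS challenge quoted above and builds the form body for POST /api/tokens with username, password and guac-totp together. It assumes the TOTP extension runs with SHA-1, 6 digits and a 30-second period; the function names, sample secret and credentials are constructed for illustration.

```python
import base64, hashlib, hmac, json, struct, time
from urllib.parse import urlencode

def totp(secret_b32, at, digits=6, period=30):
    """RFC 6238 code with HMAC-SHA1 (assumed to match the server's settings)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding
    mac = hmac.new(key, struct.pack(">Q", int(at) // period), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)     # keep leading zeros

def wants_totp(body):
    """True when /api/tokens replied with the TOTP challenge shown in the thread."""
    try:
        reply = json.loads(body)
    except ValueError:
        return False
    if not isinstance(reply, dict):
        return False
    expected = reply.get("expected") or []
    return (reply.get("type") == "INSUFFICIENT_CREDENTIALS"
            and any(isinstance(f, dict) and f.get("name") == "guac-totp"
                    for f in expected))

def token_form(username, password, secret_b32, now=None):
    """Form-encoded body carrying all three parameters in a single POST."""
    now = time.time() if now is None else now
    return urlencode({"username": username, "password": password,
                      "guac-totp": totp(secret_b32, now)})

# Constructed sample: the challenge from the thread, abbreviated.
SAMPLE_CHALLENGE = json.dumps({
    "message": "A TOTP authentication code is required before login can continue",
    "expected": [{"name": "guac-totp", "type": "GUAC_TOTP_CODE"}],
    "type": "INSUFFICIENT_CREDENTIALS",
})
# Constructed secret: base32 of the RFC 6238 test key "12345678901234567890".
# A script that stores the password and this secret together holds both factors,
# so the secret belongs in a restricted store, not in the script itself.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(wants_totp(SAMPLE_CHALLENGE))
    print(token_form("reports", "constructed-password", SAMPLE_SECRET, now=59))
```

A code computed from a skewed clock or with a different digit count or hash mode is rejected with the same INSUFFICIENT_CREDENTIALS reply, so checking the host's time and the server's TOTP settings is the first step when the three-parameter request still fails.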