The ungleich OTP service
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Nico Schottelius 8636d3f81a Cleanup 4 years ago
requests Update script to use urrlib for server testing 4 years ago
ungleichotpserver Update 4 years ago
.gitignore Update .gitignore and README 4 years ago Cleanup 4 years ago
requirements.txt Begin integration of django rest framework 4 years ago Cleanup 4 years ago


ungleich-otp is a full blown authentication and authorisation service made for micro services.

The basic idea is that every micro service has a (long term) triple constisting of (name, realm, seed) and creates time based tokens.

This basically revamps Kerberos in a simple way into the web area.

ungleichotp has been created and is maintained by ungleich.

Related documentation:


This repository contains...

  • ungleichotpserver: the reference implementation of the ungleichotp server
  • a sample implementation of an ungleichotp client

Verifying a token using

Assuming you want to verify (name=ipv6only, realm=ungleich-intern, token=498593) is a valid triple and you do have credentials to access ungleich-otp (, realm=ungleich-admin, seed=PZKBPTHDGSLZBKIZ), then the following call will verify the token: \
UNGLEICHOTPREALM=ungleich-admin \
UNGLEICHOTPSERVER=http://localhost:8000/ungleichotp/verify/ \
    python -n  -r ungleich --token 498593

You can also veriy using a seed: \
UNGLEICHOTPREALM=ungleich-admin \
UNGLEICHOTPSERVER=http://localhost:8000/ungleichotp/verify/ \
    python -n  -r ungleich --seed CEKXVG3235PO2HDW

The client requires pyotp.

Server Setup instructions

This is a standard django project and thus can be easily setup using

pip install -r requirements.txt
python createsuperuser
python runserver


Access is granting/denied based on realms. There are two reserved realms, all other realms can be used by the users:

Reserved realms

Conceptually the realms "ungleich-admin" and "ungleich-auth" are reserved for higher priviliged applications.

Usually there is only 1 entry in ungleich-admin that is used to bootstrap and manage ungleich-otp.

All micro services that are trusted to authenticate another micro service should have an entry in the ungleich-auth realm, which allows them to verify a token of somebody else.

| Name | Capabilities | |------------------+--------------------------------------------| | ungleich-admin | authenticate, create, delete, list, update | | ungleich-auth | authenticate | | all other realms | NO ACCESS |

Verify using http POST

Post a JSON object to the server at /ungleichotp/verify/ that contains the following elements:

Request JSON object:

    name: "your-name",
    realm: "your-realm",
    token: "current time based token",
    verifyname: "name that wants to be authenticated",
    verifyrealm: "realm that wants to be authenticated",
    verifytoken: "token that wants to be authenticated",

Response JSON object:

Either HTTP 200 with

    status: "OK",

OR return code 403:

  • If token for authenticating is wrong, you get
{"detail":"Incorrect authentication credentials."}
  • If token that is being verified is wrong, you get
{"detail":"You do not have permission to perform this action."}

Authorize the request

From the ungleichotp-server, you get a validated information that a name on a realm authenticated successfully. The associated permissions ("authorization") is application specific and needs to be decided by your application.


  • Name, Realm and seed are hard coded to 128 bytes length. This can be changed, if necessary.
  • Only python3 support for ungleichotp


  • (server) Serialize / input request
  • (server) Make seed read only
  • (server) Implement registering of new entries
  • (server) OTPSerializer: allow to read seed for admin
  • (server) Implement deleting entry
  • (server) Include verify in ModelSerializer
  • (server) Map name+realm == User (?)
    • name == name@realm
    • password is used for admin login (?)
    • seed
    • custom auth method
  • [n] (server) Try to fake username for django based on name+realm (?)
    • No need
  • [n] (server) maybe overwrite get_username()
    • No need
  • (server) Use Custom authentication - needs to have a user!
  • (server) Implement creating new "User" by POST / Model based
  • [n] (server) Remove hard coded JSON in /verify (no - good enough for the moment)
  • (server) Fully rename server from ungleichotp to ungleichotpserver
  • (security) Ensure that only the right realms can verify
  • (security) Ensure that only the right realms can manage
  • (doc) Add proper documentation
  • (server) Add tests for verify
  • (server) Add tests for authentication
  • (server) move totp constants into settings
  • (server) move field lengths into settings
  • (server) Document how admin vs. rest works
  • (server, client) Make settings adjustable by environment - k8s/docker compatible
  • (server, client) Read DB from outside (?) (fallback to sqlite)
  • (client) Establish auth using urllib
  • (client) Bootstrap Django + DRF (including an object for CRUD)
  • (client) Add custom authentication / remote auth
  • (client) Show case: any realm vs. specific realm
  • (library) Write a "client library" that can use ungleichotp
  • (library) extract generic parts from server
  • (library) upload to pypi


0.6, 2018-11-18

  • Reuse TokenSerializer for VerifySerializer logic

0.5, 2018-11-18

  • Require authentication on all rest endpoints by token