Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
241
Views
0
Helpful
2
Replies

Duo Auth API - trusted_device_token not working at preauth call?

seanthisisdumb
Level 1
Level 1

‎05-23-2024 07:03 AM

I'm built a PHP class for the Duo Auth API, however the "trusted_device_token" is not working for me.  A policy is configured for the application and calls to the "auth" endpoint are returning a trusted_device_token in the response.  However, any calls to the preauth endpoint that include the trusted_device_token are returning a list of devices and "auth" as the result, as if I didn't pass a trusted_device_token at all.

Example response from the auth endpoint:

array(2) { 
 ["response"]=> 
 array(4) { 
   ["result"]=> 
   string(5) "allow" 
   ["status"]=> 
   string(5) "allow" 
   ["status_msg"]=> 
   string(26) "Success. Logging you in..." 
   ["trusted_device_token"]=> 
   string(156) "<token returned here>" 
 } 
 ["stat"]=> 
 string(2) "OK" 
}

So in the next call to the preauth endpoint, I'm now passing "username" and "trusted_device_token" as the parameters, using the "trusted_device_token" value returned above.  The response from this preauth call is:

array(2) { 
 ["response"]=> 
 array(3) { 
   ["devices"]=> <device list hidden>
   ["result"]=> 
   string(4) "auth" 
   ["status_msg"]=> 
   string(17) "Account is active" 
 } 
 ["stat"]=> 
 string(2) "OK" 
}

Whereas I would expect "result" to be "allow" since I sent a valid trusted_device_token.  I'm at an unfortunate loss as to why this isn't working and don't want to bill the customer for more fruitless testing.

Labels:
0 Helpful
2 Replies 2

DuoKristina
Cisco Employee
Cisco Employee

‎05-28-2024 06:21 AM - edited ‎05-28-2024 08:32 AM

What's the effective remembered devices policy for your Auth API application?

If the trusted_device_token is present and the Auth API application has an effective policy that enables Remembered Devices for each browser-based application, return an "allow" response for the lifetime of the token as set by the Duo administrator in the policy.

ETA: Can I ask why you or the customer would choose to use Auth API instead of the Duo Web SDK/OIDC? Is the app you are adding Duo to not a browser app or a client capable of showing a web prompt in the system or an embedded browser?

Duo, not DUO.
0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to DuoKristina

‎05-28-2024 10:22 AM

Have connected with the support engineer for your open case. Your policies are set correctly, it's that the "Partner Auth API" integration doesn't permit the API remembered device. You can use the regular Auth API application type instead.

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents