05-23-2024 07:03 AM
I've built a PHP class for the Duo Auth API, however the "trusted_device_token" is not working for me. A policy is configured for the application and calls to the "auth" endpoint are returning a trusted_device_token in the response. However, any calls to the preauth endpoint that include the trusted_device_token are returning a list of devices and "auth" as the result, as if I didn't pass a trusted_device_token at all.
Example response from the auth endpoint:
array(2) {
["response"]=>
array(4) {
["result"]=>
string(5) "allow"
["status"]=>
string(5) "allow"
["status_msg"]=>
string(26) "Success. Logging you in..."
["trusted_device_token"]=>
string(156) "<token returned here>"
}
["stat"]=>
string(2) "OK"
}
So in the next call to the preauth endpoint, I'm now passing "username" and "trusted_device_token" as the parameters, using the "trusted_device_token" value returned above. The response from this preauth call is:
array(2) {
["response"]=>
array(3) {
["devices"]=> <device list hidden>
["result"]=>
string(4) "auth"
["status_msg"]=>
string(17) "Account is active"
}
["stat"]=>
string(2) "OK"
}
Whereas I would expect "result" to be "allow" since I sent a valid trusted_device_token. I'm at an unfortunate loss as to why this isn't working and don't want to bill the customer for more fruitless testing.
05-28-2024 06:21 AM - edited 05-28-2024 08:32 AM
What's the effective remembered devices policy for your Auth API application?
If the trusted_device_token is present and the Auth API application has an effective policy that enables Remembered Devices for each browser-based application, return an "allow" response for the lifetime of the token as set by the Duo administrator in the policy.
ETA: Can I ask why you or the customer would choose to use Auth API instead of the Duo Web SDK/OIDC? Is the app you are adding Duo to not a browser app or a client capable of showing a web prompt in the system or an embedded browser?
05-28-2024 10:22 AM
Have connected with the support engineer for your open case. Your policies are set correctly, it's that the "Partner Auth API" integration doesn't permit the API remembered device. You can use the regular Auth API application type instead.
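The preauth/auth round trip discussed in this thread, written out as an added Python example rather than the poster's PHP class (it is not Duo's own SDK either). It assumes the Auth API v2 signing scheme of an HMAC over the canonical request sent as HTTP Basic with the integration key as the user name (the sha512 digest is an assumption to confirm against the current docs), and takes the HTTP transport as an injected `call(method, path, params)` callable so the flow can be exercised offline.

```python
# Duo Auth API v2 preauth/auth round trip. Added example, not the poster's
# PHP class or Duo's SDK. Assumed: HMAC over the canonical request, sent as
# HTTP Basic with the ikey as user; the sha512 digest is an assumption.
# `call(method, path, params)` is the caller's HTTP POST using auth_headers.
import base64
import hashlib
import hmac
from email.utils import formatdate
from urllib.parse import quote

def canonicalize(date, method, host, path, params):
    """Date, METHOD, lower-cased host, path, then sorted url-encoded params."""
    encoded = "&".join(f"{quote(str(k), safe='~')}={quote(str(v), safe='~')}"
                       for k, v in sorted(params.items()))
    return "\n".join([date, method.upper(), host.lower(), path, encoded])

def auth_headers(ikey, skey, method, host, path, params, date=None):
    """Date and Authorization headers for one signed request."""
    date = date or formatdate(usegmt=True)
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha512).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": "Basic " + token}

def preauth_result(call, username, trusted_device_token=None):
    """'result' from /preauth; only 'allow' may skip the second factor."""
    params = {"username": username}
    if trusted_device_token:
        params["trusted_device_token"] = trusted_device_token
    resp = call("POST", "/auth/v2/preauth", params)
    if resp.get("stat") != "OK":
        raise RuntimeError(f"preauth failed: {resp}")
    return resp["response"]["result"]

def login(call, username, token=None):
    """Honour 'allow'; on 'auth' (the thread's symptom even with a token)
    run a push and capture any trusted_device_token the auth call returns."""
    result = preauth_result(call, username, token)
    if result == "allow":
        return True, token
    if result != "auth":            # deny / enroll: no second factor to run
        return False, None
    resp = call("POST", "/auth/v2/auth",
                {"username": username, "factor": "push", "device": "auto"})
    body = resp["response"]
    return body["result"] == "allow", body.get("trusted_device_token")
```

Treating anything other than "allow" from preauth as "run the second factor" keeps the integration correct whether the application type honours the token or, as with the Partner Auth API here, ignores it.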