cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1029
Views
0
Helpful
8
Replies

API call to verify authentication

aghanchi
Level 1
Level 1

Is there an API call I can make to confirm if the username for a particular set of Client ID and Client Secret is currently Duo-authenticated (authentication not expired)? Taken from the C# example project, the RedirectPermanent(promptUri) call actually takes the user to the prompt page of the duo api site. Is there a call that I can make just to make sure that the username is already duo-authenticated and I don't need to make the RedirectPermanent(promptUri) call again?

 

8 Replies 8

DuoKristina
Cisco Employee
Cisco Employee

By design you have to send the user back to the Duo service to verify not just that they have a valid remembered device authentication session, but also to complete the device access and security posture checks required by the effective Duo policy for that application and user. Like, they may have a valid authentication session, but their Duo admin may have changed the minimum OS patch version required to access anything, and sending the user back to Duo performs that check and blocks the user from access until they update their OS.

Duo, not DUO.

Thank you, DuoKristina. So, what you are stating is that I should be sending them back to the Universal Prompt?

I had inquired about the API call because I am encountering an error on the api page when the Duo authentication is still effective (screen-shot below). The only way to get rid of this error is to clear the browser cache. I have debugged my code, and strangely I get this error even when I am not redirecting the user to the universal prompt page. It is some kind of cookie that is taking the user directly to the prompt page and then erroring out. How do I get red of this error? This happens when the application session has ended and I am having the user to re-authenticate with Duo after they have restarted the web application.

aghanchi_0-1694457533444.png

 

Are you sending a new authorization request when you have the user "re-authenticate" or are you replaying the initial authorization?

Duo, not DUO.

aghanchi
Level 1
Level 1

Kristina, I am not even getting to the page where I redirect the user to the Universal Prompt. It is hard to explain, so I have created this video where I am stepping through the application. It is an ASP.net Webforms application where I have introduced Razor pages just to make the Universal Prompt work. 

Untitled.mp4

To confirm if a username for a particular set of Client ID and Client Secret is currently Duo-authenticated (authentication not expired), you can utilize Duo's API. You should consider raposo  using the GET /auth/v2/status endpoint. This endpoint allows you to check the status of an authentication and see if it's still valid.

You would typically make a GET request to this endpoint with the appropriate parameters to check the status of the authentication for the given username. If it returns a successful response, it means the authentication is still valid, and you may not need to prompt the user again with RedirectPermanent(promptUri).

Hi Andrew. Thank you for the response. I have been trying to make this sample API project work on Duo Githib. It is for C# language. I am using the right set of ikey, skey parameters, but still getting validation error. I will be glad to look into Reposo. But I wish the Duo sample project had worked.

https://github.com/duosecurity/duo_api_csharp

Oh, this might be the confusion.... the https://github.com/duosecurity/duo_api_csharp project is an implementation of the Duo Auth API which DOES NOT support Duo Universal Prompt (or the web-based, iframe, traditional Duo Prompt either fwiw).

The https://github.com/duosecurity/duo_universal_csharp project is the Web SDK implementation of Duo's OIDC-based API which DOES support Duo Universal Prompt.

Are you just trying the wrong project for what you want to test?

Duo, not DUO.

Kristina, thanks for the clarification. If thats the case, then I will stop pursuing the API solution as it doesnt work with the Universal prompt. So, I am back to square one trying to make the Universal Prompt work using the Web SDK solution. I was actually able to make the authentication work for my ASP.Net Webforms application, but as I have stated earlier, the authentication fails with an error if I try to reauthenticate a user. to avoid this reauthentication, I was looking into the API solution so that using the API I can check in advance if there is a need to reauthenticate a particular user using the regular SDK route. If you have not already done so, please watch the video I have created that demonstrates the lead up to the error page. 

Thanks.

Quick Links