Net::Duo::Auth

(Perl interface for the Duo Auth API)

SYNOPSIS

    my $duo = Net::Duo::Auth->new({ key_file => '/path/to/keys.json' });
    my $timestamp = $duo->check;

REQUIREMENTS

Perl 5.14 or later and the modules HTTP::Request and HTTP::Response (part of HTTP::Message), JSON, LWP (also known as libwww-perl), Perl6::Slurp, Sub::Install, and URI::Escape (part of URI), all of which are available from CPAN.

DESCRIPTION

Net::Duo::Auth is an implementation of the Duo Auth REST API for Perl. Method calls correspond to endpoints in the REST API. Its goal is to provide a native, natural interface for all Duo operations in the API from inside Perl, while abstracting away as many details of the API as can be reasonably handled automatically.

Currently, only a tiny number of available methods are implemented.

For calls that return complex data structures, the return from the call will generally be an object in the Net::Duo::Auth namespace. These objects all have methods matching the name of the field in the Duo API documentation that returns that field value. Where it makes sense, there will also be a method with the same name but with set_ prepended that changes that value. No changes are made to the Duo record itself until the commit() method is called on the object, which will make the underlying Duo API call to update the data.

On failure, all methods throw a Net::Duo::Exception object. This can be interpolated into a string for a simple error message, or inspected with method calls for more details. This is also true of all methods in all objects in the Net::Duo namespace.

CLASS METHODS

new(ARGS)

Create a new Net::Duo::Auth object, which is used for all subsequent calls. This constructor is inherited from Net::Duo. See Net::Duo for documentation of the possible arguments.

INSTANCE METHODS

auth(ARGS)

Perform a Duo synchronous authentication.

The user will be authenticated given the factor and additional information provided in ARGS. The call will not return until the user has authenticated or the call has failed for some reason. To do long-polling instead, see auth_async().

ARGS should be a reference to a hash. The following keys may always be present:

user_id

The Duo ID of the user to authenticate. Either this or username, but only one or the other, must be specified.

username

The username of the user to authenticate. Either this or username, but only one or the other, must be specified.

factor

The authentication factor to use, chosen from push, passcode, or phone, or auto to use whichever of push or phone appears best for this user's devices according to Duo. Required.

ipaddr

The IP address of the user, used for logging and to support sending an allow response without further verification if the user is coming from a trusted network as configured in the integration.

Additional keys may be present depending on factor. For a factor value of push:

device

The ID of the device to which to send the push notification, or auto to send to the first push-capable device. Optional, defaulting to auto.

type

This string is displayed in the Duo Mobile app before the word request. The default is Login, so the phrase Login request appears in the push notification text and on the request details screen. You may want to specify Transaction, Transfer, etc. Optional.

display_username

String to display in Duo Mobile in place of the user's Duo username. Optional.

pushinfo

A reference to a list of additional key/value pairs to display to the user as part of the authentication request. For example:

    { pushinfo => [from => 'login portal', domain => 'example.com'] }

This is a list rather than a hash so that it preserves the order of arguments, but there should always be an even number of members in the list.

For a factor value of passcode:

passcode

The passcode to validate. Required.

For a factor value of phone:

phone

The ID of the device to call, or auto to call the first available device. Optional and defaults to auto.

In a scalar context, this method returns true if the user was successfully authenticated and false if authentication failed for any reason. In a list context, the same status argument is returned as the first member of the list, and the second member of the list will be a reference to a hash of additional data. Possible keys are:

status

String detailing the progress or outcome of the authentication attempt.

status_msg

A string describing the result of the authentication attempt. If the authentication attempt was denied, it may identify a reason. This string is intended for display to the user.

trusted_device_token

If the trusted devices option is enabled for this account, returns a token for a trusted device that can later be passed to the Duo preauth endpoint.

If you are looking for the Duo sms factor type, use the send_sms_passcodes() method instead.

auth_async(ARGS)

Perform a Duo asynchronous authentication.

An authentication attempt will be started for a user according to the information provided in ARGS. The return value from this call will be a Net::Duo::Admin::Async object, which provides a status() method, to get the status of the authentication, and an id() method, to recover the underlying transaction ID. This approach allows the application to get the authentication status at each stage, instead of receiving no information until the authentication has succeeded or failed.

ARGS should be a reference to a hash with the same parameters as were specified for the "auth()" method.

check()

Calls the Duo check endpoint. This can be used as a simple check that all of the integration arguments are correct and the client can authenticate to the Duo authentication API. On success, it returns the current time on the Duo server in seconds since UNIX epoch.

send_sms_passcodes(USERNAME[, DEVICE])

Send a new batch of passcodes to the specified user via SMS. By default, the passcodes will be sent to the first SMS-capable device (the Duo auto behavior). The optional second argument specifies a device ID to which to send the passcodes. Any failure will result in an exception.

AUTHOR

Russ Allbery <rra@cpan.org>

COPYRIGHT AND LICENSE

Copyright 2014 The Board of Trustees of the Leland Stanford Junior University

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

SEE ALSO

Duo Auth API

This module is part of the Net::Duo distribution. The current version of Net::Duo is available from CPAN, or directly from its web site at <http://www.eyrie.org/~eagle/software/net-duo/>.

Last modified and spun 2015-08-16