Plugin Developer

To enable a certain type of service for WaTTS, a corresponding plugin is needed. Sometimes there are even multiple plugins for the same type of service, e.g. due to different local policies.

The communication between WaTTS and the plugin is done by passing one argument to the script or sending it to stdin of the plugin and parsing the stdout of the script. If it will be passed as parameter or sent via stdin is configured automatically at startup. See Listing Supported Parameter / Supported Features / stdin.

Plugin Input

If stdin is enabled the parameter will be sent via stdin and when done an EOF (end of file) will be sent.

The parameter coming from the WaTTS is a base64url encoded json object.

The decoded json object has the following format:

{
    "watts_version": "1.0.0",
    "action": "request",
    "conf_params": {},
    "params": {},
    "cred_state": "undefined",
    "access_token":"opaque access token (needs to be enabled)",
    "user_info": {
        "family_name": "Mustermann",
        "gender": "male",
        "given_name": "Max",
        "iss": "https://issuer.example.com",
        "name": "Max Mustermann",
        "sub": "12345678"
    },
    "additional_logins":
        [
            {
                "user_info": {
                    "iss":"https://otherprovider.com",
                    "sub":"123sub456there",
                    "name":"Rumpelstiltskin"
                },
                "access_token":"access token of otherprovider (needs to be enabled)"
            }

        ],
    "watts_userid": "base64url encoded json object, containing subject and issuer"
}

The items of the object are:

Key

Description

watts_version

The version of WaTTS, e.g. can be used for a plugin to handle newer parameters

action

Which action to perform, this can be either request, revoke or parameter

conf_params

These are parameters that are set in the configuration file

params

These are parameters entered upon request

cred_state

This is only valid when revoking, it is the credential state returned when creating the credential

access_token

The access token from the user, this will only be passed if enabled at WaTTS.

user_info

The user info contains information about the user gathered using OpenId Connect

additional_logins

A list of objects, each at least containing 'user_info' with information about the user gathered at another provider, after requesting a redirection.

watts_userid

This is the dynamically generated unique id used within WaTTS for the current user. It is also a base64url encoded json object containing issuer and subject

Listing The Supported Parameter (action = parameter)

WaTTS requests the supported parameter of the plugin by setting the action to parameter. This is always passed as parameter on the command line, subsequent request will be sent via stdin, if supported by the plugin.

The expected result is:

{
    "result":"ok",
    "conf_params": [ {'name':'full_access', 'type':'boolean', 'default': False},
                     {'name':'state_prefix', 'type':'string', 'default':'WATTS_'},
                     {'name':'override_user_name', 'type':'boolean', 'default':False }
                   ],
    "request_params":
    [
        [
            {'key':'pub_key', 'name':'public key',
            'description':'the public key to upload to the service',
            'type':'textarea', 'mandatory':True}
        ],
        []
    ],
    "developer_email":"me@domain.com",
    "features": { "stdin" : True },
    "version":"the plugin version"
}

The result MUST be OK and the version should describe the version of your plugin so e.g. errors can be tracked. All entries are mandatory.

Version (version)

WaTTS expects a version to be present in the response so it can list the version for later debugging and helping the development of plugins.

Email of the developer/team (developer_email)

If this is present WaTTS expects it to be a vaild email address and, if configured, sends emails on invalid behaviour of the plugin to the developer.

Supported features (features)

This is a JSON object containing keys with additional information. The supported keys and the meaning/format of their value are listed in the table below.

Key

Description

Value (Default)

stdin

Tells WaTTS if the plugin supports passing the parameter via stdin.

boolean (False)

Config Parameter (conf_params)

Each config parameter consists of an json object with three key-value pairs:

name: the name of the parameter, MUST consists of only [a-z0-9_]
type: the datatype of the parameter, currently supported are boolean and string
default: the default value to use if not configured, please ensure safe defaults

Request Parameter Sets (request_params)

The supported request parameters are grouped into sets. A set is a group of parameters that belong together logically. At the web interface, a parameter set is shown in one dialog page, to switch between them press 'left' or 'right' in the carousel of sets.

The Advanced button at the web-interface is enabled if at least one non empty parameter set exists. The Request button is enabled if either the empty set exists (see example above), or a set exists with no mandatory parameters.

Each entry in a set is described with five key-value pairs:

key: a key used to pass the value, this is also the key to lookup the information when performing a request, MUST consist only of [a-z0-9_].
name: a short nice name, displayed to the user
description: a longer description, also shown to the user
type: the input type to use, currently only supported textarea
mandatory: either True or False, indicates whether this field MUST be filled

Performing a Request (action = request)

When the action is set to request, it means that a user or a service on a user's behalf wants to create a credential. The plugin should perform any necessary action to create the credential for the user and print a json object on stdout.

The expected format of the json object for a credential is:

{
    "result":"ok",
    "credential": [{"name":"some name", "type":"text", "value":"secret"}],
    "state":"state description"
}

The expected format of a request to perform an additional login is:

{
    "result":"oidc_login",
    "provider":"<id of provider>",
    "msg":"message to tell the user why an additional login is required"
}

please keep in mind that the user may deny the request.

In case of an error, the expected json is:

{
    "result":"error",
    "user_msg":"Sorry, you are not allowed to use this service",
    "log_msg":"user joe tried to access service and has been denied"
}

Key

Description

result

The result of the request, currently ok, oidc_login and error are supported

credential

A list of objects, each representing one part of the credentials. This will be shown to the user

state

A state to keep track of the credential; it MUST NOT contain sensitive information. This state is passed again to the plugin for revocation.

provider

The id of the provider to redirect to for an additional login

msg

a message to display to the user on a request to trigger an aditional login

user_msg

If the result is an error, this message will be shown to the user

log_msg

If the result is an error, this message will be logged

The entries in the credential object (part of the list in 'credential' above) are:

Key

Description

name

The name the user will see, e.g. username or password

type

The type of data, this will determine how it will be displayed. At the moment text and textfile are supported

rows

The number of rows for the textarea in case the type is textfile, else ignored

cols

The number of columns for the textarea when using textfile, else ignored

value

The value of the credential part, e.g. the password or the username itself

save_as

the name of the file, the value can be stored as. If this is set a download button appears.

Performing a Revoke (action = revoke)

When the action is set to revoke, the credential identified by the state should be invalidated or removed, depending on the type of service. In the SSH plugin, e.g., the created ssh-key is removed from the authorized keys. When performing a request, WaTTS expects the stdout to be a json object. In case of revoke, it may contain one of the two elements:

{
    "result":"ok"
}

or in case of an error:

{
    "result":"error",
    "user_msg":"Sorry, could not revoke the certificate",
    "log_msg":"internal error when executing command ...."
}

Key

Description

result

either ok or error, representing the result of the plugin

user_msg

If the result is an error, this message will be shown to the user

log_msg

If the result is an error, this message will be logged

Therefore, if only the result key is present in the object, WaTTS assumes that everything went fine, however, if the error key is present it assumes that something went bad and does not remove the credential state from its database.

PreviousWaTTS Developer NextRelying Service Provider (RSP) Guide

Last updated 6 years ago

Plugin Developer

To enable a certain type of service for WaTTS, a corresponding plugin is needed. Sometimes there are even multiple plugins for the same type of service, e.g. due to different local policies.

Plugin Input

If stdin is enabled the parameter will be sent via stdin and when done an EOF (end of file) will be sent.

The parameter coming from the WaTTS is a base64url encoded json object.

The decoded json object has the following format:

{
    "watts_version": "1.0.0",
    "action": "request",
    "conf_params": {},
    "params": {},
    "cred_state": "undefined",
    "access_token":"opaque access token (needs to be enabled)",
    "user_info": {
        "family_name": "Mustermann",
        "gender": "male",
        "given_name": "Max",
        "iss": "https://issuer.example.com",
        "name": "Max Mustermann",
        "sub": "12345678"
    },
    "additional_logins":
        [
            {
                "user_info": {
                    "iss":"https://otherprovider.com",
                    "sub":"123sub456there",
                    "name":"Rumpelstiltskin"
                },
                "access_token":"access token of otherprovider (needs to be enabled)"
            }

        ],
    "watts_userid": "base64url encoded json object, containing subject and issuer"
}

The items of the object are:

Key

Description

watts_version

The version of WaTTS, e.g. can be used for a plugin to handle newer parameters

action

Which action to perform, this can be either request, revoke or parameter

conf_params

These are parameters that are set in the configuration file

params

These are parameters entered upon request

cred_state

This is only valid when revoking, it is the credential state returned when creating the credential

access_token

The access token from the user, this will only be passed if enabled at WaTTS.

user_info

The user info contains information about the user gathered using OpenId Connect

additional_logins

A list of objects, each at least containing 'user_info' with information about the user gathered at another provider, after requesting a redirection.

watts_userid

This is the dynamically generated unique id used within WaTTS for the current user. It is also a base64url encoded json object containing issuer and subject

Listing The Supported Parameter (action = parameter)

The expected result is:

{
    "result":"ok",
    "conf_params": [ {'name':'full_access', 'type':'boolean', 'default': False},
                     {'name':'state_prefix', 'type':'string', 'default':'WATTS_'},
                     {'name':'override_user_name', 'type':'boolean', 'default':False }
                   ],
    "request_params":
    [
        [
            {'key':'pub_key', 'name':'public key',
            'description':'the public key to upload to the service',
            'type':'textarea', 'mandatory':True}
        ],
        []
    ],
    "developer_email":"me@domain.com",
    "features": { "stdin" : True },
    "version":"the plugin version"
}

The result MUST be OK and the version should describe the version of your plugin so e.g. errors can be tracked. All entries are mandatory.

Version (version)

WaTTS expects a version to be present in the response so it can list the version for later debugging and helping the development of plugins.

Email of the developer/team (developer_email)

If this is present WaTTS expects it to be a vaild email address and, if configured, sends emails on invalid behaviour of the plugin to the developer.

Supported features (features)

This is a JSON object containing keys with additional information. The supported keys and the meaning/format of their value are listed in the table below.

Key

Description

Value (Default)

stdin

Tells WaTTS if the plugin supports passing the parameter via stdin.

boolean (False)

Config Parameter (conf_params)

Each config parameter consists of an json object with three key-value pairs:

name: the name of the parameter, MUST consists of only [a-z0-9_]
type: the datatype of the parameter, currently supported are boolean and string
default: the default value to use if not configured, please ensure safe defaults

Request Parameter Sets (request_params)

Each entry in a set is described with five key-value pairs:

key: a key used to pass the value, this is also the key to lookup the information when performing a request, MUST consist only of [a-z0-9_].
name: a short nice name, displayed to the user
description: a longer description, also shown to the user
type: the input type to use, currently only supported textarea
mandatory: either True or False, indicates whether this field MUST be filled

Performing a Request (action = request)

The expected format of the json object for a credential is:

{
    "result":"ok",
    "credential": [{"name":"some name", "type":"text", "value":"secret"}],
    "state":"state description"
}

The expected format of a request to perform an additional login is:

{
    "result":"oidc_login",
    "provider":"<id of provider>",
    "msg":"message to tell the user why an additional login is required"
}

please keep in mind that the user may deny the request.

In case of an error, the expected json is:

{
    "result":"error",
    "user_msg":"Sorry, you are not allowed to use this service",
    "log_msg":"user joe tried to access service and has been denied"
}

Key

Description

result

The result of the request, currently ok, oidc_login and error are supported

credential

A list of objects, each representing one part of the credentials. This will be shown to the user

state

A state to keep track of the credential; it MUST NOT contain sensitive information. This state is passed again to the plugin for revocation.

provider

The id of the provider to redirect to for an additional login

msg

a message to display to the user on a request to trigger an aditional login

user_msg

If the result is an error, this message will be shown to the user

log_msg

If the result is an error, this message will be logged

The entries in the credential object (part of the list in 'credential' above) are:

Key

Description

name

The name the user will see, e.g. username or password

type

The type of data, this will determine how it will be displayed. At the moment text and textfile are supported

rows

The number of rows for the textarea in case the type is textfile, else ignored

cols

The number of columns for the textarea when using textfile, else ignored

value

The value of the credential part, e.g. the password or the username itself

save_as

the name of the file, the value can be stored as. If this is set a download button appears.

Performing a Revoke (action = revoke)

{
    "result":"ok"
}

or in case of an error:

{
    "result":"error",
    "user_msg":"Sorry, could not revoke the certificate",
    "log_msg":"internal error when executing command ...."
}

Key

Description

result

either ok or error, representing the result of the plugin

user_msg

If the result is an error, this message will be shown to the user

log_msg

If the result is an error, this message will be logged

PreviousWaTTS Developer NextRelying Service Provider (RSP) Guide

Last updated 6 years ago