HTTP Basic authentication with One-Time Password for EST enrollment.
RHELBU-3536 R7: EST clients can authenticate using an OTP presented
in the HTTP Basic Authorization header. The username field carries
the entity identifier; the password field carries the OTP value.
OTPs are generated via the admin API (POST /admin/otp/generate) and
stored in the configured backend (database or LDAP). Each OTP has:
- An entity-id (the device or service being enrolled)
- An expiry timestamp
- A maximum usage count (typically 1 for single-use)
- A current usage counter
RFC 7617 compliance
The HTTP Basic authentication scheme follows RFC 7617:
- Section 2: user-id:password encoding with UTF-8 support.
- Section 2.1: null bytes are rejected for security.
- Section 2.2: WWW-Authenticate challenges include charset="UTF-8".
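
The checks described above, as an added example that is not this crate's code: it parses a Basic header, rejects null bytes, and enforces the expiry and usage count of an in-memory OTP record. All type and function names are hypothetical, the base64 decoder is hand-rolled because std has none, and the constant-time comparison is an assumption the page does not state.

```rust
// Added example; every name here is hypothetical, not this crate's API.
#[derive(Debug, PartialEq)]
pub enum OtpError { Malformed, NullByte, Unknown, Expired, Exhausted }

pub struct OtpRecord { pub entity_id: String, pub otp: String, pub expires_at: u64, pub max_uses: u32, pub uses: u32 }

// Standard-alphabet base64 decoder (padding is stripped before decoding).
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for b in s.trim_end_matches('=').bytes() {
        acc = (acc << 6) | T.iter().position(|&c| c == b)? as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); }
    }
    Some(out)
}

// RFC 7617 section 2: base64(user-id ":" password), decoded as UTF-8.
pub fn parse_basic(header: &str) -> Result<(String, String), OtpError> {
    let (scheme, b64) = header.split_once(' ').ok_or(OtpError::Malformed)?;
    if !scheme.eq_ignore_ascii_case("Basic") { return Err(OtpError::Malformed); }
    let raw = b64_decode(b64.trim()).ok_or(OtpError::Malformed)?;
    // Reject null bytes before the credentials reach any backend lookup.
    if raw.contains(&0) { return Err(OtpError::NullByte); }
    let text = String::from_utf8(raw).map_err(|_| OtpError::Malformed)?;
    // The user-id cannot contain ':', the password may: split at the first colon.
    let (user, pass) = text.split_once(':').ok_or(OtpError::Malformed)?;
    Ok((user.to_string(), pass.to_string()))
}

// Username is the entity-id, password is the OTP; `now` is a Unix timestamp.
pub fn redeem(store: &mut [OtpRecord], header: &str, now: u64) -> Result<String, OtpError> {
    let (entity, otp) = parse_basic(header)?;
    let rec = store.iter_mut().find(|r| r.entity_id == entity).ok_or(OtpError::Unknown)?;
    // Assumption: compare without an early exit; unknown entity and wrong OTP look alike.
    let same = rec.otp.len() == otp.len()
        && rec.otp.bytes().zip(otp.bytes()).fold(0u8, |d, (a, b)| d | (a ^ b)) == 0;
    if !same { return Err(OtpError::Unknown); }
    if now >= rec.expires_at { return Err(OtpError::Expired); }
    if rec.uses >= rec.max_uses { return Err(OtpError::Exhausted); }
    rec.uses += 1; // count this use so a single-use OTP cannot be replayed
    Ok(entity)
}

fn main() {
    // Constructed sample: base64("dev-1:482913"), single-use OTP expiring at t=1000.
    let mut store = vec![OtpRecord { entity_id: "dev-1".into(), otp: "482913".into(), expires_at: 1000, max_uses: 1, uses: 0 }];
    for _ in 0..2 { println!("{:?}", redeem(&mut store, "Basic ZGV2LTE6NDgyOTEz", 500)); }
}
```
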
Functions
- try_extract_otp - Attempt to extract and validate HTTP Basic (OTP) credentials.