What Is The Token URL? | OpenVPN Access Server (2024)

Introduction

A new feature introduced with Access Server 2.11 is the token URL. It is a method of providing a connection profile to a user’s OpenVPN client. This document provides details and some use cases.

Access Server token URL

A token URL contains an authentication token valid for a specific time and/or a number of usages and grants access to a connection profile. Accessing this token URL triggers the OpenVPN Connect VPN client to download and import the connection profile. The token URL has these characteristics:

  1. An HTTPS URL with an authentication token for a connection profile.
  2. The profile can be of user-locked, auto-login, or server-locked type.
  3. A number of authentication token usages (defaults to 1 use).
  4. Authentication token expiration time (defaults to 1 hour).
  5. Prefixed with openvpn://import-profile/ to trigger client import process.

Supported software for client import process

When a token URL with openvpn://import-profile/ prefix is opened on a system with a supported OpenVPN client program installed, the user is offered the option to import the connection profile into the OpenVPN client. You need Access Server 2.11.0 or newer and OpenVPN Connect 3.3.6 or newer for this feature.

The process looks like this:

  1. The user has OpenVPN Connect v3.3.6 or newer.
  2. They click or open the token URL.
  3. The browser asks to open OpenVPN Connect, and they click OK.
  4. OpenVPN Connect asks to import the profile, and they click OK.
  5. The connection profile can now be used in OpenVPN Connect.

Note: If your VPN client doesn’t support client import, you can still download and import the connection profile manually, as described below.

Manually download a profile using a token URL

You can download the connection profile using just the HTTPS URL without the openvpn://import-profile/ URL prefix. You can send such a URL to a user without needing to send username and password credentials. Opening the URL downloads the connection profile to the user’s device, and the user can import it into an OpenVPN client.

To manually download a profile with the token URL:

  1. Create the token URL on the Access Server using either the Admin Web UI or CLI.
  2. Copy the URL and remove the ‘openvpn://import-profile/’ prefix.
  3. Use the resulting ‘https://’ URL to download the profile like any normal file.
  4. Import the resulting .ovpn file into your VPN client.
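
The manual download steps above, as an added shell example (not from the OpenVPN documentation): it strips the prefix, refuses anything that is not HTTPS or not the expected server, and masks the token in log output. The host vpn.example.com, the token value and the function names are assumptions; the URL path follows the format of the CLI output shown on this page.

```shell
#!/bin/sh
# Added example. vpn.example.com and EXAMPLETOKEN are constructed placeholders.
PREFIX='openvpn://import-profile/'
SAMPLE='openvpn://import-profile/https://vpn.example.com/rest/GetProfileViaToken?token=EXAMPLETOKEN'

# Step 2: strip the import prefix; accept the result only if it is an https:// URL.
to_https_url() {
    url=${1#"$PREFIX"}
    case $url in
        https://*) printf '%s\n' "$url" ;;
        *) echo "refusing non-HTTPS profile URL" >&2; return 1 ;;
    esac
}

# Host[:port] of the URL. A '@' in that part means the real host is not the
# one a reader sees first, so reject it.
url_authority() {
    auth=${1#https://}
    auth=${auth%%/*}
    auth=${auth%%\?*}
    case $auth in
        ''|*@*) echo "unusable host in URL" >&2; return 1 ;;
    esac
    printf '%s\n' "$auth"
}

# The token is the only credential in the URL, so mask it before logging.
redact_token() {
    printf '%s\n' "$1" | sed 's/\([?&]token=\)[^&#]*/\1REDACTED/'
}

# Steps 2-3. Usage: download_profile <token-url> <expected-host> <out.ovpn>
download_profile() {
    https_url=$(to_https_url "$1") || return 1
    host=$(url_authority "$https_url") || return 1
    if [ "$host" != "$2" ]; then
        echo "host '$host' is not the expected server '$2'" >&2
        return 1
    fi
    echo "downloading $(redact_token "$https_url")" >&2
    # umask 077: the saved profile is readable only by the current user.
    ( umask 077 && curl --fail --silent --show-error --proto '=https' \
        --output "$3" "$https_url" )
}

# Offline demo on the constructed sample: prints the HTTPS URL with the token masked.
redact_token "$(to_https_url "$SAMPLE")"
```

Each download counts against the token's allowed usages, which default to 1, so rerunning the function with the same URL fails once the count reaches zero.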

Creating a token URL in the Admin Web UI

Follow these steps to create a token URL for an Access Server user:

  1. Sign in to your Admin Web UI.
  2. Click User Management > User Profiles.
  3. Click New Token URL next to the desired user.
  4. Select the profile type (Autologin is not available without permissions), the length of time the token is valid in hours, and click Create Token Download URL.
  5. Copy the generated token URL and provide it to your user.

Manage token URLs on CLI

You can manage token URLs from the command line interface (CLI) with the following commands. Ensure you sign in to your Access Server with root privileges and run them from the /usr/local/openvpn_as/scripts/ directory.

The following provides commands for user, auto-login, and server-locked profiles. Refer to Understanding connection profiles on OpenVPN Access Server to read about the differences.

Generate a token URL to get a user profile:

./sacli --user <USER> AddProfileToken

The command adds a new token and provides the URL to download the profile, for example:

Added token, import URL openvpn://import-profile/https://123.456.78.90/rest/GetProfileViaToken?token=VKIn2qMCyGHgOjBVstqbh1foSNnsUBhK

When you paste the token URL into a browser, it pops up a message to open OpenVPN Connect. OpenVPN Connect confirms you want to import a profile from the provided domain. When confirmed, it imports the profile for your user.

Generate a token URL to get an auto-login user profile:

Run the appropriate command for your Access Server version.

Command for Access Server 2.12 and newer:

./sacli --user <USER> --profile_type="autologin" AddProfileToken

Command for Access Server 2.11.x and older:

./sacli --user <USER> --token_profile="autologin" AddProfileToken

If the user has auto-login permissions, the command adds a new token and provides the URL to download the profile.

If the user doesn’t have auto-login permissions, the command returns an error message, “need autologin”.

Generate a token URL to get a server-locked profile:

Run the appropriate command for your Access Server version.

Command for Access Server 2.12 and newer:

./sacli --user <USER> --profile_type="server-locked" AddProfileToken

Command for Access Server 2.11.x and older:

./sacli --user <USER> --token_profile="server-locked" AddProfileToken

The command adds a new token and provides the URL to download the server-locked profile.

Generate a token URL with a specific expiration time:

./sacli --user <USER> --token_expire="1200" AddProfileToken

The command adds a new token with an expiration of 1200 minutes from creation and provides the URL to download the profile.

If a user tries to enter the URL in their browser after the expiration, they will still be prompted by the browser to open OpenVPN Connect and import the profile but then receive an error. You can find an error message in your log database that the token isn’t found in the database.

Generate a token URL with more than one usage:

./sacli --user <USER> --token_usage_count="3" AddProfileToken

The command adds a new token with three allowable usages and provides the URL to download the profile.

Each time a user downloads a profile with the provided URL, the usage number counts down until it reaches zero, and you can no longer use the token to download a profile.

List the current profile tokens:

./sacli ListProfileTokens

You should see any newly generated tokens in the list. The list includes the token, type, usages, expiration, and username — only currently valid tokens display. Once a token expires, you must issue a new token, and the expired token won’t be in the list anymore.

Delete a token URL:

For the following command, you must copy the generated token from the list of current profile tokens and paste it as the <token>.

./sacli --id <token> DeleteProfileToken

Troubleshooting

AUTH ERROR: token not found in DB

If you try to use a token URL after it’s expired, you’ll receive an auth error message that the token isn’t in the database. Once a token URL expires, it’s no longer listed by ListProfileTokens.

ERROR: NEED_AUTOLOGIN — user lacks autologin privilege

You can’t generate an auto-login profile for a user if they don’t have the privilege. To grant that, sign in to the Admin Web UI, click User Management > User Permissions, and click Allow Autologin for the user. Ensure you save and update the running server.

Article information

Author: Ms. Lucile Johns
