[OTP] TOTP / RFC-6238
by Daniel Manzke
Hey guys,
after talking about the RFCs and so on, I couldn't stop reading them. ;)
There I stumbled upon the test vectors. They are not working with the
aerogear implementation, because of the Base32 encoding which is used by
the Google Authenticator.
The secret used in the RFC is "1234567890", which is not valid for Google,
because Base32 uses ABCDEFGHIJKLMNOPQRSTUVWXYZ234567.
Vectors:
http://tools.ietf.org/html/rfc6238#appendix-B
Using the "reference implementation" which is provided in the document, the
generated token is different from the aerogear one.
Is the plan to support the RFC or Google? (or better both? :))
--
Viele Grüße/Best Regards
Daniel Manzke
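An added example, not code from this list or from aerogear-otp-java, that reproduces the SHA-1 rows of RFC 6238 Appendix B from the RFC's 20-byte ASCII seed "12345678901234567890" and shows that Base32-encoding that same seed (the form Google Authenticator accepts) yields identical tokens. The function names, the injectable clock and the vector table are mine; the seed and expected codes are the RFC's.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 8, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of 'step'-second windows since T0 = 0."""
    return hotp(secret, int(unix_time) // step, digits)

def totp_now(secret: bytes, clock=time.time, digits: int = 6) -> str:
    """Live token; the clock is injectable so test vectors and production share one code path."""
    return totp(secret, int(clock()), digits=digits)

def google_secret(raw: bytes) -> str:
    """The same key the way Google Authenticator wants it: Base32 (A-Z, 2-7), unpadded."""
    return base64.b32encode(raw).decode("ascii").rstrip("=")

def totp_from_google_secret(encoded: str, unix_time: int, digits: int = 6) -> str:
    """Decode the Base32 form back to raw bytes; the token maths are then identical to the RFC."""
    cleaned = encoded.replace(" ", "").upper()
    raw = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    return totp(raw, unix_time, digits=digits)

# The Appendix B seed is the 20 ASCII bytes "12345678901234567890" (hex 3132...3930).
RFC_SEED = b"12345678901234567890"
# Expected 8-digit SHA-1 tokens from the RFC table, keyed by the Unix time of each row.
RFC_VECTORS = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
               1234567890: "89005924", 2000000000: "69279037", 20000000000: "65353130"}

def check_rfc_vectors() -> bool:
    """True when this TOTP reproduces every SHA-1 row of RFC 6238 Appendix B."""
    return all(totp(RFC_SEED, t) == code for t, code in RFC_VECTORS.items())
```

Feeding an implementation the raw ASCII seed and feeding it the Base32 string of that seed must give the same token; a mismatch means one side is hashing the Base32 text itself instead of the decoded bytes.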
[OTP] Mobile-OTP / OTP for .NET
by Daniel Manzke
Hey guys,
after 140 chars were not enough for Matthias and Bruno I decided to
subscribe to the list. ;)
1:
After working through aerogear-otp-java I took some hours to port it to .NET.
If you are interested I would like to contribute it after cleanup.
Are you interested? :)
2:
Due to the fact that we are using Mobile-OTP in our company I also took
some time and have implemented it.
PoC is working.
Pull-Request will be submitted if ready.
Question: I saw that the Clock-Implementation is returning a static value
for current time. So the token will be the same every time we call
Totp.now().
Is it really what developers are expecting?
If I call now, I expect the time it was called not created. :)
Why not just use System.currentMilliSeconds()? It is UTC. ;)
Bye,
Daniel
Re: [aerogear-dev] OTP download: links, sections - or what else ?
by Deepali Khushraj
Here's one suggestion for organizing docs, including the one on OTP.
It would be good if the developer could easily find relevant docs based on the mobile app type or backend technology being used. All domain specific docs could go in a common area.
Attached is a snapshot of what I mean.
>
> On Dec 17, 2012, at 2:45 PM, Matthias Wessendorf <matzew(a)apache.org> wrote:
>
>> On Mon, Dec 17, 2012 at 8:39 PM, Kris Borchers <kris(a)redhat.com> wrote:
>>> I would say no new section on either page. The security section on both pages could be divided internally to server and client sections. Even then, I would only want to see a single download of all
>>> client stuff or all server stuff on the home page.
>>
>> You mean a bundle of all things ? E.g. for client you get ALL of iOS,
>> all of Android, all of JS - in one bundle?
>> If so, feels weird
>>
>>> The download page could have each individual thing listed I guess since that is all that's on that page.
>>
>> Being more concrete:
>> http://aerogear.org/download/
>>
>> A few options I can think of (I am not a designer, nor an ergonomics expert):
>> * add the OTP to the "AeroGear Security"
>> * add OTP to the platforms (e.g. OTP.js to JS, otp-ios to iOS etc)
>>
>> -M
>>
>>>
>>> On Dec 17, 2012, at 1:34 PM, Matthias Wessendorf <matzew(a)apache.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> with the new OTP bits, we need to add them to the downloads.
>>>>
>>>> Here are two thoughts:
>>>>
>>>> * Downloads: (Simple category, hopefully)
>>>>
>>>> http://aerogear.org/download/ contains a "AeroGear Security" section -
>>>> I am fine with adding OTP (iOS, Android/Java, JS) there.
>>>>
>>>> * Homepage: (not sure if that's simple)
>>>>
>>>> http://aerogear.org I don't mind adding a new section "AeroGear
>>>> Security" (or "Mobile Security" ) on the homepage - but... perhaps
>>>> that's a bit too much?
>>>> Not sure.
>>>>
>>>>
>>>> Let me know where we should put the OTP download links
>>>>
>>>>
>>>> Greetings,
>>>> Matthias
>>>>
>>>> --
>>>> Matthias Wessendorf
>>>>
>>>> blog: http://matthiaswessendorf.wordpress.com/
>>>> sessions: http://www.slideshare.net/mwessendorf
>>>> twitter: http://twitter.com/mwessendorf
>>>> _______________________________________________
>>>> aerogear-dev mailing list
>>>> aerogear-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>
>>>
>>
>>
>>
>
Meeting Notes
by Douglas Campos
Team Meeting
1) Release
a) JS going today probably
b) individual blogs
c) java bits
- quickstarts are staged already
- android
- controller
- security
d) iOS bits
- already tagged
- otp will be tagged soon(ish)
- CoreData:
- Not sure if I want to have the current plugin "distributed" via CocoaPods / homepage - YET.....
- will be held to CR1
- aerogear-ios M2 -> Tag is ready; Downloadable via CocoaPods
- aerogear-todo-ios, same; TAG is ready and uses the above
- Updated download URLs for aerogear-ios + the TODO app
2) Quickstart deployed version bug
- will be fixed after the meeting
3) Android
Prep central release
Update JavaDoc on site
Scan through docs, make sure how to guides are accurate
Make some kind of blog post
Put TODO app in Play Store? [1.0.Final]
Shuffle JIRAs around
( Add SQLite Store to 1.0 [hopefully], push ContentProviderStore to > 1.0 )
(Prototyping)
Matthias: not sure if that needs to be really in 1.0 (a bit ago we decided to not focus on DM for 1.0.0)
Right, but it seemed like a good idea/low hanging fruit.
4) Misc
- Planet AeroGear
- January
5) Release announcement
- https://github.com/aerogear/aerogear.org/pull/19
- every subproject will pitch in their announcement part
- qmx will take care of the image/initial text
-- qmx
AG-Controller and Aerogear.js CORS interaction
by Lucas Holmquist
CORS with Aerogear.js and AG-Controller
from this gist: https://gist.github.com/4268092
Two things.
So when using aerogear.js to make a cross-domain call,

var pipeline = AeroGear.Pipeline();
var cors = pipeline.add({
    name: "cors",
    settings: {
        baseURL: "http://localhost:8080/aerogear-controller-demo/",
        endpoint: "login/"
    }
});
pipeline.pipes.cors.read({
    success: function( data, xhr, thing1 ) {
        console.log( data );
    },
    error: function( error ) {
        console.log( error );
    }
});
the initial OPTIONS request looks similar to this.
Request URL:http://localhost:8080/aerogear-controller-demo/login/
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:origin, content-type, accept
Access-Control-Request-Method:GET
Cache-Control:max-age=0
Connection:keep-alive
Host:localhost:8080
Origin:http://localhost:8000
Pragma:no-cache
Referer:http://localhost:8000/app/cors.html
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11
I just copy and pasted this from chrome dev tools.
Here is what the CORS config looks like in the controller demo, for those who don't want to go look it up:

@Produces
public CorsConfiguration demoConfig() {
    return CorsConfig.enableCorsSupport()
            .anyOrigin()
            .enableCookies()
            .maxAge(20)
            .enableAllRequestMethods()
            .build();
}
So the above request will fail since it has more headers than just "origin". This brings me to my first question:
How do I specify more headers in this config object? I guess in this case it would be origin, content-type, and accept.
Now to the second part.
I modified my local aerogear-controller to add these other headers in by default, and then ran the above request again.
This time I get the same OPTIONS request, but then I get a cross-domain error with the follow-up GET that the browser makes:
Request URL:http://localhost:8080/aerogear-controller-demo/login/
Request Headers
Accept:application/json, text/javascript, */*; q=0.01
Cache-Control:no-cache
Content-Type:application/json
Origin:http://localhost:8000
Pragma:no-cache
Referer:http://localhost:8000/app/cors.html
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11
And I don't get any errors in the server log, so I'm not really sure what's going on here.
This is the repo I was using to play around with: https://github.com/lholmquist/WoWAerogear (check out the cors.html and cors.js pages).
-Luke
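An added example, not aerogear-controller code, that models the two decisions a CORS-enabled endpoint makes for the exchange above: first the OPTIONS preflight (which fails as soon as one announced request header is not allow-listed), then the follow-up GET, whose response must itself carry Access-Control-Allow-Origin or the browser reports a cross-domain error while the server log stays clean. The request headers are taken from the Chrome capture in the mail; the config dicts are my stand-in for demoConfig() and are not its real API.

```python
def _origin_ok(origin, cfg):
    return origin is not None and (cfg["any_origin"] or origin in cfg["origins"])

def _cors_base(origin, cfg):
    # Browsers reject "*" when credentials are on: the concrete Origin must be echoed.
    # With any_origin that reflects whatever Origin arrives, so any site can make
    # credentialed calls; narrow "origins" outside a demo.
    hdrs = {"Access-Control-Allow-Origin": origin if cfg["cookies"] else "*"}
    if cfg["cookies"]:
        hdrs["Access-Control-Allow-Credentials"] = "true"
    return hdrs

def preflight_response(req, cfg):
    """Headers for the OPTIONS preflight, or None when the server must refuse it."""
    origin = req.get("Origin")
    method = req.get("Access-Control-Request-Method", "").upper()
    if not _origin_ok(origin, cfg) or not (cfg["all_methods"] or method in cfg["methods"]):
        return None
    # Every header the browser announces must be allow-listed; one miss and the
    # browser aborts the whole call before the real GET is ever sent.
    wanted = [h.strip().lower() for h in req.get("Access-Control-Request-Headers", "").split(",") if h.strip()]
    if not set(wanted) <= {h.lower() for h in cfg["headers"]}:
        return None
    hdrs = _cors_base(origin, cfg)
    hdrs["Access-Control-Allow-Methods"] = method
    hdrs["Access-Control-Allow-Headers"] = ", ".join(wanted)
    hdrs["Access-Control-Max-Age"] = str(cfg["max_age"])
    return hdrs

def actual_response(req, cfg):
    """Headers the follow-up GET must carry. A 200 without Allow-Origin is a
    cross-domain error in the browser while the server log stays clean."""
    origin = req.get("Origin")
    if origin is None:
        return {}  # same-origin request, nothing to add
    return _cors_base(origin, cfg) if _origin_ok(origin, cfg) else None

# Constructed from the mail: the preflight Chrome sent, the demo config as posted
# (only "origin" allowed as a request header) and the widened one.
PREFLIGHT = {"Origin": "http://localhost:8000",
             "Access-Control-Request-Method": "GET",
             "Access-Control-Request-Headers": "origin, content-type, accept"}
DEMO_CONFIG = {"any_origin": True, "origins": set(), "cookies": True, "max_age": 20,
               "all_methods": True, "methods": set(), "headers": ["origin"]}
FIXED_CONFIG = dict(DEMO_CONFIG, headers=["origin", "content-type", "accept"])
```

Compare the headers of the real GET response in the dev tools network tab against actual_response(): if Access-Control-Allow-Origin is missing there, the server handled the request fine and only the CORS decoration was skipped.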