Elytron - OTP seed attribute in ldap-realm is Base64 encoded
------------------------------------------------------------
Key: WFCORE-3068
URL: https://issues.jboss.org/browse/WFCORE-3068
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 3.0.0.Beta28
Reporter: Jan Kalina
Assignee: Jan Kalina
Priority: Critical
The {{ldap-realm.otp-credential-mapper.seed-from}} attribute in the Elytron subsystem refers
to an LDAP attribute which stores an OTP seed. The LDAP attribute value currently has to
be Base64 encoded, which seems to be wrong.
The problem is in the Elytron class
{{org.wildfly.security.auth.realm.ldap.OtpCredentialLoader}}, which handles the
encoding/decoding.
The [OTP RFC 2289|https://tools.ietf.org/html/rfc2289] says
{noformat}
The seed MUST consist of purely alphanumeric characters and MUST be
of one to 16 characters in length. The seed is a string of characters
that MUST not contain any blanks and SHOULD consist of strictly
alphanumeric characters from the ISO-646 Invariant Code Set. The
seed MUST be case insensitive and MUST be internally converted to
lower case before it is processed.
{noformat}
I.e., there is no need to Base64-encode the string bytes.
*Suggested fix*
Don't encode/decode the LDAP attribute value.
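As an added illustration (this is not Elytron's {{OtpCredentialLoader}} code, and the function names {{seed_from_ldap_attribute}} and {{compare_conventions}} are hypothetical), the Python sketch below validates a seed against the RFC 2289 rules quoted above and loads the same stored LDAP attribute value under both conventions: Base64-decoding it first (the behaviour reported here) and taking it as-is (the suggested fix). The sample values are constructed.

```python
import base64
import binascii
import re

# RFC 2289 seed rules: 1 to 16 characters, strictly alphanumeric (ASCII letters
# and digits, i.e. the ISO-646 invariant set), no blanks, case-insensitive and
# folded to lower case before use.
_SEED_RE = re.compile(r"[A-Za-z0-9]{1,16}")


class InvalidOtpSeed(ValueError):
    """Raised when a value cannot be an RFC 2289 seed."""


def normalize_otp_seed(seed: str) -> str:
    """Validate a seed against RFC 2289 and return its lower-cased form."""
    if not _SEED_RE.fullmatch(seed):
        raise InvalidOtpSeed(f"not an RFC 2289 seed: {seed!r}")
    return seed.lower()


def is_valid_otp_seed(seed: str) -> bool:
    """True if the string satisfies the RFC 2289 seed constraints."""
    try:
        normalize_otp_seed(seed)
    except InvalidOtpSeed:
        return False
    return True


def seed_from_ldap_attribute(value: bytes, base64_encoded: bool) -> str:
    """Hypothetical seed-from loader (not the Elytron implementation).

    base64_encoded=True models the reported behaviour (the attribute value is
    Base64-decoded before use); False models the suggested fix (the attribute
    holds the plain seed).
    """
    try:
        raw = base64.b64decode(value, validate=True) if base64_encoded else value
        return normalize_otp_seed(raw.decode("ascii"))
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise InvalidOtpSeed(f"cannot load seed from {value!r}: {exc}") from exc


def compare_conventions(stored: bytes) -> dict:
    """Load one stored attribute value under both conventions.

    Returns the loaded seed per convention, or None where loading fails, which
    shows that a directory populated for one convention breaks under the other.
    """
    result = {}
    for name, flag in (("base64_decoded", True), ("raw", False)):
        try:
            result[name] = seed_from_ldap_attribute(stored, flag)
        except InvalidOtpSeed:
            result[name] = None
    return result


if __name__ == "__main__":
    # Constructed sample values: a plain seed and the same seed Base64-encoded.
    plain = b"IAmValid"
    encoded = base64.b64encode(plain)  # b"SUFtVmFsaWQ="
    print(compare_conventions(plain))
    print(compare_conventions(encoded))
```

Note that a Base64 form of a seed routinely violates RFC 2289 on its own (it can contain {{=}} padding and, for seeds longer than 12 characters, exceeds the 16-character limit), so an attribute value stored Base64-encoded is not itself a valid seed, and a plain seed read through a Base64 decoder produces non-alphanumeric bytes. Only one convention can be in force for a given directory; the fix in this issue settles on the plain one the RFC describes.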