[keycloak-dev] Support for arbitrary byte arrays as HOTP keys
Mitya
mitya at cargosoft.ru
Mon Jun 13 14:14:25 EDT 2016
The current KeyCloak HOTP implementation assumes that a HOTP key (aka
seed, aka initialization vector) is stored as a string, and thus contains
only printable characters. However, the HOTP standard (RFC 4226)
doesn't impose any restrictions on key material; any arbitrary byte
array is acceptable.
Moreover, many hardware HOTP tokens are pre-programmed at the factory,
and do contain non-printable seeds. Even though KeyCloak doesn't
support hardware tokens out of the box, developers could implement it
by extending KeyCloak and employing existing algorithms. Unfortunately,
the existing convention (to store HOTP seeds as printable strings)
makes this impossible.
For the "password" credential type, the "value" field is already stored
as Base64. I think "hotp" credentials could also be stored as Base64 or
hex; another option would be to store the "value" field as BLOB (like
it's already done for the "salt" field).
I think I could produce a PR for this; I only need to know which
scenario is preferred.
Cheers,
Mitya
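The point of the message above, as an added worked example that is not part of the original post and not Keycloak's own code (Python rather than Java, so it runs stand-alone): an RFC 4226 HOTP computation that takes the key as raw bytes, checked against the RFC's Appendix D test vectors, then applied to a constructed factory-style seed containing non-printable bytes. `store_as_string` is an assumed model of the "seed stored as a string" convention (a UTF-8 round trip), not a copy of Keycloak's storage code; the Base64 and hex helpers show the two encodings the message proposes preserving the key byte-for-byte.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 Appendix D reference secret: the ASCII bytes of "12345678901234567890".
RFC4226_SECRET = b"12345678901234567890"

# Constructed example of a factory-programmed seed: arbitrary bytes, several of
# which (0x00, 0x80, 0xFF, 0xC3 0x28) are not printable and not valid UTF-8.
FACTORY_KEY = bytes([0x00, 0xFF, 0x80, 0x9F, 0x41, 0xC3, 0x28, 0x7F, 0x01, 0xFE,
                     0x10, 0x20, 0x30, 0xAB, 0xCD, 0xEF, 0x7E, 0x0A, 0x0D, 0x1B])


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.

    The key is an opaque byte array; nothing here requires it to be printable.
    """
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # drop sign bit
    return str(code % (10 ** digits)).zfill(digits)


def encode_key_base64(key: bytes) -> str:
    """Store the seed as Base64 text (the same encoding the password 'value' field uses)."""
    return base64.b64encode(key).decode("ascii")


def decode_key_base64(stored: str) -> bytes:
    return base64.b64decode(stored, validate=True)


def encode_key_hex(key: bytes) -> str:
    """The alternative the message mentions: store the seed as a hex string."""
    return key.hex()


def decode_key_hex(stored: str) -> bytes:
    return bytes.fromhex(stored)


def store_as_string(key: bytes) -> str:
    """Assumed model of the 'seed is a string' convention: bytes forced through UTF-8.

    Invalid sequences are replaced, which is exactly how a non-printable seed gets
    silently corrupted before it ever reaches the HMAC.
    """
    return key.decode("utf-8", errors="replace")


def key_survives_string_storage(key: bytes) -> bool:
    """True only if the seed comes back unchanged after being stored as a string."""
    return store_as_string(key).encode("utf-8") == key


def key_survives_base64_storage(key: bytes) -> bool:
    return decode_key_base64(encode_key_base64(key)) == key


def key_survives_hex_storage(key: bytes) -> bool:
    return decode_key_hex(encode_key_hex(key)) == key


if __name__ == "__main__":
    # RFC 4226 Appendix D: counters 0..9 -> 755224, 287082, 359152, 969429, 338314,
    # 254676, 287922, 162583, 399871, 520489
    print([hotp(RFC4226_SECRET, c) for c in range(10)])
    print("factory key as string survives:", key_survives_string_storage(FACTORY_KEY))
    print("factory key as base64 survives:", key_survives_base64_storage(FACTORY_KEY))
    print("factory key as hex survives:   ", key_survives_hex_storage(FACTORY_KEY))
    print("OTP from raw key:   ", hotp(FACTORY_KEY, 0))
    print("OTP via base64:     ", hotp(decode_key_base64(encode_key_base64(FACTORY_KEY)), 0))
    print("OTP via string path:", hotp(store_as_string(FACTORY_KEY).encode("utf-8"), 0))
```

The string path still produces a six-digit code, just the wrong one, which is why a printable-only convention fails quietly rather than loudly when a hardware token's seed is imported.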