[keycloak-dev] Support for arbitrary byte arrays as HOTP keys

Stian Thorgersen sthorger at redhat.com
Wed Jun 15 07:07:19 EDT 2016


I'm not quite following the problem. You can encode the secret/key
using Base32. In fact Keycloak already stores the secret as a Base32
encoded string. We don't strictly support hardware tokens at the moment as
there's no way to specify the secret, but you can probably do that through
the admin endpoints.

On 13 June 2016 at 20:14, Mitya <mitya at cargosoft.ru> wrote:

> The current KeyCloak HOTP implementation assumes that a HOTP key (aka
> seed, aka initialization vector) is stored as string, and thus contains
> only printable characters. However, the HOTP standard (RFC 4226)
> doesn't impose any restrictions on key material; any arbitrary byte
> array is acceptable.
>
> Moreover, many hardware HOTP tokens are pre-programmed at the factory,
> and do contain non-printable seeds. Even though KeyCloak doesn't
> support hardware tokens out of the box, developers could implement it
> by extending KeyCloak and employing existing algorithms. Unfortunately,
> the existing convention (to store HOTP seeds as printable strings)
> makes this impossible.
>
> For the "password" credential type, the "value" field is already stored
> as Base64. I think "hotp" credentials could also be stored as Base64 or
> hex; another option would be to store the "value" field as BLOB (like
> it's already done for the "salt" field).
>
> I think I could produce a PR for this, I only need to know which
> scenario is preferred.
>
> Cheers,
> Mitya
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
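The point under discussion, as an added example that is not Keycloak's code and not from either poster: RFC 4226 HOTP computed over an arbitrary byte-array seed, a Base32 round trip that preserves every byte, and the lossy result of treating the same seed as text. The RFC 4226 Appendix D test vectors are real; FACTORY_SEED is a constructed 20-byte value standing in for a factory-programmed token seed, and the helper names are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def encode_secret(secret: bytes) -> str:
    """Base32 text form suitable for a string column; any byte value survives."""
    return base64.b32encode(secret).decode("ascii")


def decode_secret(encoded: str) -> bytes:
    return base64.b32decode(encoded, casefold=True)


# Real RFC 4226 Appendix D vectors: ASCII secret "12345678901234567890", counters 0..9.
RFC4226_SECRET = b"12345678901234567890"
RFC4226_CODES = [
    "755224", "287082", "359152", "969429", "338314",
    "254676", "287922", "162583", "399871", "520489",
]

# Constructed seed (not from any real token): includes NUL, 0xFF and other
# bytes that are not printable and are not valid UTF-8.
FACTORY_SEED = bytes([
    0x00, 0xFF, 0x10, 0x7F, 0x80, 0x01, 0x0A, 0x0D, 0xC3, 0x28,
    0xFE, 0x9B, 0x00, 0x5C, 0x22, 0xE2, 0x82, 0x01, 0x7E, 0xFF,
])


def check_rfc_vectors() -> bool:
    return all(hotp(RFC4226_SECRET, c) == RFC4226_CODES[c] for c in range(10))


def string_round_trip_is_lossless(secret: bytes) -> bool:
    """Simulates storing the raw seed as text: decode to str, re-encode.
    Bytes that are not valid UTF-8 become U+FFFD and the seed changes."""
    return secret.decode("utf-8", errors="replace").encode("utf-8") == secret


def base32_round_trip_is_lossless(secret: bytes) -> bool:
    return decode_secret(encode_secret(secret)) == secret


def code_from_stored_form(encoded: str, counter: int) -> str:
    """What a verifier would compute after reading the Base32 column."""
    return hotp(decode_secret(encoded), counter)


if __name__ == "__main__":
    print("RFC 4226 vectors OK:", check_rfc_vectors())
    print("ASCII seed survives as text:", string_round_trip_is_lossless(RFC4226_SECRET))
    print("binary seed survives as text:", string_round_trip_is_lossless(FACTORY_SEED))
    print("binary seed survives Base32:", base32_round_trip_is_lossless(FACTORY_SEED))
    stored = encode_secret(FACTORY_SEED)
    print("stored:", stored, "-> counter 0 code:", code_from_stored_form(stored, 0))
```

The ASCII test-vector secret happens to be printable, so it survives a string round trip; the binary seed does not, which is exactly why the encoding step matters. Once the stored value is Base32, the verifier recovers the original bytes and computes the same code as a direct computation over the raw seed.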