The ldap-realm.otp-credential-mapper.seed-from attribute in Elytron subsystem refers to an LDAP attribute which stores an OTP seed. The LDAP-attribute value currently has to be Base64 encoded, which seems to be wrong.
The problem is in the Elytron class org.wildfly.security.auth.realm.ldap.OtpCredentialLoader which handles the encoding/decoding.
The OTP RFC 2289 says
The seed MUST consist of purely alphanumeric characters and MUST be of one to 16 characters in length. The seed is a string of characters that MUST not contain any blanks and SHOULD consist of strictly alphanumeric characters from the ISO-646 Invariant Code Set. The seed MUST be case insensitive and MUST be internally converted to lower case before it is processed.
I.e. There is no need to Base64-encode the String bytes.
Suggested fix
Don't encode/decode the LDAP attribute value.
- is cloned by
-
ELY-1289 Elytron - OTP seed attribute in ldap-realm is Base64 encoded
-
- Resolved
-
-
-
- Closed
-
- is incorporated by
-
JBEAP-12265 Upgrade WildFly Elytron to 1.1.0.CR3
-
- Verified
-
- is related to
-
-
- Verified
-
-
-
- Verified
-
-
-
- Verified
-
