-
Bug
-
Resolution: Won't Do
-
Critical
-
None
-
3.0.0.Beta28
-
None
The ldap-realm.otp-credential-mapper.seed-from attribute in Elytron subsystem refers to an LDAP attribute which stores an OTP seed. The LDAP-attribute value currently has to be Base64 encoded, which seems to be wrong.
The problem is in the Elytron class org.wildfly.security.auth.realm.ldap.OtpCredentialLoader which handles the encoding/decoding.
The OTP RFC 2289 says
The seed MUST consist of purely alphanumeric characters and MUST be of one to 16 characters in length. The seed is a string of characters that MUST not contain any blanks and SHOULD consist of strictly alphanumeric characters from the ISO-646 Invariant Code Set. The seed MUST be case insensitive and MUST be internally converted to lower case before it is processed.
I.e. There is no need to Base64-encode the String bytes.
Suggested fix
Don't encode/decode the LDAP attribute value.
- clones
-
JBEAP-12140 Elytron - OTP seed attribute in ldap-realm is Base64 encoded
- Closed