By: Guy Parker named 08 Nov 2017 at 6:16 a.m. CST

3 Responses
Guy Parker gravatar
With reference to other tickets (https://support.gluu.org/authentication/4426/otp/ and https://support.gluu.org/authentication/4241/hotptopt-authentication-module-invalid-barcode/) We found that the QR code could generate an error in Google Authenticator when using TOTP but that other apps (like OTP Auth) or switching to HOTP would work. We believe this to happen only when the secret includes "=" padding and that there is a simple fix: 1. Locate the toBase32 method in the otp script 2. Change: ``` return BaseEncoding.base32().encode(bytes) ``` To: ``` return BaseEncoding.base32().omitPadding().encode(bytes) ``` According to https://github.com/google/google-authenticator/wiki/Key-Uri-Format: > The secret parameter is an arbitrary key value encoded in Base32 according to RFC 3548. The padding specified in RFC 3548 section 2.2 is not required and should be omitted.

By Mohib Zico Account Admin 08 Nov 2017 at 6:31 a.m. CST

Mohib Zico gravatar
Thanks much, Guy. We will take a quick look and push the fix if required.

By Yuriy Movchan staff 08 Nov 2017 at 7:22 a.m. CST

Yuriy Movchan gravatar
Thank you for issue description and solution to resolve it. I've committed fix for this case: https://github.com/GluuFederation/oxAuth/commit/2e4da44513b093148276e599c479dda48848f186

By Michael Schwartz Account Admin 09 Nov 2017 at 1:29 a.m. CST

Michael Schwartz gravatar
Yes, very nice work Guy. Thank you.