Hi,
I'm currently trying to implement a Yubico OTP authentication in C#.
Basically, what I'm trying to do is the following:
1. When the user tries to authenticate to my website, I take the OTP submitted with the YubiKey
2. I try to authenticate to the Yubico authentication service using the following code (taken from the google project reference on Yubico's website) with the authid that I have generated here
https://upgrade.yubico.com/getapikey/ :
Code:
// Yubico .NET client class that calls Yubico authentication server to
// validate an OTP (One-Time Password) generated by a Yubikey
//
// March 2008
//
// Yubico.com - the elegant strong authentication built for the web
using System;
using System.Collections.Generic;
using System.Net;
using System.IO;
//using System.Web;

/// <summary>
/// Your app instantiates an object of this class, then calls verify(OTP) to validate the
/// one-time password (OTP) generated by Yubikey
/// </summary>
public class YubicoClient
{
    const String YUBICO_AUTH_SRV_URL = "http://api.yubico.com/wsapi/verify?id=";
    private int _authId = -1;
    private String _response;

    // Input param authId is assigned to you by Yubico. Each site operator has an authId
    // Eg. mashedLife.com authId is 28, dragonIPTV.com authId is 27, etc.
    // Contact tech@yubico.com if you haven't got an authId for your site.
    //
    public YubicoClient(int authId)
    {
        _authId = authId;
        _response = "";
    }

    // Input param OTP is generated from your Yubikey when touching the button on it
    //
    public Boolean verify(String otp)
    {
        Boolean result = false;
        _response = "";
        // Escape the OTP so user input cannot add or alter query parameters
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(
            YUBICO_AUTH_SRV_URL + _authId + "&otp=" + Uri.EscapeDataString(otp));
        // Dispose the response and reader even if reading throws
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            String ver = response.ProtocolVersion.ToString();
            // Handle each line before reading the next one, so the first line is
            // not skipped and a null at end of stream is never dereferenced
            string str = reader.ReadLine();
            while (str != null)
            {
                //Console.WriteLine(str);
                _response += str + "\n";
                if (str.StartsWith("status="))
                {
                    // Exact match: a prefix test would also accept any other
                    // status value that merely begins with "OK"
                    if (str.Trim() == "status=OK")
                    {
                        result = true;
                    }
                    break;
                }
                str = reader.ReadLine();
            }
        }
        return result;
    } // End of verify

    // Useful to verify the cause of a validation error
    // (public, so that calling code can actually reach it)
    public String getLastResponse()
    {
        return _response;
    }
} // End of class YubicoClient
3. If the username, password and verify method above are all passed, then my user is authenticated.
Is that all I need to do?
Is the code above correct?
I saw somewhere that we can have an "h" parameter, but I don't see it in the code... is that normal?
Thanks a million for your help and kind regards,
L
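On the "h" parameter asked about above, as an added example that is not part of the original post or of Yubico's client: in Yubico's validation protocol, "h" in the response is a base64 HMAC-SHA1 signature over the other response fields, sorted by key and joined with "&", keyed with the base64-decoded API key, so checking it is what lets the client detect an altered reply. The class and method names are hypothetical, the key and response are constructed sample data, and the response is assumed to echo the submitted otp as the 2.0 response format does.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class YubicoResponseCheck // hypothetical helper, not Yubico's code
{
    // Parse "key=value" lines; split on the first '=' only, base64 values may end in '='.
    public static Dictionary<string, string> Parse(string body)
    {
        var fields = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var line in body.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = line.IndexOf('=');
            if (eq > 0) fields[line.Substring(0, eq).Trim()] = line.Substring(eq + 1).Trim();
        }
        return fields;
    }
    // Base64 HMAC-SHA1 over every field except "h", sorted by key and joined with '&'.
    public static string Sign(IDictionary<string, string> fields, byte[] key)
    {
        string message = string.Join("&", fields.Where(kv => kv.Key != "h")
            .OrderBy(kv => kv.Key, StringComparer.Ordinal)
            .Select(kv => kv.Key + "=" + kv.Value));
        using (var hmac = new HMACSHA1(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(message)));
    }
    // Accept only a correctly signed reply, for the OTP we sent, with status OK.
    public static bool IsValid(string body, string sentOtp, string apiKeyBase64)
    {
        var f = Parse(body);
        if (!f.TryGetValue("h", out var h) || !f.TryGetValue("otp", out var otp)
            || !f.TryGetValue("status", out var status)) return false;
        string expected = Sign(f, Convert.FromBase64String(apiKeyBase64));
        // Fixed-time comparison (.NET Core 2.1 or later) avoids leaking where the strings differ.
        bool signatureOk = CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(expected), Encoding.ASCII.GetBytes(h));
        return signatureOk && otp == sentOtp && status == "OK";
    }
    public static void Main()
    {
        // Constructed key, OTP and response, signed locally so the sample is self-consistent.
        string key = Convert.ToBase64String(Encoding.ASCII.GetBytes("constructed-demo-key"));
        string otp = "ccccccccccccbdefghijklnrtuv", other = "ccccccccccccvutrnlkjihgfedb";
        var f = new Dictionary<string, string> { { "otp", otp }, { "status", "OK" }, { "t", "constructed-timestamp" } };
        f["h"] = Sign(f, Convert.FromBase64String(key));
        string body = string.Join("\r\n", f.Select(kv => kv.Key + "=" + kv.Value));
        Console.WriteLine("genuine reply accepted: " + IsValid(body, otp, key));
        Console.WriteLine("signed OK reused for another OTP accepted: " + IsValid(body.Replace(otp, other), other, key));
    }
}
```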