Yubico Forum
https://forum.yubico.com/

web client authentication in c#
https://forum.yubico.com/viewtopic.php?f=3&t=826
Page 1 of 1

Author:  leelith [ Mon Jun 25, 2012 3:28 pm ]
Post subject:  web client authentication in c#

Hi,

I'm currently trying to implement a Yubico OTP authentication in C#.

Basically, what I'm trying to do is the following:

1. When the user tries to authenticate to my website, I take the OTP submitted with the YubiKey
2. I try to authenticate to the Yubico authentication service using the following code (taken from the google project reference on Yubico's website) with the authid that I have generated here https://upgrade.yubico.com/getapikey/ :

Code:
// Yubico .NET client class that calls Yubico authentication server to
// validate an OTP (One-Time Password) generated by a Yubikey
//
// March 2008       
//
// Yubico.com - the elegant strong authentication built for the web


using System;
using System.Collections.Generic;
using System.Net;
using System.IO;
//using System.Web;

/// <summary>
/// Your app instantiates an object of this class, then calls verify(OTP) to validate the
/// one-time password (OTP) generated by Yubikey
/// </summary>
public class YubicoClient
{
    // HTTPS, so the OTP and the server's answer are not sent in clear text
    const String YUBICO_AUTH_SRV_URL = "https://api.yubico.com/wsapi/verify?id=";

    private int _authId = -1;

    private String _response;

    //// Input param authId is assigned to you by Yubico. Each site operator has an authId
    // Eg. mashedLife.com authId is 28, dragonIPTV.com authId is 27, etc.
    // Contact tech@yubico.com if you haven't got an authId for your site.
    //
    public YubicoClient(int authId)
    {
        _authId = authId;
        _response = "";
    }

    //// Input param OTP is generated from your Yubikey when touching the button on it
    // 
    public Boolean verify(String otp)
    {
        Boolean result = false;

        _response = "";

        // Escape the OTP so user-supplied input cannot add or alter query parameters
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(
            YUBICO_AUTH_SRV_URL + _authId + "&otp=" + Uri.EscapeDataString(otp));
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            // Read every line, including the first, and stop cleanly at end of stream
            string str;
            while ((str = reader.ReadLine()) != null)
            {
                _response += str + "\n";
                if (str.StartsWith("status="))
                {
                    // Only an exact status of OK counts as success
                    result = (str.Trim() == "status=OK");
                    break;
                }
            }
        }
        return result;
    } // End of verify

    //// Useful to verify the cause of a validation error
    //
    public String getLastResponse()
    {
        return _response;
    }

} // End of class YubicoClient


3. If the username, password and verify method above are all passed, then my user is authenticated.

Is that all I need to do?
Is the code above correct?
I saw somewhere that we can have an "h" parameter, but don't see it in the code... is that normal?

Thanks a million for your help and kind regards,

L

Author:  Klas [ Tue Jun 26, 2012 6:25 am ]
Post subject:  Re: web client authentication in c#

Hello,

Yes, the verify method in that code will verify the OTP.
The h parameter is for an HMAC-SHA1 signature of the query and response with the API key you get with the client id. It's not mandatory but gives an extra layer that it is the correct server answering your queries. The simple .NET validation client doesn't support signatures at all, and it's also only validation protocol 1 with a single server. We have a newer validation client for .NET with support for the full validation protocol 2 with multiple servers queried in parallel: https://github.com/Yubico/yubico-dotnet-client - it's more complex but should be preferred.

/klas
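
The "h" check described in the reply above, as an added C# example (not code from this thread or from either Yubico client). It assumes the validation protocol 2.0 signing rule: HMAC-SHA1 over the response fields other than h, sorted by key and joined with '&', keyed with the base64-decoded API key. The class name, method names and sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class YubicoResponseCheck // hypothetical helper, not part of any Yubico client
{
    // Split each "key=value" line on the first '=' only: base64 values such as h can end in '='.
    public static Dictionary<string, string> Parse(string body)
    {
        var fields = new Dictionary<string, string>();
        foreach (var line in body.Split('\n'))
        {
            int eq = line.IndexOf('=');
            if (eq > 0) fields[line.Substring(0, eq).Trim()] = line.Substring(eq + 1).Trim();
        }
        return fields;
    }
    // HMAC-SHA1 over all fields except h, sorted by key and joined with '&', base64-encoded.
    public static string Sign(IDictionary<string, string> fields, byte[] apiKey)
    {
        string message = string.Join("&", fields.Where(f => f.Key != "h")
            .OrderBy(f => f.Key, StringComparer.Ordinal).Select(f => f.Key + "=" + f.Value));
        using (var hmac = new HMACSHA1(apiKey))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(message)));
    }
    // Accept only a correctly signed status=OK that echoes the OTP and nonce that were sent.
    public static bool IsTrustedOk(string body, string apiKeyBase64, string sentOtp, string sentNonce)
    {
        var f = Parse(body);
        string h, otp, nonce, status;
        if (!f.TryGetValue("h", out h) || !f.TryGetValue("otp", out otp) ||
            !f.TryGetValue("nonce", out nonce) || !f.TryGetValue("status", out status))
            return false;
        string expected = Sign(f, Convert.FromBase64String(apiKeyBase64));
        // Compare without an early exit so timing does not reveal how many characters matched.
        int diff = expected.Length ^ h.Length;
        for (int i = 0; i < expected.Length && i < h.Length; i++) diff |= expected[i] ^ h[i];
        return diff == 0 && otp == sentOtp && nonce == sentNonce && status == "OK";
    }
    public static void Main() // constructed key, OTP and nonce; not real values
    {
        string key = Convert.ToBase64String(Encoding.ASCII.GetBytes("constructed-key"));
        string body = "otp=cccccccccccc\nnonce=abc123\nstatus=OK\n";
        body += "h=" + Sign(Parse(body), Convert.FromBase64String(key));
        Console.WriteLine(IsTrustedOk(body, key, "cccccccccccc", "abc123")); // intact response
        Console.WriteLine(IsTrustedOk(body.Replace("abc123", "zzz999"), key, "cccccccccccc", "zzz999")); // nonce altered after signing
    }
}
```

Checking the echoed otp and nonce alongside the signature ties the answer to this specific request, so a previously captured signed OK cannot be substituted for it.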

Author:  leelith [ Thu Jul 05, 2012 10:02 pm ]
Post subject:  Re: web client authentication in c#

Hi,

Sorry for the delay, I have been very busy at work on other topics.

So I had a look into the new implementation of the client, which I think I will use (why is it not referenced on Yubico's website?).

I however have a few questions:

What are the "nonce" and "sync" variables needed for?

Also, the user-agent shouldn't change anything in the response of the validation server, right?

And more generally, all we have to do is import all needed classes (under YubicoDotNetClient), and call the verify method to check the OTP:

Code:
YubicoClient client = new YubicoClient(clientId, apiKey);
YubicoResponse response = client.verify(otp);
if(response.getStatus() == YubicoResponseStatus.OK) {
  // validation success
} else {
  // validation failure
}


As suggested on the project code page, right?

Thanks again and have a good night : )

L.

Author:  Klas [ Mon Jul 09, 2012 9:39 am ]
Post subject:  Re: web client authentication in c#

Hello,

You can read about all parts of the sync protocol at https://github.com/Yubico/yubikey-val-s ... rotocolV20 . You don't need to set any of those variables; they will have sensible defaults. If you pass in clientId and apiKey to the constructor and the otp to the verify method, you're good to go.

/klas

Author:  leelith [ Wed Jul 11, 2012 10:54 pm ]
Post subject:  Re: web client authentication in c#

OK, I had a look at the code. Do I need to change the YubicoResponse class calls to YubicoResponseImpl in the code, to call the class directly and not the interface? At least I think it would be "more elegant".

Thanks!

L.

Author:  Klas [ Mon Aug 06, 2012 8:54 am ]
Post subject:  Re: web client authentication in c#

Hello,

Sorry for the late reply, we have been on vacation here.

If you have comments on the code or the functionality, don't hesitate to tell us or give us a pull request on github, we'll be more than happy to make the default work for you.

/klas

All times are UTC + 1 hour