Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 10:16 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Thu Jan 02, 2014 9:38 am 
Offline

Joined: Thu Jan 02, 2014 9:25 am
Posts: 1
Hello everyone.

I'm working on integrating YubiKey into our new platform and I'd like to know if it is by design that the response from YubiCloud does not contain nonce (and otp) when status is BAD_OTP.

Code:
"h=rXCkSVYHYUYk+Ju5MvaVSKRhhgY=\r\nt=2014-01-02T08:20:07Z0339\r\nstatus=BAD_OTP\r\n\r\n"


Code:
"h=ltwiOKRC5X62g8HBDw9+CdxE/0Q=\r\nt=2014-01-02T08:20:05Z0697\r\notp=ccccccbtcvvhgnvvbivkdfkrddgnikfkdhjlhgeinhlb\r\nnonce=58a74a555932b9bca389ff3fd5ac6c2d\r\nstatus=REPLAYED_OTP\r\n\r\n"


Looking at the documentation (https://github.com/Yubico/yubikey-val/wiki/ValidationProtocolV20#response) nowhere this is mentioned.
If it is unintentional, do you plan to include none (and otp) in BAD_OPT responses anytime soon?


Thanks

Sigfrid


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Jan 08, 2014 11:14 am 
Offline
Site Admin
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

OTP is not included in the case of BAD_OTP to avoid echoing a potentially mallicious string to the client (as it's failed the validation servers sanity check). And the same goes for the other error conditions where inputs might not have been sanitized yet.

/klas


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group