Yubico Forum

Response does not contain nonce when BAD_OTP
Page 1 of 1

Author:  sigfrid [ Thu Jan 02, 2014 9:38 am ]
Post subject:  Response does not contain nonce when BAD_OTP

Hello everyone.

I'm working on integrating YubiKey into our new platform and I'd like to know if it is by design that the response from YubiCloud does not contain nonce (and otp) when status is BAD_OTP.



Looking at the documentation (https://github.com/Yubico/yubikey-val/wiki/ValidationProtocolV20#response) nowhere this is mentioned.
If it is unintentional, do you plan to include none (and otp) in BAD_OPT responses anytime soon?



Author:  Klas [ Wed Jan 08, 2014 11:14 am ]
Post subject:  Re: Response does not contain nonce when BAD_OTP


OTP is not included in the case of BAD_OTP to avoid echoing a potentially mallicious string to the client (as it's failed the validation servers sanity check). And the same goes for the other error conditions where inputs might not have been sanitized yet.


Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group