Yubico Forum
https://forum.yubico.com/

Response does not contain nonce when BAD_OTP
https://forum.yubico.com/viewtopic.php?f=3&t=1272
Page 1 of 1

Author:  sigfrid [ Thu Jan 02, 2014 9:38 am ]
Post subject:  Response does not contain nonce when BAD_OTP

Hello everyone.

I'm working on integrating YubiKey into our new platform and I'd like to know if it is by design that the response from YubiCloud does not contain nonce (and otp) when status is BAD_OTP.

Code:
"h=rXCkSVYHYUYk+Ju5MvaVSKRhhgY=\r\nt=2014-01-02T08:20:07Z0339\r\nstatus=BAD_OTP\r\n\r\n"


Code:
"h=ltwiOKRC5X62g8HBDw9+CdxE/0Q=\r\nt=2014-01-02T08:20:05Z0697\r\notp=ccccccbtcvvhgnvvbivkdfkrddgnikfkdhjlhgeinhlb\r\nnonce=58a74a555932b9bca389ff3fd5ac6c2d\r\nstatus=REPLAYED_OTP\r\n\r\n"


Looking at the documentation (https://github.com/Yubico/yubikey-val/wiki/ValidationProtocolV20#response), this is not mentioned anywhere.
If it is unintentional, do you plan to include nonce (and otp) in BAD_OTP responses anytime soon?


Thanks

Sigfrid

Author:  Klas [ Wed Jan 08, 2014 11:14 am ]
Post subject:  Re: Response does not contain nonce when BAD_OTP

Hello,

OTP is not included in the case of BAD_OTP to avoid echoing a potentially malicious string to the client (as it's failed the validation server's sanity check). And the same goes for the other error conditions where inputs might not have been sanitized yet.

/klas
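
Editor's added example (not code from this thread or from Yubico): a client-side check that tolerates the missing otp/nonce on error statuses but still requires both echoes on OK. The key, the helper names and the signed responses are constructed for illustration; the h value is computed as the ValidationProtocolV20 page describes (HMAC-SHA1 over the sorted key=value pairs joined by "&", base64-encoded).

```python
import base64, hashlib, hmac

def parse_response(body):
    """Split a validation response body into a dict of key=value fields."""
    fields = {}
    for line in body.split("\r\n"):
        if line:
            key, _, value = line.partition("=")  # first '=' only: h= is base64
            fields[key] = value
    return fields

def sign(fields, key):
    """HMAC-SHA1 over the sorted k=v pairs joined by '&' (h itself excluded)."""
    msg = "&".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()

def check_response(body, sent_otp, sent_nonce, key):
    """Return (accepted, reason); only a signed OK echoing our otp and nonce passes."""
    f = parse_response(body)
    if not hmac.compare_digest(f.get("h", "").encode(), sign(f, key).encode()):
        return False, "bad signature"
    status = f.get("status", "")
    if status != "OK":
        # Error responses such as BAD_OTP may omit otp and nonce (see the thread),
        # so there is nothing to compare; any non-OK status is a rejection.
        return False, status or "missing status"
    if f.get("otp") != sent_otp or f.get("nonce") != sent_nonce:
        return False, "otp/nonce mismatch"
    return True, "OK"

# Constructed sample data: demo key, plus the otp/nonce values quoted in the thread.
KEY = b"constructed-demo-key"
OTP = "ccccccbtcvvhgnvvbivkdfkrddgnikfkdhjlhgeinhlb"
NONCE = "58a74a555932b9bca389ff3fd5ac6c2d"

def build(fields):
    """Serialize constructed fields into a signed response body (test helper)."""
    signed = dict(fields, h=sign(fields, KEY))
    return "".join(f"{k}={v}\r\n" for k, v in signed.items()) + "\r\n"

def demo():
    t = "2014-01-02T08:20:07Z0339"
    bad = build({"t": t, "status": "BAD_OTP"})                       # no echo
    ok = build({"t": t, "otp": OTP, "nonce": NONCE, "status": "OK"})
    bare_ok = build({"t": t, "status": "OK"})                        # OK without echo
    return [check_response(r, OTP, NONCE, KEY) for r in (bad, ok, bare_ok)]
```
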

All times are UTC + 1 hour