Yubico Forum

All times are UTC + 1 hour




Posted: Mon Jun 25, 2012 3:28 pm

Joined: Mon Jun 25, 2012 3:20 pm
Posts: 3
Hi,

I'm currently trying to implement a Yubico OTP authentication in C#.

Basically, what I'm trying to do is the following:

1. When the user tries to authenticate to my website, I take the OTP submitted with the YubiKey
2. I try to authenticate to the Yubico authentication service using the following code (taken from the google project reference on Yubico's website) with the authid that I have generated here https://upgrade.yubico.com/getapikey/ :

Code:
// Yubico .NET client class that calls Yubico authentication server to
// validate an OTP (One-Time Password) generated by a Yubikey
//
// March 2008       
//
// Yubico.com - the elegant strong authentication built for the web


using System;
using System.Collections.Generic;
using System.Net;
using System.IO;
//using System.Web;

/// <summary>
/// Your app instantiates an object of this class, then calls verify(OTP) to validate the
/// one-time password (OTP) generated by Yubikey
/// </summary>
public class YubicoClient
{
    // HTTPS, so the validation server is authenticated and the OTP is not sent in clear text
    const String YUBICO_AUTH_SRV_URL = "https://api.yubico.com/wsapi/verify?id=";

    private int _authId = -1;

    private String _response;

    //// Input param authId is assigned to you by Yubico. Each site operator has an authId
    // Eg. mashedLife.com authId is 28, dragonIPTV.com authId is 27, etc.
    // Contact tech@yubico.com if you haven't got an authId for your site.
    //
    public YubicoClient(int authId)
    {
        _authId = authId;
        _response = "";
    }

    //// Input param OTP is generated from your Yubikey when touching the button on it
    // 
    public Boolean verify(String otp)
    {
        Boolean result = false;

        _response = "";

        // Escape the user-supplied OTP so it cannot add or alter query parameters
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(
            YUBICO_AUTH_SRV_URL + _authId + "&otp=" + Uri.EscapeDataString(otp));
        // Dispose the response and reader even if reading throws
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            // Check every line, including the first, and stop cleanly at end of stream
            string str;
            while ((str = reader.ReadLine()) != null)
            {
                //Console.WriteLine(str);
                _response += str + "\n";
                if (str.StartsWith("status="))
                {
                    if (str.StartsWith("status=OK"))
                    {
                        result = true;
                    }
                    break;
                }
            }
        }
        return result;
    } // End of verify

    //// Useful to verify the cause of a validation error
    //
    public String getLastResponse()
    {
        return _response;
    }

} // End of class YubicoClient


3. If the username, password and verify method above are all passed, then my user is authenticated.

Is that all I need to do?
Is the code above correct?
I saw somewhere that we can have an "h" parameter, but I don't see it in the code... is that normal?

Thanks a million for your help and kind regards,

L


Posted: Tue Jun 26, 2012 6:25 am
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

Yes, the verify method in that code will verify the OTP.
The h parameter is for an HMAC-SHA1 signature of the query and response with the apikey you get with the client id; it's not mandatory but gives an extra layer that it is the correct server answering your queries. The simple .Net validation client doesn't support signatures at all, and it's also only validation protocol 1 with a single server. We have a newer validation client for .Net with support for the full validation protocol 2 with multiple servers queried in parallel: https://github.com/Yubico/yubico-dotnet-client. It's more complex but should be preferred.

/klas
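
An added example, not part of the original posts or of Yubico's client code: checking the h signature described above on a validation protocol 2.0 response, using the protocol's signing rule (sort the key=value pairs by key, join them with &, HMAC-SHA1 with the base64-decoded API key, base64-encode the result). The class and method names, the key, OTP, nonce and response body are all constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class YubicoSignature
{
    // Parse "key=value" lines; split on the first '=' only, since base64 values end in '='.
    public static Dictionary<string, string> Parse(string body)
    {
        var fields = new Dictionary<string, string>();
        foreach (string raw in body.Split('\n'))
        {
            int eq = raw.IndexOf('=');
            if (eq > 0) fields[raw.Substring(0, eq).Trim()] = raw.Substring(eq + 1).Trim();
        }
        return fields;
    }
    // h = base64(HMAC-SHA1(key, "k1=v1&k2=v2...")): fields sorted by key, "h" itself left out.
    public static string Compute(IDictionary<string, string> fields, string apiKeyBase64)
    {
        var sorted = new SortedDictionary<string, string>(fields, StringComparer.Ordinal);
        var parts = new List<string>();
        foreach (var kv in sorted) if (kv.Key != "h") parts.Add(kv.Key + "=" + kv.Value);
        using (var hmac = new HMACSHA1(Convert.FromBase64String(apiKeyBase64)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(string.Join("&", parts.ToArray()))));
    }
    // Accept only a correctly signed status=OK that echoes this request's otp and nonce.
    public static bool IsTrusted(string body, string apiKeyBase64, string otp, string nonce)
    {
        var f = Parse(body);
        string h, v, want = Compute(f, apiKeyBase64);
        if (!f.TryGetValue("h", out h)) return false;
        int diff = h.Length ^ want.Length;   // compare without stopping at the first mismatch
        for (int i = 0; i < h.Length && i < want.Length; i++) diff |= h[i] ^ want[i];
        return diff == 0 && f.TryGetValue("status", out v) && v == "OK"
            && f.TryGetValue("otp", out v) && v == otp && f.TryGetValue("nonce", out v) && v == nonce;
    }
    public static void Main()
    {
        string key = Convert.ToBase64String(Encoding.ASCII.GetBytes("constructed-demo-key")); // constructed key
        string otp = "cccccccccccb" + new string('d', 32), nonce = "a1b2c3d4e5f60718293a";    // constructed values
        string body = "t=2012-06-26T06:25:00Z0123\notp=" + otp + "\nnonce=" + nonce + "\nsl=100\nstatus=OK";
        string signed = "h=" + Compute(Parse(body), key) + "\n" + body;
        Console.WriteLine(IsTrusted(signed, key, otp, nonce));                            // response as signed
        Console.WriteLine(IsTrusted(signed.Replace("sl=100", "sl=25"), key, otp, nonce)); // field changed after signing
        Console.WriteLine(IsTrusted(signed, key, otp, "ffffffffffffffffffff"));           // reply to another request
    }
}
```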


Posted: Thu Jul 05, 2012 10:02 pm

Joined: Mon Jun 25, 2012 3:20 pm
Posts: 3
Hi,

Sorry for the delay, I have been very busy at work on other topics.

So I had a look into the new implementation of the client, which I think I will use (why is it not referenced on Yubico's website?).

I have a few questions, however:

What are the "nonce" and "sync" variables needed for?

Also, the user-agent shouldn't change anything in the response of the validation server, right?

And more generally, all we have to do is import all needed classes (under YubicoDotNetClient), and call the verify method to check the OTP:

Code:
YubicoClient client = new YubicoClient(clientId, apiKey);
YubicoResponse response = client.verify(otp);
if(response.getStatus() == YubicoResponseStatus.OK) {
  // validation success
} else {
  // validation failure
}


As suggested on the project code page, right?

Thanks again and have a good night : )

L.


Posted: Mon Jul 09, 2012 9:39 am
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

You can read about all parts of the sync protocol at https://github.com/Yubico/yubikey-val-s ... rotocolV20. You don't need to set any of those variables; they will have sensible defaults. If you pass in clientId and apiKey to the constructor and the otp to the verify method, you're good to go.

/klas


Posted: Wed Jul 11, 2012 10:54 pm

Joined: Mon Jun 25, 2012 3:20 pm
Posts: 3
Ok, I had a look at the code. Do I need to change the YubicoResponse class calls to YubicoResponseImpl in the code, to call the class directly and not the interface? At least I think it would be "more elegant".

Thanks!

L.


Posted: Mon Aug 06, 2012 8:54 am
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

Sorry for the late reply, there have been vacations here.

If you have comments on the code or the functionality, don't hesitate to tell us or give us a pull request on github, we'll be more than happy to make the default work for you.

/klas

