I'm confused about the unit tests without assertions. I took a quick stab at writing some assertions, but since all of the (new) assertions fail, something's wrong with the code or (very likely) my assumptions.

jamiejackson@fb34c7b

Hey,

I need to instatiate a new GoogleAuthenticatorKey because I want to generate a QR-Code:
String link = GoogleAuthenticatorQRGenerator.getOtpAuthURL("MyProgram", "[email protected]", <key>);

I already know that it's not possible to do new GoogleAuthenticatorKey(). I already stored the Key in a Credentials Manager.

My Question: How can I get that GoogleAuthenticatorKey variable / Get the QR-Code URL without having an GoogleAuthenticatorKey variable?

Thanks in advance,
Niklas

Could not initialise SecureRandom with the specified provider: SUN.
Another provider can be chosen setting the com.warrenstrange.googleauth.rng.algorithmProvider system property.

Can you help me?

Gradle:
compile 'com.warrenstrange:googleauth:1.1.5' //Google Auth

Hi,

I'd like to invite you to add this repo to the awesome-auth list here: https://github.com/casbin/awesome-auth

Please send a PR, thanks!

I might be missing out on something here, but ... would it be possible to make the calculateCode() method public?
I'm using your lib on the server side, and for testing purposes, it would be great if I could use the same lib for the client side code as well. Others might be interested to use your code when writing client applications.

I worked around it by shamelessly borrowing from your code and basically copying the checkCode() method. I just changed the return type from "boolean" to "String[]", so it now returns an array of the calculated hashes instead of a "isValid".

The signature of my method now looks like this:

/**
 * Creates a set of One Time Passwords for the given secret.
 *
 * @param aSecret the secret for which OTPs shall be generated
 * @param aNumberOfOTPs the number of OTPs to be generated. The one "in the middle" is the "most current one". 
 * @return an array of OTPs.
 */
public static String[] createOTP(String aSecret, int aNumberOfOTPs) {
      ...
    }

And, in any case: Thanks for putting this together!

My apologies if I missed something in the API.

Right now, you can only generate a QR code with a GoogleAuthenticatorKey object. This object can only be created by a call to createCredentials(). My use case is that I need to recreate the QR code with a preexisting secret (that has been persisted to the database), but there doesn't seem to be any way to do that with the existing API, as I cannot create a GoogleAuthenticatorKey object, or call the QR code methods with just the key. It would be sufficient to overload getOtpAuthURL() to take 3 strings (including the key).

Hi,
First of all thank you for creating such a great tool. I am currently in my University final year and are using your API to implement two factor authentication in my final year project.

However there is an issue; the storage of the secret key. Since the program requires the secret key in order to generate TOTP, I cannot possibly just store the hash, and if I were to encrypt the secret key that would means that I will have to hard code the decryption key. Furthermore my application is designed to work offline (i.e. cannot host an authentication server).

I remember our lecturer taught us in class that it is a bad practice to hard code secret key and should also never store key in clear.

I will greatly appreciate your help if you could give me some advice and will be really grateful.

Best Regards,
Jacky

The getTotpPasswordOfUser method with just the userName parameter does not appropriately call getTotpPasswordOfUser(String userName, long time). Instead, it calls the getTotpPassword helper with userName as the key.

Hi,

the method public boolean authorize(String secret, int verificationCode) need has a TimeZone parameter, because my timezone default not is UTC, so the possible best implementation is :
TimeZone tz = TimeZone.getTimeZone(timeZoneParameter);

The asymmetry of this interface bothers me. It seems to serve no purpose the way it is written since either the library takes care of the whole getting/setting for us, or it doesn't. One option is:

gAuth.authenticate(username, code)

Which will call a getter in the interface to fetch the appropriate secret key from the data store. What do you think of this approach?

Note also that 'authorise' is the wrong word since it often means something different. Authentication is about identifying a user. Authorisation is about determine the level of access to provide that user.

GoogleAuthenticator class is currently defined as final and it doesn't implement any interface which would create a contract for this class. As a result the class can't be easily mocked in unit tests.

For example line like this:
GoogleAuthenticator googleAuthenticator = EasyMock.createMock(GoogleAuthenticator.class);

ends with an exception:
java.lang.IllegalArgumentException: Cannot subclass final class class com.warrenstrange.googleauth.GoogleAuthenticator

GoogleAuthenticator class could implement an interface (e.g. IGoogleAuthenticator) with signatures of it's public methods.

Hi @wstrange,

Would you mind logging in into https://travis-ci.org/ and enable the Travis build for this repository? My status as a collaborator is not sufficient to do that.

Thanks!

Took me a while to find out what's wrong. Google prints the codes in lowercase but the library decodes them wrong because of this issue. After doing .toUpperCase() the codes match. Probably best not to confuse people and uppercase it anyway at this line. While it could be patched on the Apache's side I think it's nice to cover this default Google behavior on the library's side.

Because they are typed to be an int, attempting to authorize a code that has a leading zero will throw an exception. Leading zeros aren't allowed in non-decimal numbers.

[ERROR] GoogleAuth/src/test/java/com/warrenstrange/googleauth/GoogleAuthTest.java:[66,48] integer number too large: 098775

I am just trying this library for generating random TOTP of 6 digits by setting the code digits property but sometimes I am getting the 4/5 digit TOTP.

Can somebody help out how to fix the length of the TOTP?

Hey,
I used the code as is my main is

GoogleAuthenticator gAuth = new GoogleAuthenticator(gacb.build());
gAuth = new GoogleAuthenticator();
final GoogleAuthenticatorKey key = gAuth.createCredentials();

GoogleAuthenticator gAuth = new GoogleAuthenticator();
boolean isCodeValid = gAuth.authorize(key.getKey(), key.getVerificationCode);

isCodeValid = false. Why ?
chaning setWindowSize(1000000) cause it to return true, but calling gAuth.authorize(key.getKey(), key.getVerificationCode + 1) also return true !!!

Thanks,
Baruch

I have include GoogleAuth in scala

org.scalatest.exceptions.TestFailedException: false was not equal to true

    val gAuth = new GoogleAuthenticator()

    val key = gAuth.createCredentials()

    Thread.sleep(5 * 1000)

    val isCodeValid = gAuth.authorize(key.getKey, key.getVerificationCode)

    isCodeValid shouldBe true

Is there a way of making the number of generated scratch codes custom? Most sites use around 10 scratch codes today.

How's license?
But jus could use?

Let me know us.
Thanks.

So that it does not bring in the library and bunch of its dependencies if I do not need the functionality

Does this library support creating app password?
If it does, can you give me an example?

Thanks,

How can we restrict the passcode's lifetime?
I am trying it by using the setTimeStepSizeInMillis method but it doesn't seem to be working.
Can anyone help me with this?

I'm trying to ensure this lib will work with a ruby/python implemented totp library: pyotp. If I use their example secret value base32secret3232 in your library - the totp won't validate. but if I uppercase the secret in both libraries, it validates.

Due to the usage of integers in the code comparison of a hash starting with a zero is handled incorrectly.

This causes the 0 at the start of the verification code to be truncated and therefore not used in the comparison.

To summarize we have the following situation
Expected verification code = 012345
Entered verification code = 12345
Result = valid verification code
Expected result = verification code is invalid

The RFC returns strings when generating the totp code.

Hey,

This a feature request for exporting the methods to create TOTP passwords.

Thanks,
Baruch

Google image charts seems to be deprecated since 2012 and getting permanently shut down on March 14th, 2019

GoogleAuthenticatorQRGenerator.TOTP_URI_FORMAT seems to use this (https://chart.googleapis.com) to generate QR code and will fail to work after March 14th.

Is this issue known and is up to the developers using this library to find an alternative to generate QR code after getting otpauth or are there any plans to update this library with another QR code generator?

The google authenticator app and this code are generating different code not the same one. it always says false . :(

GoogleAuthenticator gAuth = new GoogleAuthenticator();
final GoogleAuthenticatorKey key = gAuth.createCredentials();
System.out.println(key.getKey());

System.out.println("Enter your code: ");
Scanner scanner = new Scanner(System.in);
String code = scanner.nextLine();
int CodInt = Integer.parseInt(code);
System.out.println("Your code is " + code);
boolean isCodeValid = gAuth.authorize(key.getKey(), CodInt);

When using the builder for GoogleAuthenticatorKey, the scratch codes are passed into the ArrayList constructor:
this.scratchCodes = new ArrayList<>(scratchCodes);

However, if the scratch codes were not set in the builder, the ArrayList constructor throws NullPointerException on this line. If the scratch codes are required, I would suggest that the builder initialize the value to an empty list.

I want to restrict the valid time of OTP to 5 min and I am using setTimeStepSizeInMillis method to set the valid time for the generated OTP. But the generated OTP is getting invalidated before 5 min.

Please help me with this...Thanks

It would make use of your useful library even easier for many people if you were able to release it to mvn central. I've done this for some open source projects of my own and it is pretty simple. Some instructions can be found here: http://central.sonatype.org/pages/ossrh-guide.html

This will require that the interface ICredentialRepository to include a method:
String getScratchCodes(String userName)

It is natural to have save and get in the same class/interface.

Alternatively, we can add a method GoogleAuthenticator.authoriseWithScratchCodes() and keep authorise() unchanged.

Hi @wstrange

Sorry for posting an issue I could not find any other place to post my question but I was wondering if GoogleAuthenticator methods are thread safe particularly getTotpPassword() and authorize()

BTW google drive folders where pre-built docs should be are all blank

thanks
Alex

Hi
Tried to implement this code to my project, but all the times the verification code was invalid. I used a
GoogleAuthenticatorConfigBuilder instance with the different settings (digits, windows, key representations), but always failure.

I use your code with Google Authenticator. I don't know. May be there are a special settings for it ?
Can you help me ?

By default I use code bellow.

1. Here is creation user's creditians

      val builder = new GoogleAuthenticatorConfigBuilder()
      val gAuth = new GoogleAuthenticator(builder.build())
      gAuth.setCredentialRepository(new CreditRepository)

      val creditiands = gAuth.createCredentials("sa")
      val otpAuthURL = GoogleAuthenticatorQRGenerator.getOtpAuthURL("SomeSite", "sa", creditiands)

As CreditRepository I just used a something like a Mock object:

class CreditRepository extends ICredentialRepository{ 
  override def getSecretKey(userName: String): String = {
    return "KR52HV2U5Z4DWGLJ"
  }
  override def saveUserCredentials(
                            userName: String, 
                            secretKey: String, 
                            validationCode: Int, 
                            scratchCodes: util.List[Integer]): Unit = { }
}

2. Here is a checking:

      var builder = new GoogleAuthenticatorConfigBuilder()
      var gAuth = new GoogleAuthenticator(builder.build())
      gAuth.setCredentialRepository(new CreditRepository)

      val isCodeValid =  gAuth.authorizeUser("sa", <verificationCode>)

Hi @wstrange
It could be a bit far fetched but I am trying to reduce dependencies. since JDK8 has built in Base64 and many server environments also have some Base64 utilities does it make sense to make this dependency optional and allow configuring Authenticator with an implementation of your internal Base64 interface.
This way with httputils made optional your library will be a little sweet no dependencies library. otherwise bringing it int server environment may cause jar conflicts

I have dropped the created jar in the installation in opt/alfresco_installation/tomcat/lib folder but nothing happens.No extra field for capturing the passcode appears on the alfresco share page except the username and password.
I have also tried by just dropping the dependencies in my repo and share maven projects.But still nothing happens.

and I am little confused that this GoogleAuth is just the code for the backened validation that creates and verifies OTPs or is it the complete code that has to be integrated with our maven code?what about the UI part.how to render the extra input field in alfresco share page.
Basically.I am confused with its complete implementation in alfresco.

Any help would be greatly appreciated.

Caused by: com.warrenstrange.googleauth.GoogleAuthenticatorException: Could not initialise SecureRandom with the specified provider: SUN

Hi Warren,

How's all going?

I wanted to ask you about adding me as a contributor of GoogleAuth, so it's easier for both of us to keep this library going.

Cheers,
-- Enrico

I run this lib in Mac is ok ,but when I run in Linux ,something wrong is happen

When I run this code:

GoogleAuthenticator gAuth=new GoogleAuthenticator()

I'am in long time waiting,and no response

Is there something lib I need to install to Linux first?

Or something else?

The key object (GoogleAuthenticatorKey) has a secret (the purpose of which is clear), scratch codes (the purpose is clear) and a verificationCode at UNIX Epoch. The purpose of the last one is not documented, and it's not used or passed anywhere (except to the repository).

Is there any purpose of that one and do we have to store it. If yes - please add to the documentation. If not - maybe get rid of it?

Many thanks for the great effort.
I tried your code and it works fine.

Can you please clarify this ?
In my mobile 'Google Authenticator' apps I registered the the generated QR code.
And when I tried to test the authTest() method by invoking it continuously it returned true even after that code expired and I see a new code on my mobile. I tried continuously until 5 different codes were generated. It works fine with the initial code.

I am confused. I thought it should work only till that code is valid and displayed in my mobile. ?

Thanks
Jay

If we need more than 5 scratch codes then is there any way to customize scratch codes size in wstrange google auth library. We went through the code but this field is private static final int SCRATCH_CODES = 5; and we did not find any way to configure it.

Currently, the library has the pieces to support the generation of validation codes but they are package private and not tied together. I have identified the changes that would be required and think this would be valuable to add.

Hi @wstrange

Is it possible to support java 6?
This library currently is compiled with java 7 (see pom.xml 1.7)
I looked in the source code and saw a few java 7 code constructs (about 8 or 9):

• a few empty <> for example new ArrayList<>() this should be easily converted to new ArrayList<Integer>()
• underscore in number, removing underscore makes it compatible with java 6.

Dependency httpclient supports java6 if i'm correct.

Hope you consider it.

Hi All,
I Have taken your code as Reference and Created the sample JAVA Web Application and using the same in my Project and the Code is working like charm in my system (India). But the same code is not working in the Singapore. I am trying a lot but not getting the reason . Can anybody please help on this.
Reference from : https://github.com/wstrange/GoogleAuth

1. Is there any dependency with the Country name .
   Thanks in Advance..

Wrong issue

Can we remove the hidden dependency on com.google.common.base.Preconditions?

Also, I can't find the dependency on JAX-RS. Why is that there?

Is it safe to generate keys or verify passwords in a multi-threaded environment using singleton instance for the GoogleAuthenticator class

Hi Warren

I´ve tried your lib with differents mobiles and I got always an invalid code with a
"Samsung GT-I8160" (samsung galaxy mini 2) device. All devices had the same google authenticator, version 2.49.
I used the QR and the manual configuration with google auth in my tests without success. Any ideas about my problem?

Thanks in advance.
Al

@repository
public class DatabaseCredentialsRepository implements ICredentialRepository {

@Autowired
DataSource dataSource;

init ICredentialRepository by ServiceLoader,as above,the injected dataSource is null.
How to solve this ? thanks.