Discussion:
[Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode
Prashant Bapat
2015-06-12 18:02:58 UTC
Permalink
Hi,

Has anyone seen this ? When a user tries to scan the QR code he gets a
message saying "invalid barcode". This happens only with iPhone + Google
Authenticator.

Thanks for your help.

--Prashant
Jakub Hrozek
2015-06-12 19:25:03 UTC
Permalink
Post by Prashant Bapat
Hi,
Has anyone seen this ? When a user tries to scan the QR code he gets a
message saying "invalid barcode". This happens only with iPhone + Google
Authenticator.
Google Authenticator or FreeOTP? This list might be a good place to ask
about the latter, but not the former..
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Simo Sorce
2015-06-13 17:40:38 UTC
Permalink
Post by Jakub Hrozek
Post by Prashant Bapat
Hi,
Has anyone seen this ? When a user tries to scan the QR code he gets a
message saying "invalid barcode". This happens only with iPhone + Google
Authenticator.
Google Authenticator or FreeOTP? This list might be a good place to ask
about the latter, but not the former..
Well FreeIPA generates the barcode so we need to check if there is a
compatibility issue with google-authenticator too.

I think we have a report about the "case" used to generate some
algorithm names, that get embedded in the QR code:
https://fedorahosted.org/freeipa/ticket/5047

It may be the same issue here.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Prashant Bapat
2015-06-17 07:05:35 UTC
Permalink
Simo is right! This issue is same as
https://fedorahosted.org/freeipa/ticket/5047

If I change the algorithm in the otp url to uppercase it scans in Google
authenticator/iPhone.

Further more I manually edited
the /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py and
uppercases the 'sha' to 'SHA' in a test VM and it works as expected. I hate
to do this in the production server though.
Post by Prashant Bapat
Hi,
Has anyone seen this ? When a user tries to scan the QR code he gets a
message saying "invalid barcode". This happens only with iPhone + Google
Authenticator.
Thanks for your help.
--Prashant
Nathaniel McCallum
2015-06-17 14:30:03 UTC
Permalink
Prashant,

I have proposed a patch for the issue:
https://www.redhat.com/archives/freeipa-devel/2015-June/msg00505.html

Please test it and let me know if it works for you.

Nathaniel
Post by Prashant Bapat
Simo is right! This issue is same as
https://fedorahosted.org/freeipa/ticket/5047
If I change the algorithm in the otp url to uppercase it scans in
Google authenticator/iPhone.
Further more I manually edited the /usr/lib/python2.7/site
-packages/ipalib/plugins/otptoken.py and uppercases the 'sha' to
'SHA' in a test VM and it works as expected. I hate to do this in the
production server though.
Post by Prashant Bapat
Hi,
Has anyone seen this ? When a user tries to scan the QR code he
gets a message saying "invalid barcode". This happens only with
iPhone + Google Authenticator.
Thanks for your help.
--Prashant
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Nathaniel McCallum
2015-06-17 17:16:37 UTC
Permalink
The change that you made might break other things.
Hi Nathaniel,
I think your patch should work. Please give me a day to test and
confirm.
StrEnum('ipatokenotpalgorithm?',
cli_name='algo',
label=_('Algorithm'),
doc=_('Token hash algorithm'),
default=u'sha1',
autofill=True,
flags=('no_update'),
values=(u'sha1', u'sha256', u'sha384', u'sha512'),
)
to
StrEnum('ipatokenotpalgorithm?',
cli_name='algo',
label=_('Algorithm'),
doc=_('Token hash algorithm'),
default=u'SHA1',
autofill=True,
flags=('no_update'),
values=(u'SHA1', u'SHA256', u'SHA384', u'SHA512'),
)
And the Google Authenticator installed on a iPhone was able to scan
the QR code and work as expected.
Thanks for looking into this.
Regards.
--Prashant
Post by Nathaniel McCallum
Prashant,
https://www.redhat.com/archives/freeipa-devel/2015
-June/msg00505.html
Please test it and let me know if it works for you.
Nathaniel
Post by Prashant Bapat
Simo is right! This issue is same as
https://fedorahosted.org/freeipa/ticket/5047
If I change the algorithm in the otp url to uppercase it scans in
Google authenticator/iPhone.
Further more I manually edited the /usr/lib/python2.7/site
-packages/ipalib/plugins/otptoken.py and uppercases the 'sha' to
'SHA' in a test VM and it works as expected. I hate to do this in
the
Post by Prashant Bapat
production server though.
Post by Prashant Bapat
Hi,
Has anyone seen this ? When a user tries to scan the QR code he
gets a message saying "invalid barcode". This happens only with
iPhone + Google Authenticator.
Thanks for your help.
--Prashant
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Loading...