keycloak-uncached

KEYCLOAK-3021: Add Realm Display Name to the label part of the …

5/20/2016 8:59:19 AM

otpauth URI.

Due to the removal of the realm-displayname as a result of changes made for KEYCLOAK-2410 the otpauth URI no longer included the realm display name as a hint for the user to which system an authenticator belongs to.

We now ensure that the realm display name is again part of the label component of the otpauth URI.
This enables a user to better distinguish between user accounts for different systems.

Thomas Darimont

Commit: 34f1e8b

Tree: 92cda0a

Parents: 5da837a

Changes

server-spi/src/main/java/org/keycloak/models/OTPPolicy.java 35(+26 -9)

Details

server-spi/src/main/java/org/keycloak/models/OTPPolicy.java 35(+26 -9)

diff --git a/server-spi/src/main/java/org/keycloak/models/OTPPolicy.java b/server-spi/src/main/java/org/keycloak/models/OTPPolicy.java
index 2f820f1..0acf02d 100755
--- a/server-spi/src/main/java/org/keycloak/models/OTPPolicy.java
+++ b/server-spi/src/main/java/org/keycloak/models/OTPPolicy.java
@@ -112,24 +112,41 @@ public class OTPPolicy implements Serializable {
         this.period = period;
     }
 
+    /**
+     * Constructs the <code>otpauth://</code> URI based on the <a href="https://github.com/google/google-authenticator/wiki/Key-Uri-Format">Key-Uri-Format</a>.
+     * @param realm
+     * @param user
+     * @param secret
+     * @return the <code>otpauth://</code> URI
+     */
     public String getKeyURI(RealmModel realm, UserModel user, String secret) {
+
         try {
+
             String displayName = realm.getDisplayName() != null && !realm.getDisplayName().isEmpty() ? realm.getDisplayName() : realm.getName();
-            String uri;
 
-            uri = "otpauth://" + type + "/" + URLEncoder.encode(user.getUsername(), "UTF-8") + "?secret=" +
-                    Base32.encode(secret.getBytes()) + "&digits=" + digits + "&algorithm=" + algToKeyUriAlg.get(algorithm);
+            String accountName = URLEncoder.encode(user.getUsername(), "UTF-8");
+            String issuerName = URLEncoder.encode(displayName, "UTF-8") .replaceAll("\\+", "%20");
 
-            uri += "&issuer=" + URLEncoder.encode(displayName, "UTF-8");
+            /*
+             * The issuerName component in the label is usually shown in a authenticator app, such as
+             * Google Authenticator or FreeOTP, as a hint for the user to which system an username
+             * belongs to.
+             */
+            String label = issuerName + ":" + accountName;
+
+            String parameters = "secret=" + Base32.encode(secret.getBytes()) //
+                                + "&digits=" + digits //
+                                + "&algorithm=" + algToKeyUriAlg.get(algorithm) //
+                                + "&issuer=" + issuerName;
 
             if (type.equals(UserCredentialModel.HOTP)) {
-                uri += "&counter=" + initialCounter;
-            }
-            if (type.equals(UserCredentialModel.TOTP)) {
-                uri += "&period=" + period;
+                parameters += "&counter=" + initialCounter;
+            } else if (type.equals(UserCredentialModel.TOTP)) {
+                parameters += "&period=" + period;
             }
 
-            return uri;
+            return "otpauth://" + type + "/" + label+ "?" + parameters;
         } catch (UnsupportedEncodingException e) {
             throw new RuntimeException(e);
         }