KEYCLOAK-3021: Add Realm Display Name to the label part of the otpauth URI.

Due to the removal of the realm-displayname as a result of changes made for KEYCLOAK-2410 the otpauth URI no longer included the realm display name as a hint for the user to which system an authenticator belongs to. We now ensure that the realm display name is again part of the label component of the otpauth URI. This enables a user to better distinguish between user accounts for different systems.
2016-05-20 13:59:19 +02:00 · 2016-05-20 13:59:19 +02:00 · 4bc64350b2
commit 4bc64350b2
parent af7fd0ef61
1 changed files with 26 additions and 9 deletions
--- a/server-spi/src/main/java/org/keycloak/models/OTPPolicy.java
+++ b/server-spi/src/main/java/org/keycloak/models/OTPPolicy.java
@ -112,24 +112,41 @@ public class OTPPolicy implements Serializable {
        this.period = period;
    }

+    /**
+     * Constructs the <code>otpauth://</code> URI based on the <a href="https://github.com/google/google-authenticator/wiki/Key-Uri-Format">Key-Uri-Format</a>.
+     * @param realm
+     * @param user
+     * @param secret
+     * @return the <code>otpauth://</code> URI
+     */
    public String getKeyURI(RealmModel realm, UserModel user, String secret) {
+
        try {
+
            String displayName = realm.getDisplayName() != null && !realm.getDisplayName().isEmpty() ? realm.getDisplayName() : realm.getName();
-            String uri;

-            uri = "otpauth://" + type + "/" + URLEncoder.encode(user.getUsername(), "UTF-8") + "?secret=" +
-                    Base32.encode(secret.getBytes()) + "&digits=" + digits + "&algorithm=" + algToKeyUriAlg.get(algorithm);
+            String accountName = URLEncoder.encode(user.getUsername(), "UTF-8");
+            String issuerName = URLEncoder.encode(displayName, "UTF-8") .replaceAll("\\+", "%20");

-            uri += "&issuer=" + URLEncoder.encode(displayName, "UTF-8");
+            /*
+             * The issuerName component in the label is usually shown in a authenticator app, such as
+             * Google Authenticator or FreeOTP, as a hint for the user to which system an username
+             * belongs to.
+             */
+            String label = issuerName + ":" + accountName;
+
+            String parameters = "secret=" + Base32.encode(secret.getBytes()) //
+                                + "&digits=" + digits //
+                                + "&algorithm=" + algToKeyUriAlg.get(algorithm) //
+                                + "&issuer=" + issuerName;

            if (type.equals(UserCredentialModel.HOTP)) {
-                uri += "&counter=" + initialCounter;
-            }
-            if (type.equals(UserCredentialModel.TOTP)) {
-                uri += "&period=" + period;
+                parameters += "&counter=" + initialCounter;
+            } else if (type.equals(UserCredentialModel.TOTP)) {
+                parameters += "&period=" + period;
            }

-            return uri;
+            return "otpauth://" + type + "/" + label+ "?" + parameters;
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }