markenwerk/oath-server-suite

A collection of classes to provide second factor authentication like Yubico OTP (Yubikey), Oath (TOTP, HOTP, GoogleAuthenticator) server-side.

Monday, February 6, 2017
by bonscho
Repository
1 Watchers
2 Stars
131 Installations

PHP
0 Dependents
0 Suggesters
0 Forks
0 Open issues
23 Versions
14 % Grown

The README.md

PHP Oath Server Suite

, _(*1)

A collection of classes to provide second factor authentication like Yubico OTP (Yubikey), Oath (TOTP, HOTP, GoogleAuthenticator) server-side., _(*2)

For more information about Oath check out https://openauthentication.org/., _(*3)

More information about TOTP (Time-based One-time Password Algorithm) can be found at Wikipedia., _(*4)

More information about HOTP (HMAC-based One-time Password Algorithm) can be found at Wikipedia., _(*5)

For more information about the Yubico OTP authentication mechanism read the „What is YubiKey OTP?“ article at https://developers.yubico.com/OTP/., _(*6)

Installation

```{json} { "require": { "chroma-x/oath-server-suite": "~4.0" } }, _(*7)


## Usage

### Autoloading and namesapce

```{php}  
require_once('path/to/vendor/autoload.php');

Yubico OTP (YubiCloud)

To use Yubico OTP you need YubiCloud access. You can get free API credentials from https://upgrade.yubico.com/getapikey/., _(*8)

Validating a Yubico one time password

```{php} use ChromaX\CommonException\NetworkException\Base\NetworkException;, _(*9)

$otp = $_POST['otp']; $userPublicId = 'fetchedFromDatabaseOrSimilar';, _(*10)

$validator = new OathServerSuite\Validation\YubicoOtp\Validator('yubiCloudClientId', 'yubiCloudSecretKey'); try { $validator->validate($otp, $userPublicId); if ($validator->isValid()) { // Validation was successful } else { // Validation failed } } catch (NetworkException $exception) { // Accessing the YubiCloud webservice failed. }, _(*11)


---

### Oath – Google Authenticator style

#### Sharing the key name and secret

To allow authentication the client and server has to share a secret. Usually the server dices a secret and displays it alltogether with the key name and the authentication mechanism as a QR code.

[Google Authenticator](https://en.wikipedia.org/wiki/Google_Authenticator) and some other applications and hardware items – like the [Yubikey](https://www.yubico.com/products/yubikey-hardware/) – do not follow the standard by expecting the secrets not as hexadecimal but as [Base32](https://en.wikipedia.org/wiki/Base32) encoded data.

##### TOTP (Time-based One-time Password Algorithm)

```{php}
use ChromaX\OathServerSuite\SecretSharing\SharedSecretQrCodeProvider\SharedSecretQrCodeProvider;
use ChromaX\OathServerSuite\SecretSharing\SharedSecretUrlEncoder\TotpBase32SharedSecretUrlEncoder;
use ChromaX\QrCodeSuite\QrEncode\QrEncoder;

// Initialize Oath URL encoder for TOTP (Time-based One-time Password Algorithm)
$contentEncoder = new TotpBase32SharedSecretUrlEncoder();

// Setting the key name
$keyName = 'My Username';

// Setting the issuer name
$issuerName = 'Awesome Application';

// Setting a secret
// Attention: This is just an example value
// Use a random value of a proper length stored with your user credentials
$sharedSecret = openssl_random_pseudo_bytes(30);

// Getting the shared secret URL for usage wihtout QR code provision
$sharedSecretUrl = $contentEncoder->encode($keyName, $sharedSecret);

// Start QR code provision
// Initialize the QR code provider with Oath URL encoder for TOTP
$sharedSecretQrProvider = new SharedSecretQrCodeProvider(new TotpBase32SharedSecretUrlEncoder(), $keyName, $sharedSecret, $issuerName);

// Configure the QR code renderer for your needs
$sharedSecretQrProvider->getQrEncoder()
    ->setLevel(QrEncoder::QR_CODE_LEVEL_LOW)
    ->setTempDir('/path/to/a/writable/temp-dir');

// Persist the QR code PNG to the filesystem
$sharedSecretQrProvider->provideQrCode('/path/to/the/qrcode.png');

HOTP (HMAC-based One-time Password Algorithm)

```{php} use ChromaX\OathServerSuite\SecretSharing\SharedSecretQrCodeProvider\SharedSecretQrCodeProvider; use ChromaX\OathServerSuite\SecretSharing\SharedSecretUrlEncoder\HotpBase32SharedSecretUrlEncoder; use ChromaX\QrCodeSuite\QrEncode\QrEncoder;, _(*12)

// Initialize Oath URL encoder for HOTP (HMAC-based One-time Password Algorithm) $contentEncoder = new HotpBase32SharedSecretUrlEncoder();, _(*13)

// Setting the key name $keyName = 'My Username';, _(*14)

// Setting the issuer name $issuerName = 'Awesome Application';, _(*15)

// Setting a secret // Attention: This is just an example value // Use a random value of a proper length stored with your user credentials $sharedSecret = openssl_random_pseudo_bytes(30);, _(*16)

// Getting the shared secret URL for usage wihtout QR code provision $sharedSecretUrl = $contentEncoder->encode($keyName, $sharedSecret);, _(*17)

// Start QR code provision // Initialize the QR code provider with Oath URL encoder for HOTP $sharedSecretQrProvider = new SharedSecretQrCodeProvider(new HotpBase32SharedSecretUrlEncoder(), $keyName, $sharedSecret, $issuerName);, _(*18)

// Configure the QR code renderer for your needs $sharedSecretQrProvider->getQrEncoder() ->setLevel(QrEncoder::QR_CODE_LEVEL_LOW) ->setTempDir('/path/to/a/writable/temp-dir');, _(*19)

// Persist the QR code PNG to the filesystem $sharedSecretQrProvider->provideQrCode('/path/to/the/qrcode.png');, _(*20)


#### Validating a Oath one time password

##### TOTP (Time-based One-time Password Algorithm)

```{php}
$totp = $_POST['totp'];
$sharedSecret = 'fetchedFromDatabaseOrSimilar';

$validator = new OathServerSuite\Validation\Oath\TotpValidator();
$validator->validate($totp, $sharedSecret);
if ($validator->isValid()) {
    // Validation was successful
} else {
    // Validation failed
}

HOTP (HMAC-based One-time Password Algorithm)

```{php} $hotp = $_POST['hotp']; $sharedSecret = 'fetchedFromDatabaseOrSimilar'; $counter = (int)'fetchedFromDatabaseOrSimilar';, _(*21)

$validator = new OathServerSuite\Validation\Oath\HotpValidator(); $validator->validate($hotp, $sharedSecret, $counter); if ($validator->isValid()) { // Validation was successful } else { // Validation failed }, _(*22)


---

### Oath – following the standard

#### Sharing the key name and secret

##### TOTP (Time-based One-time Password Algorithm)

```{php}
use ChromaX\OathServerSuite\SecretSharing\SharedSecretQrCodeProvider\SharedSecretQrCodeProvider;
use ChromaX\OathServerSuite\SecretSharing\SharedSecretUrlEncoder\TotpSharedSecretUrlEncoder;
use ChromaX\QrCodeSuite\QrEncode\QrEncoder;

// Initialize Oath URL encoder for TOTP (Time-based One-time Password Algorithm)
$contentEncoder = new TotpSharedSecretUrlEncoder();

// Setting the key name
$keyName = 'My Username';

// Setting the issuer name
$issuerName = 'Awesome Application';

// Setting a secret
// Attention: This is just an example value
// Use a random value of a proper length stored with your user credentials
$sharedSecret = openssl_random_pseudo_bytes(30);

// Getting the shared secret URL for usage wihtout QR code provision
$sharedSecretUrl = $contentEncoder->encode($keyName, $sharedSecret);

// Start QR code provision
// Initialize the QR code provider with Oath URL encoder for TOTP
$sharedSecretQrProvider = new SharedSecretQrCodeProvider(new TotpSharedSecretUrlEncoder(), $keyName, $sharedSecret, $issuerName);

// Configure the QR code renderer for your needs
$sharedSecretQrProvider->getQrEncoder()
    ->setLevel(QrEncoder::QR_CODE_LEVEL_LOW)
    ->setTempDir('/path/to/a/writable/temp-dir');

// Persist the QR code PNG to the filesystem
$sharedSecretQrProvider->provideQrCode('/path/to/the/qrcode.png');

HOTP (HMAC-based One-time Password Algorithm)

```{php} use ChromaX\OathServerSuite\SecretSharing\SharedSecretQrCodeProvider\SharedSecretQrCodeProvider; use ChromaX\OathServerSuite\SecretSharing\SharedSecretUrlEncoder\HotpSharedSecretUrlEncoder; use ChromaX\QrCodeSuite\QrEncode\QrEncoder;, _(*23)

// Initialize Oath URL encoder for HOTP (HMAC-based One-time Password Algorithm) $contentEncoder = new HotpSharedSecretUrlEncoder();, _(*24)

// Setting the key name $keyName = 'My Username';, _(*25)

// Setting the issuer name $issuerName = 'Awesome Application';, _(*26)

// Setting a secret // Attention: This is just an example value // Use a random value of a proper length stored with your user credentials $sharedSecret = openssl_random_pseudo_bytes(30);, _(*27)

// Getting the shared secret URL for usage wihtout QR code provision $sharedSecretUrl = $contentEncoder->encode($keyName, $sharedSecret);, _(*28)

// Start QR code provision // Initialize the QR code provider with Oath URL encoder for HOTP $sharedSecretQrProvider = new SharedSecretQrCodeProvider(new HotpSharedSecretUrlEncoder(), $keyName, $sharedSecret, $issuerName);, _(*29)

// Configure the QR code renderer for your needs $sharedSecretQrProvider->getQrEncoder() ->setLevel(QrEncoder::QR_CODE_LEVEL_LOW) ->setTempDir('/path/to/a/writable/temp-dir');, _(*30)

// Persist the QR code PNG to the filesystem $sharedSecretQrProvider->provideQrCode('/path/to/the/qrcode.png');, _(*31)


#### Validating a Oath one time password

##### TOTP (Time-based One-time Password Algorithm)

```{php}
$totp = $_POST['totp'];
$sharedSecret = 'fetchedFromDatabaseOrSimilar';

$validator = new OathServerSuite\Validation\Oath\TotpValidator();
$validator->validate($totp, $sharedSecret);
if ($validator->isValid()) {
    // Validation was successful
} else {
    // Validation failed
}

HOTP (HMAC-based One-time Password Algorithm)

```{php} $hotp = $_POST['hotp']; $sharedSecret = 'fetchedFromDatabaseOrSimilar'; $counter = (int)'fetchedFromDatabaseOrSimilar';, _(*32)

Exception handling

PHP Oath Server Suite provides different exceptions – some provided by the PHP Common Exceptions project – for proper handling.
You can find more information about PHP Common Exceptions at Github., _(*34)

Contribution

Contributing to our projects is always very appreciated.
But: please follow the contribution guidelines written down in the CONTRIBUTING.md document., _(*35)

License

PHP Oath Server Suite is under the MIT license., _(*36)

The Versions

06/02 2017

dev-master

9999999-dev http://markenwerk.net/

A collection of classes to provide second factor authentication like Yubico OTP (Yubikey), Oath (TOTP, HOTP, GoogleAuthenticator) server-side.

library oath-server-suite

A collection of classes to provide second factor authentication like Yubico OTP (Yubikey), Oath (TOTP, HOTP, GoogleAuthenticator) server-side.

markenwerk/oath-server-suite

The README.md

PHP Oath Server Suite

Installation

Yubico OTP (YubiCloud)

Validating a Yubico one time password

HOTP (HMAC-based One-time Password Algorithm)

HOTP (HMAC-based One-time Password Algorithm)

HOTP (HMAC-based One-time Password Algorithm)

HOTP (HMAC-based One-time Password Algorithm)

Exception handling

Contribution

License

The Versions

dev-master

The Requires

The Development Requires

by Martin Brecht-Precht

4.0.4

The Requires

The Development Requires

by Martin Brecht-Precht

4.0.3

The Requires

The Development Requires

by Martin Brecht-Precht

4.0.2

The Requires

The Development Requires

by Martin Brecht-Precht

4.0.1

The Requires

The Development Requires

by Martin Brecht-Precht

4.0.0

The Requires

The Development Requires

by Martin Brecht-Precht

3.0.13

The Requires

The Development Requires

by Martin Brecht-Precht

3.0.12

The Requires

The Development Requires

by Martin Brecht-Precht

3.0.11

The Requires

The Development Requires

by Martin Brecht-Precht

3.0.10

The Requires

The Development Requires

by Martin Brecht-Precht

3.0.9

The Requires

The Development Requires

by Martin Brecht-Precht

3.0.8

The Requires

The Development Requires

by Martin Brecht-Precht

3.0.7

The Requires

The Development Requires

by Martin Brecht-Precht

3.0.6

The Requires

The Development Requires

by Martin Brecht-Precht

3.0.5

The Requires

The Development Requires

by Martin Brecht-Precht

3.0.4

The Requires

The Development Requires

by Martin Brecht-Precht