Your HOTPGenerator#getURI method is mighty wrong.
- Special characters in the components (label, issuer) must be URI-encoded, i.e. replace
" " by "%20" (and not by "+") and so on.
Possible solution: Apply the following encoding to the label parts (issuer and account) and to the issuer parameter. Note that it is valid to encode the `:` in the label as well, but this is not required.

```java
URLEncoder.encode(s, StandardCharsets.UTF_8)
    .replace("+", "%20")
    .replace("%21", "!")
    .replace("%27", "'")
    .replace("%28", "(")
    .replace("%29", ")")
    .replace("%7E", "~")
```
- The secret must be Base32-encoded, e.g. `new Base32().encodeToString(secret)` using the Apache Commons Codec Base32 implementation.