Token generator on my app.

Posted by OctavioOlguin on 21-Dec-2015 11:07

I wonder if somebody had used the electronic (now digital) token generator, like the one the banks use.

I was asked to implement that in order to minimize the ability of impersonating the users in the system, beside the password.

How is it being addressed at this time on different companies?

What we're looking is to be able to bind the user to the login recorded on the system.

All Replies

Posted by Tim Kuehn on 21-Dec-2015 11:20

If you create a client-principal object, that'll give you a sealed token you can use for an authorized user.

The CP object also has a SESSION-ID attribute you can then pass to the client and the client can pass back in on each API call. The SESSION-ID can then be used to get the CP object, verify that it hasn't expired, and then used to assert the user's ID for the duration of the call.

Posted by Matt Baker on 21-Dec-2015 14:53

Do you have a specific token system you are required to use?

There are open two-factor systems such as TOTP that aren't very complex to implement.

For phone based implementation, the one from Google, Google Authenticator, is one possibility. There are similar for Apple devices.

There are a few Java implementations to generate the server side tokens that work with the mobile client app, I'm sure it wouldn't be terribly difficult to clone it in ABL.

Someone on another forum link already has it working by calling out to an .exe

Should be pretty easy to rebuild this in ABL, as it's mostly just an HMAC against a shared key + unix epoch time and a bit of munging to reduce the amount of data.
Explained here:

Sharing the secret value is normally done through a QR code so you'd need some way to display a QR code so the mobile client can read it.

Lots of discussion on stackoverflow:
 

Posted by OctavioOlguin on 22-Dec-2015 14:59

Thanks for such detailed info... I'll check your deep info.

Posted by christian.bryan@capita.co.uk on 19-Mar-2019 09:54

Did anyone create a native ABL library for this?

This thread is closed