Anton Y (Customer) asked a question.
Open Token - how to recognize?

Hi -

Is there a way in the Java API to check if a string is an OpenToken, no matter valid or invalid?

Answer   -   Like Share   -   February 2, 2016 at 11:56 AM
Good question Anton. I'm tagging the @PingFederate Q&A group to get more eyes on it.
Like   -   February 4, 2016 at 9:07 PM
Pavi K 
The decode method in the com.pingidentity.opentoken.Token class can be used to verify if a String is an OpenToken or not.

MultiMap decode(String token, com.pingidentity.opentoken.key.KeyManager keyman, boolean useSunJCE, boolean useVerboseErrorMessages)

This method decodes and extracts the key/value(s) pairs of an expired or valid OpenToken.
Like   -   February 7, 2016 at 10:43 PM
Hi Anton, I believe (but could be wrong, maybe one of the resident Pingians can confirm) that the OpenToken SDK will by default validate the OpenToken token when it parses it, so it'll probably reject anything that doesn't.

The spec of OpenToken is published at http://tools.ietf.org/html/draft-smith-opentoken-01 and section 3.2 deals with decoding. You could follow the instructions as far as you require based on how certain you need to be if it's an OpenToken.

However there are also some examples in the spec and they all start with UFRLAQxx, because all the OTK strings share a common header and version number.

The strange thing is that the first four characters decode to "PTK" whereas the spec says it should be "OTK" so I'm not sure if I'm missing something there...? Maybe the spec examples are wrong? If you base64-encode "OTK" you get T1RL, which in theory is what you should look for...
Like   -   February 7, 2016 at 10:54 PM
Oops, took too long to write my response... Pavi's answer is definitely the reliable way, so it comes down to whether you want to know whether something IS an OpenToken or if it just looks like it could be one... If you get a malformed token or one where the encryption is invalid, though, I guess the approach you take will depend on how you want to handle such scenarios.
Like   -   February 8, 2016 at 12:02 AM
Thanks
Like   -   February 9, 2016 at 1:26 PM
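The "looks like it could be one" check discussed in this thread, as an added example that is not code from any poster or from the Ping SDK: it decodes only the first eight characters and tests for the "OTK" literal and a version byte. The class and method names are hypothetical; the URL-safe base64 alphabet with `*` or `=` padding and version 1 as the only known version are assumptions.

```java
import java.util.Base64;
import java.util.regex.Pattern;

public class OpenTokenSniffer {
    enum Verdict { NOT_OPENTOKEN, UNKNOWN_VERSION, LOOKS_LIKE_OPENTOKEN }

    // Assumption: URL-safe base64 alphabet, with '*' or '=' as trailing padding.
    private static final Pattern SHAPE =
            Pattern.compile("[A-Za-z0-9_-]{8,}[*=]{0,2}");

    // Structural check only: no key, no HMAC verification, no decryption.
    static Verdict sniff(String candidate) {
        if (candidate == null || !SHAPE.matcher(candidate).matches()) {
            return Verdict.NOT_OPENTOKEN;
        }
        // The first 8 base64 characters always decode to exactly 6 bytes,
        // enough to cover the 3-byte literal and the version byte.
        byte[] head = Base64.getUrlDecoder().decode(candidate.substring(0, 8));
        if (head[0] != 'O' || head[1] != 'T' || head[2] != 'K') {
            return Verdict.NOT_OPENTOKEN;
        }
        // Assumption: 1 is the only known version (the "AQ" after the literal).
        return head[3] == 1 ? Verdict.LOOKS_LIKE_OPENTOKEN
                            : Verdict.UNKNOWN_VERSION;
    }

    public static void main(String[] args) {
        // Constructed samples; none of these is a real token.
        byte[] fake = {'O', 'T', 'K', 1, 2, 0, 0, 0, 0, 0, 0, 0};
        String[] samples = {
            Base64.getUrlEncoder().withoutPadding().encodeToString(fake),
            "T1RLAgAAAAAA",                   // "OTK" literal, version byte 2
            "UFRLAQxx",                       // prefix quoted in the thread ("PTK")
            "eyJhbGciOiJIUzI1NiJ9.e30.c2ln",  // JWT-shaped string
            "not a token"
        };
        for (String s : samples) {
            System.out.println(sniff(s) + "  " + s);
        }
    }
}
```

A LOOKS_LIKE_OPENTOKEN verdict only says the string has the expected prefix; it is suitable for routing or logging decisions, not for trusting the contents. Authenticity is established only by decoding with the key, as in the decode method quoted above.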