I was digging and playing a little bit with this type of Auth Token in the latest period.
In this moment, I do not know if I can consider properly a bug or just an issue based on the configuration your are going to create.
I have all the config part in place from a long time and also some TiQR token, that sometime I’m using for doing some tests.
In the latest period I was observing strange behaviours during authentication with the same mobile App (tiqr on the App Store) in conjunction with the PI WebUI (“login_mode”: “privacyIDEA”) and/or with a simple bash script for testing the token and the authentication process.
With the bash script the authentication was always working but not with the PI web site.
At the end I discovered, analyzing the content of the QR code, a difference between the QR code from PI and from the bash script.
For studying and understanding I was using this docu : 22.214.171.124.18. TiQR Token — privacyIDEA 3.6.2 documentation
and also the PDF linked in that page.
In the PDF is mentioned for the authentication process a QR code is displayed with this schema :
tiqrauth://[<identityIdentifier>@] <serviceIdentifier>/ <sessionKey>/ <challenge>[?<return Url>]
The return URL is an optional field and not object of the discussion.
Analyzing the code here : privacyidea/tiqrtoken.py at master · privacyidea/privacyidea · GitHub
I find out that at the end inside the QR code is also present the “service_displayname”. As in the WebUI in PI is not prevented the usage of white spaces (TiQR Service Displayname under Config → Tokens → TiQR), in case of the presence of white spaces the QR Code is generated with those present and as per result an error in authentication. Just checked adding a dash instead of the space. In this case the auth is working prefectly.
The script was always working because it has inside a sort of auto fix without knowing so the white spaces were truncating the content.
I also analyzed using the https://demo.tiqr.org demo website the content of the QR code. I discovered that they are using at the end of the schema “service_identifier”.
So making a small change in the PI code mentioned before and using “service_identifier” in this line privacyidea/tiqrtoken.py at master · privacyidea/privacyidea · GitHub instead of “service_displayname” everything is starting to work like a charm and also the Mobile App is super happy during the authentication process.
Personally I know only this App (also free for usage), but could be that also other kind of App will benefit from that and/or will not have problems in regards.
I’m sorry for the long post, but I was trying to explain as much as possible the concept and the background of the reflections.
So why not considering to make this small change/fix in the code?