TiQR Token reflections and possible improvements

Hi all,

I have been digging into and playing a little with this type of auth token lately.

At the moment, I do not know whether I can properly consider this a bug or just an issue that depends on the configuration you are going to create.

I have had all the configuration in place for a long time, along with some TiQR tokens that I sometimes use for tests.

Lately I have been observing strange behaviour during authentication with the same mobile app (tiqr on the App Store) in conjunction with the PI WebUI (“login_mode”: “privacyIDEA”) and/or with a simple bash script for testing the token and the authentication process.

With the bash script the authentication always worked, but not with the PI web site.

In the end I discovered, by analyzing the content of the QR code, a difference between the QR code from PI and the one from the bash script.

To study and understand this I used this documentation: 15.2.1.2.18. TiQR Token — privacyIDEA 3.6.2 documentation
and also the PDF linked on that page.

The PDF mentions that for the authentication process a QR code is displayed with this schema:

tiqrauth://[<identityIdentifier>@]
<serviceIdentifier>/
<sessionKey>/
<challenge>[?<return Url>]

The return URL is an optional field and not the subject of this discussion.

Analyzing the code here: privacyidea/tiqrtoken.py at master · privacyidea/privacyidea · GitHub

I found out that the “service_displayname” is also present at the end of the QR code. As the PI WebUI does not prevent the use of white spaces (TiQR Service Displayname under Config → Tokens → TiQR), when white spaces are present the QR code is generated with them, resulting in an authentication error. I just checked by using a dash instead of the space. In this case the auth works perfectly.

The script was always working because it has a sort of auto fix inside without knowing :rofl: so the white spaces were truncating the content.

I also analyzed the content of the QR code using the https://demo.tiqr.org demo website. I discovered that they use “service_identifier” at the end of the schema.

So, making a small change in the PI code mentioned before and using “service_identifier” instead of “service_displayname” in this line (privacyidea/tiqrtoken.py at master · privacyidea/privacyidea · GitHub), everything starts to work like a charm and the mobile app is also super happy during the authentication process.

Personally I know only this app (which is also free to use), but it could be that other apps would also benefit from this and/or would not have problems in this regard.

I’m sorry for the long post, but I was trying to explain the concept and the background of these reflections as fully as possible.
So why not consider making this small change/fix in the code?

Best Regards,
Luca

Do you have a GitHub account, and would you mind opening an issue for that here?

It could also simply be that we fail to urlencode the tiqrauth.

Hi, for sure.

Here is the link for the issue: TiQR Token Authentication with mobile App
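
The whitespace problem from the first post and the urlencode suggestion from the reply can be reproduced with the sketch below. It is an added example, not part of the thread and not privacyIDEA's code. The function names, the sample values, the position of the trailing segment and the strict parser (standing in for a client that rejects whitespace) are all assumptions.

```python
import re
from urllib.parse import quote, unquote

# Schema quoted in the post, plus the trailing segment the post found in the QR code:
# tiqrauth://[<identityIdentifier>@]<serviceIdentifier>/<sessionKey>/<challenge>[/<extra>]
# Assumption: a strict consumer accepts no whitespace in any component.
TIQR_RE = re.compile(
    r"^tiqrauth://(?:(?P<identity>[^@/\s]+)@)?(?P<service>[^/\s]+)"
    r"/(?P<session>[^/\s]+)/(?P<challenge>[^/?\s]+)(?:/(?P<extra>[^/?\s]+))?$"
)

def build_tiqrauth(identity, service, session, challenge, extra=None, encode=True):
    """Assemble the URL; with encode=True every component is percent-encoded."""
    enc = (lambda s: quote(s, safe="")) if encode else (lambda s: s)
    parts = (identity, service, session, challenge)
    url = "tiqrauth://{}@{}/{}/{}".format(*(enc(p) for p in parts))
    if extra is not None:
        url += "/" + enc(extra)
    return url

def parse_tiqrauth(url):
    """Return the decoded components, or None if the URL does not fit the schema."""
    m = TIQR_RE.match(url)
    if m is None:
        return None
    return {k: unquote(v) for k, v in m.groupdict().items() if v is not None}

def first_token(text):
    """Mimic a consumer that splits on whitespace, like unquoted shell word splitting."""
    return text.split()[0]

# Constructed sample values, not taken from a real enrollment.
SAMPLE = dict(identity="luca_realm1", service="pi.example.org",
              session="0123456789", challenge="a1b2c3d4e5")

if __name__ == "__main__":
    raw = build_tiqrauth(extra="My Company", encode=False, **SAMPLE)
    enc = build_tiqrauth(extra="My Company", encode=True, **SAMPLE)
    print("raw      :", raw, "->", parse_tiqrauth(raw))
    print("truncated:", first_token(raw), "->", parse_tiqrauth(first_token(raw)))
    print("encoded  :", enc, "->", parse_tiqrauth(enc))
```

The unencoded URL fails the strict parse, the whitespace-split copy parses but silently loses part of the display name, and the percent-encoded URL round-trips intact.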