samdjstevens / java-totp

A Java library for implementing Time-based One Time Passwords for Multi-Factor Authentication.
MIT License

problem validating code with non-default values #29

Closed andshey closed 4 years ago

andshey commented 4 years ago

CodeVerifier works all fine for me with the default values for HashingAlgorithm = SHA1, and time period validity = 30. With anything different, however, CodeVerifier is failing to verify codes for me.

For my testing I use both your CodeGenerator.generate() and user-side MFA mobile apps (e.g., RedHat FreeOTP 1.5, Duo Mobile 3.30).

As long as your CodeGenerator will still validate its codes with SHA256 or SHA512 with time period 30, when it comes to a period validity any other than 30 it seems to always fail. When I use the above mentioned mobile apps they seem to work ONLY with the default SHA1 and time period validity of 30. Anything different fails for me.

I do use the same Hashing and Period validity values when creating QRCode and then CodeGenerator/CodeVerifier for verification.

Stexxen commented 4 years ago

Have you seen this https://github.com/samdjstevens/java-totp/issues/27

Also can you provide a test case and show the results from oathtool to show the different values

andshey commented 4 years ago

I'll have a look at #27 regarding the apps, thanks. In the meantime I need to apologise and make a correction: the CodeGenerator does successfully validate its codes with different validity periods - my mistake in testing.

andshey commented 4 years ago

I confirm version 1.6.1 fixes the issue and now the codes generated by my Android mobile apps andOTP and FreeOTP for SHA256 and SHA512 are successfully validated. Duo Mobile app fails but then it just looks like it doesn't support anything but SHA1. Many thanks! I am closing the ticket.

samdjstevens commented 4 years ago

Thanks @andshey, I think I'm going to raise an issue/PR to add some docs around the bad support for the different hashing algorithms in some apps as soon as I get the time.
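
A diagnostic sketch for the mismatch discussed in this thread, added here as an example and not code from java-totp or its author: it implements RFC 6238 with the JDK only and reports which hashing algorithm and time period reproduce a code shown by an authenticator app. The class and method names, the candidate period list, and the sample secret and timestamp are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class TotpParamProbe {
    // RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(unixTime / period).
    static String totp(byte[] secret, String hmacAlg, long unixTime, int period, int digits)
            throws Exception {
        byte[] counter = ByteBuffer.allocate(8).putLong(unixTime / period).array();
        Mac mac = Mac.getInstance(hmacAlg);
        mac.init(new SecretKeySpec(secret, hmacAlg));
        byte[] h = mac.doFinal(counter);
        int off = h[h.length - 1] & 0x0f; // dynamic truncation offset
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        return String.format("%0" + digits + "d", bin % (int) Math.pow(10, digits));
    }

    // Returns every (algorithm, period) pair that reproduces the code observed at unixTime.
    static List<String> probe(byte[] secret, String observed, long unixTime) throws Exception {
        List<String> hits = new ArrayList<>();
        for (String alg : new String[] {"HmacSHA1", "HmacSHA256", "HmacSHA512"})
            for (int period : new int[] {30, 60}) // hypothetical candidate periods
                if (totp(secret, alg, unixTime, period, observed.length()).equals(observed))
                    hits.add(alg + "/" + period + "s");
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the RFC 6238 ASCII test seed, not a real secret.
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        long t = 59L; // constructed timestamp
        // The server is provisioned for SHA256 with a 30 s period...
        String serverCode = totp(secret, "HmacSHA256", t, 30, 6);
        // ...but the app ignores the algorithm parameter and computes SHA1.
        String appCode = totp(secret, "HmacSHA1", t, 30, 6);
        System.out.println("server expects " + serverCode + ", app shows " + appCode);
        System.out.println("app code matches: " + probe(secret, appCode, t));
    }
}
```

Feeding it the raw (Base32-decoded) secret, a code read from the app, and the time it was read shows whether the app honoured the provisioned algorithm and period or fell back to SHA1 and 30 seconds.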