Welcome to the SRP Forum! Please refer to the SRP Forum FAQ post if you have any questions regarding how the forum works.
srp_Hash() returning different output than expected
I'm receiving an error
Transformed code verifier does not match code challenge
which basically means when I pass the string and they hash/encode it, it doesn't match the encoded version I sent previously.
I was thinking I was somehow sending the wrong thing, but after testing using Postman, it appears that srp_hash is providing a subtly different output to their version.
I'm calling srp_hash using these parameters
codeChallenge = SRP_Hash(theCode, 'SHA-256', 'BASE64')
For example, this string
czskhjhwhonrgvamtk8224474843883642743586266462367
is returned from srp_hash as fjZ+3wGKt75TgQTB9tYlxn62rZjlnZ/mLmbwBmua/As
Utilising an online code generator, the same string is returned as
fjZ-3wGKt75TgQTB9tYlxn62rZjlnZ_mLmbwBmua_As
In case it's not obvious, "+" is replaced with "-" and "/" is replaced with "_".
The requirements are specified as
The “code challenge” is created by performing a SHA256 hash on the code verifier and then Base64url encoding the hash
The online tool for performing the hash that returns a value that works can be found here pkce-generator/
Is there anything obvious I've overlooked?
Hold that thought!
As I finished typing, I noticed the "Base64URL" and googled the differences.
I can make the appropriate changes now, but I'll leave this here in case someone else can learn from my ignorance.
And I guess it's worth asking, does srp_hash have an undocumented Base64URL option?
Comments
I haven't had my morning coffee. You said SRP_Hash, not SRP_Encode. Correct, we forgot to update the documentation on that page. But anything supported by SRP_Encode is supported in the Encode parameter. I updated that page. Sorry for the confusion.
Also, is there a way to tell it to omit the padding? I see that srp_encode() can omit crlf$ which almost does the job but not quite.
As before, I can handle this all myself now, but it would be nice if the one call, (to srp_encode() at least), did the complete job.
Feel free to slap me if I'm just missing something in my reading/understanding.
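As an added worked example (not code from the original post or from SRP, and written in Python rather than BASIC+ so it runs stand-alone), here is the S256 transformation this thread is about, covering both the original question and the padding follow-up: SHA-256 the code verifier, Base64-encode the digest, then swap "+" for "-", "/" for "_", and drop the trailing "=" padding. All function names below are the example's own. The to_base64url helper is the step that was missing when SRP_Hash was called with plain 'BASE64': applied to the standard-Base64 output quoted above, it yields the Base64URL value the online generator returned. The server_verify function shows the check on the authorization server's side that produces the "Transformed code verifier does not match code challenge" error when the two encodings differ.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample input: the code verifier quoted in the forum post above.
SAMPLE_VERIFIER = "czskhjhwhonrgvamtk8224474843883642743586266462367"


def to_base64url(std_b64: str) -> str:
    """Turn standard Base64 (RFC 4648 section 4) into the unpadded Base64URL
    alphabet PKCE requires (RFC 4648 section 5, RFC 7636 appendix A):
    '+' -> '-', '/' -> '_', trailing '=' removed. This is the post-processing
    a hash call that only offers plain Base64 output leaves to the caller."""
    return std_b64.translate(str.maketrans("+/", "-_")).rstrip("=")


def pkce_code_challenge(code_verifier: str) -> str:
    """S256 code challenge: BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    # urlsafe_b64encode already uses '-' and '_' but still emits '=' padding;
    # a 32-byte digest gives 44 chars ending in '=', and PKCE wants 43 without it.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def pkce_code_challenge_via_conversion(code_verifier: str) -> str:
    """Same result reached the way the original poster would get there:
    take the standard-Base64 digest and post-process it with to_base64url()."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return to_base64url(base64.b64encode(digest).decode("ascii"))


def new_code_verifier(n_bytes: int = 32) -> str:
    """Fresh random verifier. RFC 7636 section 4.1 requires 43..128 characters
    from the unreserved set; 32 random bytes in unpadded Base64URL give exactly 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).decode("ascii").rstrip("=")


def server_verify(code_verifier: str, stored_challenge: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time.
    A False here is what surfaces to the client as
    'Transformed code verifier does not match code challenge'."""
    return hmac.compare_digest(pkce_code_challenge(code_verifier), stored_challenge)


if __name__ == "__main__":
    challenge = pkce_code_challenge(SAMPLE_VERIFIER)
    print("code_verifier :", SAMPLE_VERIFIER)
    print("code_challenge:", challenge)
    # A challenge left in standard Base64 differs from this one whenever the
    # encoded digest contains '+', '/' or '=' padding, which is exactly the
    # mismatch described in the post.
    print("verifies      :", server_verify(SAMPLE_VERIFIER, challenge))
```

Because the standard and URL-safe alphabets agree on every character except "+" and "/", a given verifier can happen to produce a challenge that passes with either encoding; the padding "=" is the part that differs every time for a 32-byte digest, which is why the follow-up question about omitting it matters as much as the character substitution.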