OTP -> Management API -> Base32 Secret validator error

I’m having issues with OTP self setup using the Management API, getting an error for secret validation…

What are the requirements from the Auth0 side for the secret passed in the request? I create and pass a valid Base32 secret and sometimes I get this error:

Not a valid Base32-encoded string on property: totp_secret.

But the string is valid, I checked multiple times and also used online converters etc… it is a valid string, so what other requirements are there on the Auth0 validator side? Length? Or anything else? All strings are base32 encoded as required and contain only valid characters, so what is the issue with validation?

Thx for any response

Hi @damikun

How are you passing the byte string? In my case it doesn’t work when I use functions like “string”.encode() or b32encode(“string”) but it works when I pass the string directly. So I think the confusion comes from the byte string naming. Try with a “regular” string.


I found the solution: the issue is your custom requirement, as I was expecting… after generating base32 you need to have base32 without any “=”; this looks like the issue…

Please add this to the docs, this is kind of something that you can spend hours debugging!

@sylvainf just to your question…
Be careful about passing a non-base32 string… it will take it, but you will not be able to perform MFA later… because your backend will try to decode a string that is not encoded…

Small code example

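    // Needs: using System.Security.Cryptography; Base32Encoding comes from the poster's Base32 library.
    private string GenerateRandomSecret()
    {
        using var gen = RandomNumberGenerator.Create();

        byte[] bytes = new byte[16];
        gen.GetBytes(bytes); // fill from the CSPRNG; without this call the secret is 16 zero bytes

        var generated = Base32Encoding.ToString(bytes);

        return generated.Replace("=", ""); // <- This solved issues and Auth0 validator is happy
    }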

Hi @damikun, apologies for being unclear. Yes this is what I meant by the “confusion about the byte string naming”, you need a regular string type - base32 encoded but still a string, as opposed to what some languages like Python call a byte type string.

As for equal signs at the end of the base32 string, they are padding characters in encoded strings - I wasn’t aware that they needed to be removed for Auth0 to accept the payload. I will definitely send this up to our engineers & doc team - thanks a lot for spotting this and for taking the time to let us know.
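An added example, not part of the original posts and not Auth0's code: a Python sketch of the fix described in this thread, producing the secret as a regular string with the "=" padding removed, and restoring the padding when the secret has to be decoded again. The function names are hypothetical; the no-padding requirement is as reported in this thread. It also shows that a 16-byte secret always encodes with six "=" characters, while a 20-byte secret encodes with none.

```python
import base64
import re
import secrets

# RFC 4648 Base32 alphabet with no '=' padding: the form this thread reports
# the totp_secret validator accepting (assumption taken from the thread).
_UNPADDED_B32 = re.compile(r"[A-Z2-7]+")


def new_totp_secret(num_bytes: int = 20) -> str:
    """Return a random Base32 secret as a regular str with '=' padding removed."""
    raw = secrets.token_bytes(num_bytes)              # CSPRNG output
    encoded = base64.b32encode(raw).decode("ascii")   # bytes object -> regular str
    return encoded.rstrip("=")


def padding_len(num_bytes: int) -> int:
    """Number of '=' characters standard Base32 appends for num_bytes of input."""
    return base64.b32encode(bytes(num_bytes)).count(b"=")


def decode_unpadded(secret: str) -> bytes:
    """Restore the padding and decode; ValueError if not unpadded Base32."""
    if not _UNPADDED_B32.fullmatch(secret):
        raise ValueError("not an unpadded Base32 string")
    padded = secret + "=" * (-len(secret) % 8)        # pad back to a multiple of 8
    return base64.b32decode(padded)                   # raises on impossible lengths


if __name__ == "__main__":
    for size in (10, 16, 20):
        s = new_totp_secret(size)
        print(size, "bytes ->", len(s), "chars, standard padding:", padding_len(size))
        assert decode_unpadded(s) and "=" not in s
```

Secrets whose byte length is a multiple of 5 never carry padding, so choosing 20 bytes avoids the stripping step altogether.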


Teamwork makes the dream work!
