Wednesday, September 11, 2013

OpenAM OATH Authentication - java.util.NoSuchElementException

There is a new authentication module in OpenAM 10.1-Xpress - OATH authentication.

And there is a nice wiki which illustrates how to integrate OATH authentication module with Google Authenticator. (Read here) That gets me interested! I could implement this for our company's intranet portal which is protected by OpenAM.

As mentioned in the wiki,

The key attributes we need to set for Google Authenticator are:
  • Auth Level.  This is a higher strength multi-factor module, so we assign a value of 10 here. 
  • One Time Password Length: This is the length of the OTP that will be displayed by the Google Authenticator application. Six is the default for Authenticator. 
  • Minimum secret key length: I used 8 for this example, which is too short for production. This is the length (in hex characters) of the encoded secret. 
  • Secret Key Attribute: This is the name of the ldap attribute where the secret key is stored. For this example I am using the "title" attribute. This isn't a great choice, and for production you would extend your ldap schema with a dedicated attribute. 
  • OATH Algorithm:  TOTP for Google Authenticator
  • Last Login Time Attribute:  The OATH TOTP module needs to store the last login timestamps (UNIX long time) in this attribute.  I am using "description" but again you should extend your schema with a dedicated attribute.

Now, one thing to take note is: besides keying in the Secret Key attribute into the LDAP server ("title" is used in the example), one has to key in a default value for Last Login Time attribute ("description").

Otherwise, you'll hit into the same error as what I had encountered:

amAuthOATH:09/11/2013 03:57:01:432 PM SGT: Thread[ajp-apr-,5,main]
ERROR: OATH.checkOTP() : checkOTP process failed :
        at java.util.HashMap$HashIterator.nextEntry(
        at java.util.HashMap$
        at org.forgerock.openam.authentication.modules.oath.OATH.checkOTP(
        at org.forgerock.openam.authentication.modules.oath.OATH.process(
        at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(
        at com.sun.identity.authentication.spi.AMLoginModule.login(

This will always happen for the initial login after OATH is configured because the attribute is empty. The code could have been better written to take care of this special scenario.



  1. I've reported a bug for this now: