Ali Alp

Easy-TOTP, A Time-Based authorization token generator library for C#

One easy and secure way to communicate between your web application and your RESTful backend services in a microservice-driven architecture is to use a dynamic API key generated with the Time-Based One-Time Password (TOTP) algorithm instead of a constant API key or JSON token. Each time the web application sends a request to any of the RESTful backend servers, it includes a new API key generated by the Easy TOTP library. On the service side, the same Easy TOTP library, initialized with the same secret and time step, generates the same API key, which is compared with the API key sent by the web application in order to authenticate the request.

Easy-TOTP's Benefits

  • Easy to implement and use
  • Lightweight
  • Secure
  • Flexible

The API keys generated by Easy TOTP are valid only for a short time span, which is given to the library at initialization as the "Time Step".

Easy TOTP flow

Prerequisite

Time-Based One Time Password (TOTP)

Advanced Encryption Standard (AES)

Resources

Github Repository

Nuget Package

Usage

string Key = "12345678901234567890123456789012"; //32 chars

var totp = new Totp()
    .Secret(Key)
    .Length(8)
    .ValidFor(TimeSpan.FromSeconds(5));

var output = totp.Compute();

//output = 12345678


Usage With Encryption

string Key = "12345678901234567890123456789012"; //32 chars
string _aesKey = "12345678901234567890123456789012"; //32 chars
string _aesIv = "1234567890123456"; //16 chars

var totp = new Totp()
    .Secret(Key)
    .Length(8)
    .ValidFor(TimeSpan.FromSeconds(5))
    .UseDefaultEncryptor(_aesKey,_aesIv);

var output = Convert.ToBase64String(totp.ComputeEncrypted());

//output = DV/tzyq8YG+BRZGSpOVNZQ==
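
The service-side comparison described at the top of the article, as an added example that is not code from Easy-TOTP or its author: it uses RFC 6238-style TOTP over HMAC-SHA-256 as a stand-in for the library's generator, and `ApiKeyCheck`, `drift` and the timestamps are assumptions. It accepts the neighbouring time steps, so a 5-second step tolerates clock skew and network latency, and it compares keys in constant time.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using System.Text;

// Constructed demo: the client mints a key, the service checks it later.
byte[] secret = Encoding.ASCII.GetBytes("12345678901234567890123456789012"); // placeholder key from the article
TimeSpan step = TimeSpan.FromSeconds(5);
DateTimeOffset sent = DateTimeOffset.FromUnixTimeSeconds(1_700_000_004);     // constructed timestamp
string apiKey = ApiKeyCheck.Compute(secret, sent, step);

Console.WriteLine(ApiKeyCheck.Verify(secret, apiKey, sent.AddSeconds(2), step));  // arrives one step later
Console.WriteLine(ApiKeyCheck.Verify(secret, apiKey, sent.AddSeconds(30), step)); // arrives six steps later

// Hypothetical helper, not part of Easy-TOTP.
static class ApiKeyCheck
{
    // RFC 4226 dynamic truncation over HMAC-SHA-256 of the big-endian step counter.
    static string CodeFor(byte[] secret, long counter, int digits)
    {
        byte[] msg = new byte[8];
        BinaryPrimitives.WriteInt64BigEndian(msg, counter);
        using var hmac = new HMACSHA256(secret);
        byte[] mac = hmac.ComputeHash(msg);
        int offset = mac[^1] & 0x0F;
        uint bin = BinaryPrimitives.ReadUInt32BigEndian(mac.AsSpan(offset, 4)) & 0x7FFFFFFF;
        return (bin % (uint)Math.Pow(10, digits)).ToString().PadLeft(digits, '0');
    }

    static long StepOf(DateTimeOffset t, TimeSpan step) =>
        t.ToUnixTimeSeconds() / (long)step.TotalSeconds;

    public static string Compute(byte[] secret, DateTimeOffset now, TimeSpan step, int digits = 8) =>
        CodeFor(secret, StepOf(now, step), digits);

    // Accept the current step plus `drift` steps either side; every candidate is
    // compared with FixedTimeEquals so timing does not reveal matching digits.
    public static bool Verify(byte[] secret, string presented, DateTimeOffset now,
                              TimeSpan step, int digits = 8, int drift = 1)
    {
        byte[] given = Encoding.ASCII.GetBytes(presented ?? string.Empty);
        long current = StepOf(now, step);
        bool ok = false;
        for (long c = current - drift; c <= current + drift; c++)
            ok |= CryptographicOperations.FixedTimeEquals(
                Encoding.ASCII.GetBytes(CodeFor(secret, c, digits)), given);
        return ok;
    }
}
```

A key stays acceptable for the whole drift window, so a service that needs strict one-time use must also remember the keys it has already accepted.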


Happy coding :)

Top comments (2)

Evert Wiesenekker • Edited

Great article because you saved me from a problem that my Blazor Server website cannot receive/send secure cookies out of the box. It seems to be possible by creating a claims principal but the examples I found were way too complicated.
Because Blazor runs server side I can use your solution.

Ali Alp

Very glad to hear that :)