totp expire time

[UfkumDeniz]

Hi,

First of all "eline sağlık" I can easily read and understand your code.

I need a OTP with expire time 180 seconds. At first, I thought that totp is about expiration duration but as I test, I saw that it is not the case.

Do you know how to overcome this situation?

To test expiration I used following code block. First, I tried 30 seconds and results were unstable.

try {
  String code = totpGenerator.now();
  System.out.println("Generated code: " + code);
  for (int i = 0; i <= 6; i++) {
    boolean verify = totpGenerator.verify(code); // true
    System.out.println(LocalDateTime.now() + " " + (10000 * i) / 1000 + "sec. otp result is: " + verify);

    Thread.sleep(10000);
  }

Generated code: 480366
2024-05-10T11:41:39.821 0sec. otp result is: true
2024-05-10T11:41:49.831 10sec. otp result is: true
2024-05-10T11:41:59.836 20sec. otp result is: true
2024-05-10T11:42:09.852 30sec. otp result is: false
2024-05-10T11:42:19.857 40sec. otp result is: false

Generated code: 915372
2024-05-10T11:42:57.518 0sec. otp result is: true
2024-05-10T11:43:07.529 10sec. otp result is: false
2024-05-10T11:43:17.541 20sec. otp result is: false
2024-05-10T11:43:27.548 30sec. otp result is: false
2024-05-10T11:43:37.557 40sec. otp result is: false

[BastiaanJansen]

Hi, thanks for you kind words!

It is correct that the expiration duration does not exactly match your expectation, because the token belongs to a specific time step. You could generate a token with a custom Clock object you control. However I don't think your use case is supported based on RFC6238.