[feature request] react to OATH requests #35

Open
ftpd opened this issue Nov 15, 2022 · 7 comments
@ftpd

ftpd commented Nov 15, 2022

Hey.
Is it possible to add a reaction to the OATH module? For example, I would like to get a notification after ykman oath account code <service name>.

@maximbaz
Owner

Hey, I don't use OATH, could you help me with repro steps? If I simply try the command above, I don't get a touch request from the YubiKey, it simply gives the answer immediately, and I can't find how to enable the touch policy.

$ ykman oath accounts code bla
bla  194431

@ftpd
Author

ftpd commented Nov 15, 2022

OATH can require a touch or not. I don't know how you created the bla entry, but ykman oath accounts add has a -t switch to require touch. Also, in the official GUI app it can be enabled/disabled per code/service.

After creating an entry that requires touch, I have:

~ ❯ ykman oath accounts code twitch
Touch your YubiKey...

@maximbaz
Owner

Gotcha, -t is exactly what I missed, many thanks. I can reproduce this now, we should definitely try to support this 👍 If you or anyone else wants to give it a go, let me know here in the ticket, we can try to research something together and find a way forward.

@ftpd
Author

ftpd commented Nov 15, 2022

I'm sorry, but I'm just an end-user with zero knowledge of Go. I can contribute with extensive testing, but unfortunately you can't rely on me in terms of actual coding.

@maximbaz
Owner

That's completely fine, ideas and testing, your helpful repro steps, are all also very valuable 👍

@maximbaz
Owner

@ftpd could you please confirm how you use this feature in your everyday life? Do you just type the ykman oath command in a terminal / have some shortcut for it? Or is there a GUI app that can retrieve the key? The reason I'm asking is because a quick and dirty solution to this request could simply be an infinite loop that checks if the ykman oath ... command is running for longer than 1 or 2 seconds - if it is, it means the YubiKey is waiting for a touch. We use something similar for one of the other methods today. But this won't work directly if there are multiple ways to get the code, not only ykman oath.
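
The polling heuristic from the comment above, as an added Go example (not part of the thread or the project's code). It assumes a Linux /proc layout; `isOathCode`, `newPoller` and the 1.5-second threshold are names and values chosen here, and a process's age is counted from the first poll that sees it.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// isOathCode: true if a NUL-separated /proc/<pid>/cmdline is "ykman ... oath ... code".
func isOathCode(cmdline []byte) bool {
	want := []string{"ykman", "oath", "code"} // must appear in this order
	for _, a := range strings.Split(string(cmdline), "\x00") {
		if len(want) > 0 && filepath.Base(a) == want[0] {
			want = want[1:]
		}
	}
	return len(want) == 0
}

// newPoller (hypothetical helper): the returned func lists PIDs matched for >= threshold.
func newPoller(procRoot string, threshold time.Duration) func(time.Time) []string {
	seen := map[string]time.Time{} // PID -> first time it was observed
	return func(now time.Time) (waiting []string) {
		files, _ := filepath.Glob(filepath.Join(procRoot, "[0-9]*", "cmdline"))
		alive := map[string]time.Time{}
		for _, f := range files {
			if data, _ := os.ReadFile(f); isOathCode(data) {
				pid := filepath.Base(filepath.Dir(f))
				if alive[pid] = seen[pid]; alive[pid].IsZero() {
					alive[pid] = now
				}
				if now.Sub(alive[pid]) >= threshold {
					waiting = append(waiting, pid) // still running: likely awaiting touch
				}
			}
		}
		seen = alive // drop exited PIDs so a reused PID starts fresh
		return waiting
	}
}

func main() {
	poll := newPoller("/proc", 1500*time.Millisecond) // the post's "1 or 2 seconds"
	for i := 0; i < 40; i++ { // watch for about 10 seconds
		fmt.Println("awaiting touch:", poll(time.Now()))
		time.Sleep(250 * time.Millisecond)
	}
}
```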

@ftpd
Author

ftpd commented Nov 21, 2022

My main usage is: every morning when I run aws-vault for the first time that day (I'm a DevOps), I have to enter an OTP code. This is my main use case. I have a keyboard shortcut to run a simple script containing ykman oath account code work-aws and put the result into the clipboard.

There is indeed also a GUI: https://www.yubico.com/products/yubico-authenticator/ and I use it from time to time when I'm logging into a website requiring a TOTP code - but I won't say I do it often and I think no one does.

For a quick workaround I can of course create a notification with notify-send when I start my script - but it would be nice to have it in the detector, so each time I retrieve a code (whether in the GUI or from a CLI script) I get a notification. Let's say it's just consistent ;-)
