Apr 20, 2022
Regarding the last section "How to generate a QR code?", Stan_PIRON_F5 shared a new approach that I show you below.
Taking into account that our user secret is stored in our Active Directory, one idea is to configure a new VS with an access policy (APM). This access policy could get the encrypted secret from the AD using an AD Query. After that, it would only be necessary to configure one iRule to decrypt that secret and present a web page with the QR Code (using JavaScript). Here is one example:
when RULE_INIT {
    # Symmetric key used to decrypt the user secrets stored in AD.
    # This is the sample value from the post; anyone who can read this iRule
    # can decrypt every stored secret, so protect the configuration accordingly.
    set static::b64key "pnnqLfua6Mk/Oh3xqWV/6NTLd0r0aYaO4je3irwDbng="
    set static::KEY [b64decode $static::b64key]
}

when ACCESS_ACL_ALLOWED {
    # Get domain and user from the logon page
    set DOMAIN [ACCESS::session data get "session.logon.last.domain"]
    set USER_NAME [ACCESS::session data get "session.logon.last.username"]

    # Get the encrypted secret from the AD query (stored base64-encoded in the
    # "pager" attribute); do nothing if the user has none
    set aes_cipherstring [b64decode [ACCESS::session data get "session.ad.last.attr.pager"]]
    if { $aes_cipherstring equals "" } { return }

    # Split into the 16-byte IV and the ciphertext that follows it
    binary scan $aes_cipherstring a16a* aes_iv aes_ciphertext

    # Decrypt the user secret
    set USER_KEY [CRYPTO::decrypt -alg aes-256-cbc -key $static::KEY -iv $aes_iv $aes_ciphertext]

    # Reply to the user with an HTML page that renders the QR code client-side.
    # Both scripts are loaded from a third-party host, so that code handles the
    # secret in the browser; hosting local copies removes that dependency.
    ACCESS::respond 200 content "<html>
<body>
<h1>Your TOTP QR Code is: </h1>
<input id=\"label\" type=\"hidden\" value=\"$DOMAIN\" />
<input id=\"user\" type=\"hidden\" value=\"$USER_NAME\" />
<input id=\"key\" type=\"hidden\" value=\"$USER_KEY\" />
<input id=\"digits\" type=\"hidden\" value=\"\" />
<input id=\"period\" type=\"hidden\" value=\"\" />
<div id=\"url\"></div>
<div id=\"qrcode\"></div>
<script type=\"text/javascript\" src=\"https://dan.hersam.com/tools/js/qrcodejs/qrcode.min.js\"></script>
<script type=\"text/javascript\" src=\"https://dan.hersam.com/tools/js/gen-qr-code.js\"></script>
</body>
</html>"
}
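To check that what gets written into the AD attribute matches what the iRule's `binary scan ... a16a*` and `CRYPTO::decrypt -alg aes-256-cbc` expect, here is an added example in Go (not part of the original post and not F5 code) that seals a constructed sample secret in the same layout, base64(IV || ciphertext), and opens it again the way the iRule does. It assumes PKCS#7 padding (the post does not say which padding is used) and that the key is the raw 32-byte value the iRule's b64decode produces; the function names are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// SealSecret writes a TOTP secret in the layout the iRule reads from the AD attribute: base64( IV[16] || AES-256-CBC(secret) ), PKCS#7 padding assumed.
func SealSecret(key []byte, secret string) (string, error) {
	if len(key) != 32 { // the iRule decrypts with aes-256-cbc; a 16- or 24-byte key would not match
		return "", errors.New("aes-256-cbc needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(secret)%aes.BlockSize
	plain := append([]byte(secret), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(plain))
	copy(out, iv) // IV first, exactly where the iRule's "a16" scan expects it
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], plain)
	return base64.StdEncoding.EncodeToString(out), nil
}
// OpenSecret mirrors the iRule: b64decode, split as "a16a*" into IV and ciphertext, decrypt, then verify and strip the padding.
func OpenSecret(key []byte, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("value is not base64 of a 16-byte IV plus whole AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	plain := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(plain, raw[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding: wrong key or corrupt value")
	}
	return string(plain[:len(plain)-pad]), nil
}
```

A secret that OpenSecret cannot recover with the same key will not decrypt on the BIG-IP either, so running this against a value pulled from the test user's attribute is a quick way to find a layout or key mismatch before touching the iRule.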