Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds support for Okta Verify risky login challenge #793

Open
wants to merge 13 commits into
base: master
Choose a base branch
from
Open

Adds support for Okta Verify risky login challenge #793

Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
42abee5
Adds support for Okta Verify risky login challenge
duanewaddleAFS Mar 23, 2022
13ec7d7
Merge branch 'master' into bugfix/dw_add_number_challeng
mapkon Mar 26, 2023
97e3282
Merge branch 'master' into bugfix/dw_add_number_challeng
mapkon Mar 27, 2023
4e795d4
Merge branch 'master' into bugfix/dw_add_number_challeng
mapkon Mar 29, 2023
bf28200
Merge branch 'master' into bugfix/dw_add_number_challeng
mapkon Mar 29, 2023
ff3d620
Refactoring verifyMFA to make testing easier
duckfez Apr 3, 2023
5a8821e
Merge branch 'master' into bugfix/dw_add_number_challeng
mapkon Apr 3, 2023
68b588f
Merge branch 'master' into bugfix/dw_add_number_challeng
mapkon Apr 4, 2023
687082e
Merge branch 'master' into bugfix/dw_add_number_challeng
mapkon Apr 4, 2023
c683581
Merge branch 'master' into bugfix/dw_add_number_challeng
mapkon Apr 5, 2023
0536302
Merge branch 'master' into bugfix/dw_add_number_challeng
mapkon Apr 7, 2023
39b9163
Merge branch 'master' into bugfix/dw_add_number_challeng
mapkon Apr 9, 2023
792eace
Merge branch 'master' into bugfix/dw_add_number_challeng
mapkon Jun 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 50 additions & 39 deletions pkg/provider/okta/okta.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -840,45 +840,7 @@ func verifyMfa(oc *Client, oktaOrgHost string, loginDetails *creds.LoginDetails,

case IdentifierPushMfa:

log.Println("Waiting for approval, please check your Okta Verify app ...")

// loop until success, error, or timeout
body := challengeContext.challengeResponseBody
for {
// on 'success' status
if gjson.Get(body, "status").String() == "SUCCESS" {
log.Println(" Approved")
logger.Debugf("func verifyMfa | okta exiry: %s", gjson.Get(body, "expiresAt").String()) // DEBUG
return gjson.Get(body, "sessionToken").String(), nil
}

// otherwise probably still waiting
switch gjson.Get(body, "factorResult").String() {

case "WAITING":
time.Sleep(3 * time.Second)
logger.Debug("Waiting for user to authorize login")
updatedContext, err := getMfaChallengeContext(oc, mfaOption, resp)
if err != nil {
return "", err
}
body = updatedContext.challengeResponseBody

case "TIMEOUT":
log.Println(" Timeout")
return "", errors.New("User did not accept MFA in time")

case "REJECTED":
log.Println(" Rejected")
return "", errors.New("MFA rejected by user")

default:
log.Println(" Error")
return "", errors.New("Unsupported response from Okta, please raise ticket with saml2aws")

}

}
return verifyOktaPushMfa(oc, resp, mfaOption, challengeContext)

case IdentifierDuoMfa:
duoHost := gjson.Get(challengeContext.challengeResponseBody, "_embedded.factor._embedded.verification.host").String()
Expand Down Expand Up @@ -1300,6 +1262,55 @@ func verifyMfa(oc *Client, oktaOrgHost string, loginDetails *creds.LoginDetails,
return "", errors.New("no mfa options provided")
}

func verifyOktaPushMfa(oc *Client, resp string, mfaOption int, challengeContext *mfaChallengeContext) (string, error) {

fmt.Print("Waiting for approval, please check your Okta Verify app ...")

displayedChallegePrompt := false
// loop until success, error, or timeout
body := challengeContext.challengeResponseBody
for {
// on 'success' status
if gjson.Get(body, "status").String() == "SUCCESS" {
fmt.Println(" Approved")
logger.Debugf("func verifyMfa | okta exiry: %s", gjson.Get(body, "expiresAt").String()) // DEBUG
return gjson.Get(body, "sessionToken").String(), nil
}

// otherwise probably still waiting
switch gjson.Get(body, "factorResult").String() {

case "WAITING":
correctAnswer := gjson.Get(body, "_embedded.factor._embedded.challenge.correctAnswer")
if !displayedChallegePrompt && correctAnswer.Exists() {
fmt.Printf(" Number Challenge Value is %d ...", correctAnswer.Int())
displayedChallegePrompt = true
}
time.Sleep(3 * time.Second)
logger.Debug("Waiting for user to authorize login")
updatedContext, err := getMfaChallengeContext(oc, mfaOption, resp)
if err != nil {
return "", err
}
body = updatedContext.challengeResponseBody

case "TIMEOUT":
log.Println(" Timeout")
return "", errors.New("User did not accept MFA in time")

case "REJECTED":
log.Println(" Rejected")
return "", errors.New("MFA rejected by user")

default:
log.Println(" Error")
return "", errors.New("Unsupported response from Okta, please raise ticket with saml2aws")

}

}

}
func extractSessionToken(r io.Reader) (string, error) {
bb, err := io.ReadAll(r)
if err != nil {
Expand Down
Loading