Closed mjreed-wbd closed 1 year ago
When attempting to test this in a simulated offline mode (i.e., enabled 'Airplane Mode' on iPhone), I am prompted with the below trace (URL obfuscated). This is after a timeout period of the initial would-be push notification. If using a TOTP-only Okta token (i.e., registering without using the QR code, so no push enabled), gimme-aws-creds works just fine.
In the below example, the Okta Verify TOTP code was entered at the prompt following the initial timeout period. I then waited for it to change and typed the 2nd TOTP code. (NOTE: The same behavior is observed when simply retyping the same TOTP code twice, as well.)
```text
Using password from keyring for xxxxx.xxxx@xxxxx.com
Enter verification code:
Enter verification code:
Traceback (most recent call last):
  File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 469, in run
    self._run()
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 818, in _run
    for data in self.iter_selected_aws_credentials():
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 789, in iter_selected_aws_credentials
    for role in self.aws_selected_roles:
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 672, in aws_selected_roles
    selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 663, in aws_roles
    self.saml_data['SAMLResponse'],
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 654, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'])
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 712, in get_saml_response
    api_response = self.stepup_auth(url, state_token)
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 123, in stepup_auth
    flow_state = self._next_login_step(
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 317, in _next_login_step
    return self._login_input_mfa_challenge(state_token, login_data['_links']['next']['href'])
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 582, in _login_input_mfa_challenge
    response.raise_for_status()
  File "/usr/local/lib/python3.9/site-packages/requests/models.py", line 943, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://xxxx.okta.com/api/v1/authn/factors/xxxxxxxxxx/verify?rememberDevice=True
```
I can't replicate this - there is no timeout for the push factor and it works when I select token:software:totp( OKTA ) and enter the code generated by the Okta Verify app.
Expected Behavior
When prompting for MFA using Okta Verify, should have the option of either acknowledging the push notification on phone or entering the TOTP displayed in the application. The latter functionality is critical when the phone is not online.
Current Behavior
When MFA is Okta Verify, gimme-aws-creds waits for the push notification to be acknowledged or to time out.
Possible Solution
Could scan for keypresses in non-blocking mode and, if the user presses anything, prompt for the MFA code and submit it.
Steps to Reproduce (for bugs)
Context
Unable to authenticate via g-a-c on plane
Your Environment
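As an added sketch of the non-blocking keypress idea from the Possible Solution above (example code written here, not part of gimme-aws-creds): `poll_push` and `key_pressed` are hypothetical callbacks the caller supplies, and the result strings are the `factorResult` values Okta's authn verify endpoint returns for a push factor. The point is that a keypress ends the push wait and hands control to a TOTP prompt, so the user is never stuck behind a push that cannot arrive on an offline phone.

```python
import select
import sys
import time


def stdin_has_key(timeout):
    """Return True if any key is available on stdin within `timeout` seconds.

    select() makes this non-blocking on POSIX terminals; Windows consoles do
    not support select() on stdin and would need msvcrt.kbhit() instead.
    """
    ready, _, _ = select.select([sys.stdin], [], [], timeout)
    return bool(ready)


def wait_for_push_or_keypress(poll_push, key_pressed=stdin_has_key,
                              poll_interval=1.0, max_wait=60.0,
                              clock=time.monotonic):
    """Poll an Okta push factor while watching stdin for a keypress.

    poll_push()       -> factorResult from the push verify endpoint:
                         'WAITING', 'SUCCESS', 'REJECTED' or 'TIMEOUT'
    key_pressed(secs) -> True if the user pressed a key within secs
    Returns 'SUCCESS', 'REJECTED', 'TIMEOUT' or 'FALLBACK_TOTP'.
    On 'FALLBACK_TOTP' the caller prompts with read_totp_code() and submits
    the code to the separate token:software:totp factor, not the push one.
    """
    deadline = clock() + max_wait
    while clock() < deadline:
        result = poll_push()
        if result in ('SUCCESS', 'REJECTED', 'TIMEOUT'):
            return result
        # Any key during the poll interval means "let me type a code instead"
        if key_pressed(poll_interval):
            return 'FALLBACK_TOTP'
    return 'TIMEOUT'


def read_totp_code(prompt_input=input):
    """Prompt until a 6-digit Okta Verify code is entered; returns it as str."""
    while True:
        code = prompt_input('Enter verification code: ').strip()
        if code.isdigit() and len(code) == 6:
            return code
        print('Expected a 6-digit code from the Okta Verify app.')
```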