Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

No way to use Okta Verify TOTP in lieu of push notification #338

Closed mjreed-wbd closed 1 year ago

mjreed-wbd commented 2 years ago

Expected Behavior

When prompting for MFA using Okta Verify, should have the option of either acknowledging the push notification on phone or entering the TOTP displayed in the application. The latter functionality is critical when the phone is not online.

Current Behavior

When MFA is Okta Verify, gimme-aws-creds waits for the push notification to be acknowledged or to time out.

Possible Solution

Could scan for keypresses in non-blocking mode and, if the user presses anything, prompt for the MFA code and submit it.

Steps to Reproduce (for bugs)

  1. set MFA to Okta Verify
  2. put phone in Airplane mode
  3. attempt to log in with gimme-aws-creds

Context

Unable to authenticate via g-a-c on plane

Your Environment
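
The fallback described under Possible Solution above, as an added example that is not gimme-aws-creds code: a wait loop that keeps polling the push factor while watching for a keypress and, as soon as the user types, accepts an Okta Verify TOTP code instead. The push poller, key waiter and code reader are injected callables (assumed names, not the project's API) so the loop runs offline; the stdin helper uses select and is POSIX-only.

```python
import select
import sys
import time
from typing import Callable, Dict

# Hypothetical helpers: in a real client poll_push would call the Okta
# factor verify endpoint and read_code would read the terminal prompt.
PushPoller = Callable[[], str]          # returns "WAITING", "SUCCESS", "REJECTED" or "TIMEOUT"
KeyWaiter = Callable[[float], bool]     # True if a key was pressed within N seconds
CodeReader = Callable[[], str]          # reads the line the user typed


def wait_for_push_or_totp(poll_push: PushPoller, wait_for_key: KeyWaiter,
                          read_code: CodeReader, timeout: float = 60.0,
                          interval: float = 1.0,
                          clock: Callable[[], float] = time.monotonic) -> Dict[str, str]:
    """Block until the push is answered, a valid TOTP is typed, or timeout expires.

    Returns {"method": "push"}, {"method": "totp", "code": ...},
    {"method": "rejected"} or {"method": "timeout"}.
    """
    deadline = clock() + timeout
    while clock() < deadline:
        status = poll_push()
        if status == "SUCCESS":
            return {"method": "push"}
        if status in ("REJECTED", "TIMEOUT"):
            return {"method": status.lower()}
        # Wait at most `interval` seconds for a keypress, then poll push again.
        if wait_for_key(interval):
            code = read_code().strip()
            if code.isdigit() and len(code) == 6:   # Okta Verify TOTP is 6 digits
                return {"method": "totp", "code": code}
            # Malformed input: ignore it and keep waiting on the push.
    return {"method": "timeout"}


def stdin_key_waiter(interval: float) -> bool:
    """POSIX-only: True if stdin has data ready within `interval` seconds."""
    ready, _, _ = select.select([sys.stdin], [], [], interval)
    return bool(ready)


if __name__ == "__main__":
    # Constructed demo: the push is never acknowledged (phone offline), so the
    # only way out before the timeout is to type the 6-digit code and press Enter.
    print("Push sent; press Enter to type your Okta Verify code instead.")
    result = wait_for_push_or_totp(lambda: "WAITING", stdin_key_waiter,
                                   lambda: input("Enter verification code: "),
                                   timeout=30.0)
    print(result)
```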

jonotto commented 2 years ago

When attempting to test this in a simulated offline mode (i.e., enabled 'Airplane Mode' on iPhone), I am prompted with the below trace (URL obfuscated). This is after a timeout period of the initial would-be push notification. If using a TOTP-only Okta token (i.e., registering without using the QR code, so no push enabled), gimme-aws-creds works just fine.

In the below example, the Okta Verify TOTP code was entered at the prompt following the initial timeout period. I then waited for it to change and typed the 2nd TOTP code. (NOTE: The same behavior is observed when simply retyping the same TOTP code twice, as well.)

```
Using password from keyring for xxxxx.xxxx@xxxxx.com
Enter verification code:
Enter verification code:

Traceback (most recent call last):
  File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 469, in run
    self._run()
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 818, in _run
    for data in self.iter_selected_aws_credentials():
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 789, in iter_selected_aws_credentials
    for role in self.aws_selected_roles:
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 672, in aws_selected_roles
    selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 663, in aws_roles
    self.saml_data['SAMLResponse'],
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 654, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'])
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 712, in get_saml_response
    api_response = self.stepup_auth(url, state_token)
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 123, in stepup_auth
    flow_state = self._next_login_step(
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 317, in _next_login_step
    return self._login_input_mfa_challenge(state_token, login_data['_links']['next']['href'])
  File "/usr/local/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 582, in _login_input_mfa_challenge
    response.raise_for_status()
  File "/usr/local/lib/python3.9/site-packages/requests/models.py", line 943, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://xxxx.okta.com/api/v1/authn/factors/xxxxxxxxxx/verify?rememberDevice=True
```

epierce commented 1 year ago

I can't replicate this - there is no timeout for the push factor and it works when I select token:software:totp( OKTA ) and enter the code generated by the Okta Verify app.