Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

Error: OAuth Client ID is required for Okta Identity Engine domains #402

Closed nsharma-fy closed 1 year ago

nsharma-fy commented 1 year ago

Getting below error with 2.6.x version, it used to work fine with 2.5.0 . We are using Okta-AWS Federation.

OAuth Client ID is required for Okta Identity Engine domains. Try running --config again.

Expected Behavior

$ gimme-aws-creds
Okta Password for :

Current Behavior

$ gimme-aws-creds
OAuth Client ID is required for Okta Identity Engine domains. Try running --config again.

Possible Solution

Not a solution, but a workaround is to use 2.5.0.

Steps to Reproduce (for bugs)

  1. Just running 2.6.0 gimme-aws-creds

Context

Not able to generate temporary AWS tokens.

Your Environment

App Name: AWS Account Federation
OS Versions: Ubuntu 20.04 and macOS 12.6.3

epierce commented 1 year ago

Has your Okta domain been upgraded to Okta Identity Engine?

nsharma-fy commented 1 year ago

Yes, looks like we have Okta Identity Engine domain, not a classical one. Not sure if this has been upgraded recently or not, as gimme-aws-creds 2.5.0 and older does not seem to have this check and still works fine.

lluczaj commented 1 year ago

We have exactly the same issue. Since today it seems that all gimme-aws-creds apps above 2.5.0 stopped working. We have Okta Identity Engine but Okta support claims that we had it from the beginning. Yet, something happened just recently :(

epierce commented 1 year ago

the sessionToken used with Okta Classic domains was removed from OIE, so I don't know how v2.5.0 worked with an OIE domain. What value are you using for gimme_creds_server in your config file? I'll try to replicate this in my test OIE domain

nsharma-fy commented 1 year ago

We are using gimme_creds_server = appurl

epierce commented 1 year ago

I just added a --force-classic parameter which will force the use of the old login process when connecting to an OIE domain. However, there is functionality that's been removed in OIE, so not everything works (there are some details in the README). Please install the version in the dev branch (pip3 install --upgrade https://github.com/Nike-Inc/gimme-aws-creds/archive/dev.zip) and let me know if it works for you.

nsharma-fy commented 1 year ago

I see the same issue with the version provided

$ gimme-aws-creds --version
gimme-aws-creds 2.6.2
$ gimme-aws-creds
OAuth Client ID is required for Okta Identity Engine domains.  Try running --config again.

$ gimme-aws-creds --force-classic
OAuth Client ID is required for Okta Identity Engine domains.  Try running --config again.

ghost commented 1 year ago

I think it must just have been an oversight, the assignment of True to force_classic was commented out, so it just stayed False. After uncommenting it, it worked fine for me. Really minor fix!

epierce commented 1 year ago

Yes, @ryanashmore is correct. I was testing the force_classic option in the config file and forgot to re-enable the command line option. Please try out the latest version in the dev branch - gimme-aws-creds --force-classic should work for you now.

nsharma-fy commented 1 year ago

Reinstalled the dev version, but getting a different error now

$ gimme-aws-creds  --force-classic
Okta Classic login flow enabled
Traceback (most recent call last):
  File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
  File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 475, in run
    self._run()
  File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 873, in _run
    for data in self.iter_selected_aws_credentials():
  File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 842, in iter_selected_aws_credentials
    aws_results = executor.map(generate_credentials_prepare_data, self.aws_selected_roles)
  File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 734, in aws_selected_roles
    selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
  File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 725, in aws_roles
    self.saml_data['SAMLResponse'],
  File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 716, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'], self.auth_session)
  File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 588, in okta
    okta = self._cache['okta'] = OktaClassicClient(
  File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/okta_classic.py", line 82, in __init__
    retries = Retry(total=5, backoff_factor=1,
TypeError: __init__() got an unexpected keyword argument 'allowed_methods'

epierce commented 1 year ago

If you do pip3 list, what version do you have for requests and urllib3? You should have urllib3>=1.26 and requests>=2.25

nsharma-fy commented 1 year ago

Thanks, it works now. A note: the urllib3 version must be < 2; with higher versions the error below is seen.

ImportError: cannot import name 'DEFAULT_CIPHERS' from 'urllib3.util.ssl_' (/usr/local/lib/python3.8/dist-packages/urllib3/util/ssl_.py)

JoeLyga commented 1 year ago

Confirmed. I get the same issue with urllib3

LevitatingKraken commented 1 year ago

Hi, with brew install gimme-aws-creds version 2.6.1 there is no "--force-classic" option. Also, will it allow using Touch ID like in 2.5.0?

epierce commented 1 year ago

the version with --force-classic hasn't been released yet. You'll need to use the pip3 command I posted above to install the latest build from the dev branch

LevitatingKraken commented 1 year ago

My bad, it works perfectly with touch id, thanks!

zlata-shtamburg-cko commented 1 year ago

Hi guys! Can you suggest what to do in my situation? I'm facing the same issue. After running the command with the '--force_classic' parameter, I've got an error: Step-up authentication is not supported when using the '--force_classic' parameter

is there is any workaround to fix it?

epierce commented 1 year ago

Step-up auth is triggered by the authentication policy that's been applied to your AWS app in Okta. If you have a Global Session Policy that requires MFA, the MFA factor you used to login meets the requirements of the app's authentication policy and the reauthentication frequency in the auth policy isn't set to "Every Sign-in Attempt", you can disable remember_device and clear out device_token in your config file and that should work.

Right now, the Device Authorization flow is the only way to authenticate to an OIE domain regardless of the Global Session Policy and Authentication Policy configurations.

epierce commented 1 year ago

--force-classic and the changes to the required Python libraries will be available in the next release

nandy6666 commented 3 months ago

> Yes, @ryanashmore is correct. I was testing the force_classic option in the config file and forgot to re-enable the command line option. Please try out the latest version in the dev branch - gimme-aws-creds --force-classic should work for you now.

This works on macOS.