Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

Exception when encountering step-up auth with Duo Universal Prompt #447

Closed aogail closed 4 months ago

aogail commented 6 months ago

Expected Behavior

Authentication succeeds when Okta Classic requires step-up and Duo Universal Prompt is used

Current Behavior

If Okta Classic decides to require step-up auth and Duo Universal Prompt is in use, the step-up handling code emits this exception, because the data structure returned by the Duo Universal Prompt code is different from the one expected:

(venv) bjansen~/Development/gimme-aws-creds (master*) $ ./bin/gimme-aws-creds                   
Using password from keyring for xxx@yyy.com
Okta Password for xxx@yyy.com: 
Do you want to save this password in the keyring? (y/N) n
Multi-factor Authentication required.
claims_provider: Duo Universal Prompt selected
Duo Universal: Using Duo Push...
Multi-factor Authentication required.
claims_provider: Duo Universal Prompt selected
Duo Universal: Using Duo Push...
Traceback (most recent call last):
  File "/Users/bjansen/Development/gimme-aws-creds/./bin/gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
  File "/Users/bjansen/Development/gimme-aws-creds/gimme_aws_creds/main.py", line 451, in run
    self._run()
  File "/Users/bjansen/Development/gimme-aws-creds/gimme_aws_creds/main.py", line 870, in _run
    for data in self.iter_selected_aws_credentials():
  File "/Users/bjansen/Development/gimme-aws-creds/gimme_aws_creds/main.py", line 839, in iter_selected_aws_credentials
    aws_results = executor.map(generate_credentials_prepare_data, self.aws_selected_roles)
                                                                  ^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/bjansen/Development/gimme-aws-creds/gimme_aws_creds/main.py", line 721, in aws_selected_roles
    selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
                                                                    ^^^^^^^^^^^^^^
  File "/Users/bjansen/Development/gimme-aws-creds/gimme_aws_creds/main.py", line 712, in aws_roles
    self.saml_data['SAMLResponse'],
    ^^^^^^^^^^^^^^
  File "/Users/bjansen/Development/gimme-aws-creds/gimme_aws_creds/main.py", line 703, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'], self.auth_session)
                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/bjansen/Development/gimme-aws-creds/gimme_aws_creds/okta_classic.py", line 770, in get_saml_response
    saml_request_url = url + '?stateToken=' + api_response['_links']['next']['href']
                                              ~~~~~~~~~~~~^^^^^^^^^^
KeyError: '_links'

Possible Solution

#448

Steps to Reproduce (for bugs)

  1. Have Duo Universal Prompt enabled in your Okta tenant
  2. Authenticate with Duo Universal Prompt as your MFA type
  3. Okta may or may not decide to require step-up. If step-up is required, this bug is triggered.

Your Environment
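The traceback above fails at a chained lookup, `api_response['_links']['next']['href']`, so any response shape without `_links` surfaces as a bare `KeyError` with no indication of what the server actually returned. The following is an added example (not code from gimme-aws-creds or from PR #448) of how a step-up response can be classified defensively: the continuation link is read through a tolerant path walk, a response that already carries a `sessionToken` is recognised, and anything else raises an error that names the status and keys present. The two sample responses are constructed, and the assumption that the Duo Universal Prompt path returns a structure with no `_links` key is mine; the issue only reports that the structure differs.

```python
from typing import Optional, Tuple

# Constructed sample of the shape the traceback implies the step-up code expects:
# an Okta Classic authn response carrying a "_links.next.href" continuation link.
CLASSIC_STEP_UP_RESPONSE = {
    "status": "MFA_REQUIRED",
    "stateToken": "CONSTRUCTED-STATE-TOKEN",
    "_links": {
        "next": {
            "name": "authenticate",
            "href": "https://example.okta.com/api/v1/authn/factors/verify",
        }
    },
}

# Constructed sample with no "_links" key at all. The issue only says the Duo
# Universal Prompt path returns a different structure; this exact shape is an
# assumption made here for illustration, not the real Okta/Duo payload.
DUO_UNIVERSAL_RESPONSE = {
    "status": "SUCCESS",
    "sessionToken": "CONSTRUCTED-SESSION-TOKEN",
}


class StepUpResponseError(ValueError):
    """Raised when a step-up response carries neither a continuation link nor a session."""


def _nested_str(data: dict, *path: str) -> Optional[str]:
    """Walk a key path through nested dicts and return the string at the end, or None.

    Unlike chained [] lookups, a missing or mistyped level yields None instead of
    KeyError/TypeError, so the caller decides what the absence means.
    """
    node = data
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def resolve_step_up(api_response: dict) -> Tuple[str, str]:
    """Classify a step-up response.

    Returns ("step_up", href) when the response asks the client to continue at
    _links.next.href, ("session", token) when it already carries a sessionToken,
    and raises StepUpResponseError listing the keys actually present otherwise,
    so the failure is diagnosable rather than a bare KeyError.
    """
    href = _nested_str(api_response, "_links", "next", "href")
    if href is not None:
        return ("step_up", href)
    session = _nested_str(api_response, "sessionToken")
    if session is not None:
        return ("session", session)
    raise StepUpResponseError(
        "unexpected step-up response: status=%r, keys=%s"
        % (api_response.get("status"), sorted(api_response))
    )


if __name__ == "__main__":
    samples = (CLASSIC_STEP_UP_RESPONSE, DUO_UNIVERSAL_RESPONSE, {"status": "MFA_CHALLENGE"})
    for sample in samples:
        try:
            kind, value = resolve_step_up(sample)
        except StepUpResponseError as exc:
            print("error:", exc)
        else:
            # Do not echo session tokens to the terminal; only the link is safe to show.
            print(kind, value if kind == "step_up" else "<token redacted>")
```

The point of the error branch is operational: when a new MFA provider or a tenant setting changes the response shape, the message tells the user which status and keys came back, which is what a maintainer needs in a bug report like this one.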

epierce commented 6 months ago

Is your Okta domain using OIE or Okta Classic? If it's using OIE, this is the expected behavior because the stateToken parameter has been removed in OIE.

aogail commented 6 months ago

We're still on Classic -- sorry, I should have specified that.

epierce commented 4 months ago

This will be released in 2.8.1