MKokeshi
commented
3 months ago Problem:
Users may encounter the following error when retrieving session keys using KeyConjurer:
Error: failed to fetch SAML assertionThis error arises because:
- Okta might reject the token exchange request.
- The error is not properly handled, leading to an empty OAuth2 token being submitted, which then fails during the SAML assertion process.
Reproduction Steps:
- Log into KeyConjurer.
- Entitle the user to a new AWS application.
- Run
keyconjurer accounts. - Run
keyconjurer get [account name of new application].
Resolution:
-
Error Handling in Token Exchange Endpoint:
- Return an
ErrUnauthorizederror if a failure occurs during the token exchange process. - Treat any non-200 HTTP response code from Okta (e.g., HTTP 500, HTTP 403) as an authorization error.
- Return an
-
Implementation:
- Check the HTTP status code from Okta.
- If the status code is not 200, respond with an
ErrUnauthorizederror. - Ensure proper error handling to avoid empty OAuth2 tokens being used.
This approach ensures that users receive clear and actionable error messages when the token exchange fails.
Description
A user who attempts to retrieve session keys using
keyconjurer getmay receive the error:Reproduction steps
keyconjurer accounts.keyconjurer get [account name of new application].Okta may reject a request to exchange tokens using token exchange flow. If it does, the error is silently dropped, and the code continues, ultimately submitting an empty Oauth2 token to the SAML assertion endpoint, which results in the above error.
Resolution
Return an
ErrUnauthorizederror to the end-user if this occurs during the token exchange endpoint. It's not clear if the response code from Okta is HTTP 500, HTTP 403 or simply a non-200 HTTP response code; Standards indicate that the response code should be HTTP 400. We will simply treat any non-200 status code as an unauthorized error.