Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Show meaningful error, when mfa response does not contain session token #822

Closed krzysztofdrys closed 1 year ago

krzysztofdrys commented 2 years ago

Hello,

First of all, thanks for this great tool.

I would like to report an issue which happened to me today. I tried to login using saml2aws as usual. My session would look like this:

saml2aws login
Using IdP Account default to access Okta <redacted>
To use saved password just hit enter.
? Username <redacted>
? Password

Authenticating as <redacted> ...
? Select which MFA option to use TOTP MFA authentication
? Enter verification code 106105
Error authenticating to IdP.: unable to create an okta session, nil input

After some digging and rerunning with DUMP_CONTENT=true saml2aws login --force --verbose it turned out that my password in Okta has expired. The response I would receive from okta is at the end of this issue.

I propose that verifyMfa should check if the payload actually contains a session token and return an error if it does not.

I would like to work on this issue. I should be able to submit a PR shortly.

{
  "stateToken": "<redacted>",
  "expiresAt": "2022-05-16T11:05:48.000Z",
  "status": "PASSWORD_EXPIRED",
  "_embedded": {
    "user": {
      "id": "<redacted>",
      "profile": {
        "login": "<redacted>",
        "firstName": "Krysztof",
        "lastName": "Drys",
        "locale": "en_US",
        "timeZone": "America/Los_Angeles"
      }
    },
    "policy": {
      "complexity": {
        "minLength": 8,
        "minLowerCase": 1,
        "minUpperCase": 1,
        "minNumber": 1,
        "minSymbol": 0,
        "excludeUsername": true
      },
      "age": {
        "minAgeMinutes": 0,
        "historyCount": 0
      }
    }
  },
  "_links": {
    "next": {
      "name": "changePassword",
      "href": "<redacted>",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    },
    "cancel": {
      "href": "<redacted>",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}
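
A check of the kind the proposal above describes, as an added example that is not saml2aws's own code: a hypothetical Go helper that decodes the Okta authn response (assuming the field names visible in the quoted response), and instead of passing an empty session token onward returns an error naming the Okta status and the next step Okta expects.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// oktaAuthnResponse holds only the fields the check needs from the Okta
// authn transaction JSON (names follow the response quoted in the issue).
type oktaAuthnResponse struct {
	Status       string `json:"status"`
	SessionToken string `json:"sessionToken"`
	Links        struct {
		Next struct {
			Name string `json:"name"`
		} `json:"next"`
	} `json:"_links"`
}

// sessionTokenFromAuthn is a hypothetical helper (not saml2aws's verifyMfa).
// It returns the session token, or an error that names the Okta status and
// the next step Okta asks for, so the caller never sees a nil/empty token.
func sessionTokenFromAuthn(body []byte) (string, error) {
	var resp oktaAuthnResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("decoding okta authn response: %w", err)
	}
	if resp.Status != "SUCCESS" || resp.SessionToken == "" {
		next := resp.Links.Next.Name
		if next == "" {
			next = "unknown"
		}
		return "", fmt.Errorf("okta returned status %q without a session token (next step: %s)",
			resp.Status, next)
	}
	return resp.SessionToken, nil
}

// Constructed samples modelled on the redacted response in the issue.
const expiredBody = `{"stateToken":"x","status":"PASSWORD_EXPIRED","_links":{"next":{"name":"changePassword"}}}`
const successBody = `{"status":"SUCCESS","sessionToken":"20111abc"}`

func main() {
	for _, b := range []string{expiredBody, successBody} {
		tok, err := sessionTokenFromAuthn([]byte(b))
		fmt.Printf("token=%q err=%v\n", tok, err)
	}
}
```

With the expired sample the helper reports `okta returned status "PASSWORD_EXPIRED" without a session token (next step: changePassword)`, which is the kind of message the user would need instead of "nil input".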

krzysztofdrys commented 1 year ago

Friendly ping on this.

ulidtko commented 1 month ago

This is still not resolved on 2.36.17-SNAPSHOT-426bac6.

Getting "status":"PASSWORD_EXPIRED" — yet the error without DUMP_CONTENT=true and --verbose is:

Error authenticating to IdP.: unable to create an okta session, nil input