mbegan / Okta-PSModule

Okta API Powershell Wrapper Module

Assistance with Validating Factors #22

Open terabyte12 opened 5 years ago

terabyte12 commented 5 years ago

I am attempting to validate a user's factor on demand. In lieu of writing a SAML APP, I figured I could use this!

I am able to successfully get an Okta Verify Push to go out with the following:

oktaVerifyOTPbyUser -uid $user_id -fid $factor_id

If I manually use the result's _links.poll.href URL in a browser where I am already logged into Okta, I can track the success/reject of the Okta Verify Push request. I cannot, however, figure out how I would do this in PowerShell, as the results need to be viewed as an authorized user.

Any chance it is possible to use the API Token that this Module is already using to update the factorResult?

Thanks!

mbegan commented 5 years ago

Can you describe your end goal for me?

If you compare how enforcing MFA would look in a SAML or OIDC flow versus how it might behave using the APIs, they are drastically different.

There is a cmdlet in the module that you can use to send a push notice; that cmdlet checks the status of the push notification on its own (see long output below).


PS /Users/mattegan> oktaVerifyPushbyUser -username matt.egan -oOrg matt -Verbose
VERBOSE: GET https://mattegantest.oktapreview.com/api/v1/users/matt.egan with 0-byte payload
VERBOSE: received -byte response of content type application/json
VERBOSE: Req-Hdr: Accept-Encoding -> deflate,gzip
VERBOSE: Req-Hdr: Accept-Charset -> ISO-8859-1,utf-8
VERBOSE: Req-Hdr: Accept-Language -> en-US
VERBOSE: Req-Hdr: Authorization -> SSWS xXxXxXxxXxxXxXxXxxXx
VERBOSE: Req-Hdr: Content-Type -> application/json
VERBOSE: Req-Hdr: User-Agent -> Okta-PSModule/2.4 (6.0.2) (Unix) (Darwin 17.5.0 Darwin Kernel Version 17.5.0: Fri Apr 13 19:32:32 PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64)
VERBOSE: Res-Hdr: Date -> Wed, 01 Aug 2018 21:37:47 GMT
VERBOSE: Res-Hdr: X-Okta-Request-Id -> W2IoK1qZpFnKCGfjChJO6gAAB5Q
VERBOSE: Res-Hdr: X-Rate-Limit-Limit -> 2000
VERBOSE: Res-Hdr: X-Rate-Limit-Remaining -> 1999
VERBOSE: Res-Hdr: X-Rate-Limit-Reset -> 1533159527
VERBOSE: Res-Hdr: Content-Type -> application/json; charset=UTF-8
VERBOSE: Okta Request ID: W2IoK1qZpFnKCGfjChJO6gAAB5Q
VERBOSE: There was content retured, convert from json string
VERBOSE: You have 1999 out of 2000 aka: 99.950% left in the tank
VERBOSE: This Page returned: 1, we've seen: 1 results so far
VERBOSE: We see no or an invalid next link of: False
VERBOSE: GET https://mattegantest.oktapreview.com/api/v1/users/00uabxx4hlwm47RSV0h7/factors with 0-byte payload
VERBOSE: received -byte response of content type application/json
VERBOSE: Req-Hdr: Accept-Encoding -> deflate,gzip
VERBOSE: Req-Hdr: Accept-Charset -> ISO-8859-1,utf-8
VERBOSE: Req-Hdr: Accept-Language -> en-US
VERBOSE: Req-Hdr: Authorization -> SSWS xXxXxXxxXxxXxXxXxxXx
VERBOSE: Req-Hdr: Content-Type -> application/json
VERBOSE: Req-Hdr: User-Agent -> Okta-PSModule/2.4 (6.0.2) (Unix) (Darwin 17.5.0 Darwin Kernel Version 17.5.0: Fri Apr 13 19:32:32 PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64)
VERBOSE: Res-Hdr: Date -> Wed, 01 Aug 2018 21:37:48 GMT
VERBOSE: Res-Hdr: X-Okta-Request-Id -> W2IoLFqZpFnKCGfjChJO8QAAB8c
VERBOSE: Res-Hdr: X-Rate-Limit-Limit -> 600
VERBOSE: Res-Hdr: X-Rate-Limit-Remaining -> 597
VERBOSE: Res-Hdr: X-Rate-Limit-Reset -> 1533159484
VERBOSE: Res-Hdr: Content-Type -> application/json; charset=UTF-8
VERBOSE: Okta Request ID: W2IoLFqZpFnKCGfjChJO8QAAB8c
VERBOSE: There was content retured, convert from json string
VERBOSE: You have 597 out of 600 aka: 99.500% left in the tank
VERBOSE: This Page returned: 6, we've seen: 6 results so far
VERBOSE: We see no or an invalid next link of: False
VERBOSE: Found push factor ostewfh3ixGNGYLIQ0h7 sending push
VERBOSE: {}
VERBOSE: POST https://mattegantest.oktapreview.com/api/v1/users/00uabxx4hlwm47RSV0h7/factors/opfewfdhfj8fJZ9rz0h7/verify with 2-byte payload
VERBOSE: received -byte response of content type application/json
VERBOSE: Req-Hdr: Authorization -> SSWS xXxXxXxxXxxXxXxXxxXx
VERBOSE: Req-Hdr: UserAgent ->
VERBOSE: Req-Hdr: Accept-Language -> en-US
VERBOSE: Req-Hdr: Accept-Encoding -> deflate,gzip
VERBOSE: Req-Hdr: Accept-Charset -> ISO-8859-1,utf-8
VERBOSE: Req-Hdr: X-Forwarded-For -> 
VERBOSE: Req-Hdr: Content-Type -> application/json
VERBOSE: Req-Hdr: User-Agent -> Okta-PSModule/2.4 (6.0.2) (Unix) (Darwin 17.5.0 Darwin Kernel Version 17.5.0: Fri Apr 13 19:32:32 PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64)
VERBOSE: Res-Hdr: Date -> Wed, 01 Aug 2018 21:37:48 GMT
VERBOSE: Res-Hdr: X-Okta-Request-Id -> W2IoLFqZpFnKCGfjChJO8wAAB50
VERBOSE: Res-Hdr: X-Rate-Limit-Limit -> 600
VERBOSE: Res-Hdr: X-Rate-Limit-Remaining -> 596
VERBOSE: Res-Hdr: X-Rate-Limit-Reset -> 1533159484
VERBOSE: Res-Hdr: Content-Type -> application/json; charset=UTF-8
VERBOSE: Okta Request ID: W2IoLFqZpFnKCGfjChJO8wAAB50
VERBOSE: There was content retured, convert from json string
VERBOSE: You have 596 out of 600 aka: 99.333% left in the tank
VERBOSE: This Page returned: 1, we've seen: 1 results so far
VERBOSE: We see no or an invalid next link of: False
VERBOSE: Push transaction triggered, pulling for status @ :https://mattegantest.oktapreview.com/api/v1/users/00uabxx4hlwm47RSV0h7/factors/opfewfdhfj8fJZ9rz0h7/transactions/v2mst.xolQVDDJSAuo4WxFiJEuqg
VERBOSE: Adaptive sleeping for: 1 Seconds
VERBOSE: GET https://mattegantest.oktapreview.com/api/v1/users/00uabxx4hlwm47RSV0h7/factors/opfewfdhfj8fJZ9rz0h7/transactions/v2mst.xolQVDDJSAuo4WxFiJEuqg with 0-byte payload
VERBOSE: received -byte response of content type application/json
VERBOSE: Req-Hdr: Accept-Encoding -> deflate,gzip
VERBOSE: Req-Hdr: Accept-Charset -> ISO-8859-1,utf-8
VERBOSE: Req-Hdr: Accept-Language -> en-US
VERBOSE: Req-Hdr: Authorization -> SSWS xXxXxXxxXxxXxXxXxxXx
VERBOSE: Req-Hdr: Content-Type -> application/json
VERBOSE: Req-Hdr: User-Agent -> Okta-PSModule/2.4 (6.0.2) (Unix) (Darwin 17.5.0 Darwin Kernel Version 17.5.0: Fri Apr 13 19:32:32 PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64)
VERBOSE: Res-Hdr: Date -> Wed, 01 Aug 2018 21:37:49 GMT
VERBOSE: Res-Hdr: X-Okta-Request-Id -> W2IoLVqZpFnKCGfjChJPFQAAB4o
VERBOSE: Res-Hdr: X-Rate-Limit-Limit -> 600
VERBOSE: Res-Hdr: X-Rate-Limit-Remaining -> 595
VERBOSE: Res-Hdr: X-Rate-Limit-Reset -> 1533159484
VERBOSE: Res-Hdr: Content-Type -> application/json; charset=UTF-8
VERBOSE: Okta Request ID: W2IoLVqZpFnKCGfjChJPFQAAB4o
VERBOSE: There was content retured, convert from json string
VERBOSE: You have 595 out of 600 aka: 99.167% left in the tank
VERBOSE: This Page returned: 1, we've seen: 1 results so far
VERBOSE: We see no or an invalid next link of: False
VERBOSE: WAITING
VERBOSE: Adaptive sleeping for: 2 Seconds
VERBOSE: GET https://mattegantest.oktapreview.com/api/v1/users/00uabxx4hlwm47RSV0h7/factors/opfewfdhfj8fJZ9rz0h7/transactions/v2mst.xolQVDDJSAuo4WxFiJEuqg with 0-byte payload
VERBOSE: received -byte response of content type application/json
VERBOSE: Req-Hdr: Accept-Encoding -> deflate,gzip
VERBOSE: Req-Hdr: Accept-Charset -> ISO-8859-1,utf-8
VERBOSE: Req-Hdr: Accept-Language -> en-US
VERBOSE: Req-Hdr: Authorization -> SSWS xXxXxXxxXxxXxXxXxxXx
VERBOSE: Req-Hdr: Content-Type -> application/json
VERBOSE: Req-Hdr: User-Agent -> Okta-PSModule/2.4 (6.0.2) (Unix) (Darwin 17.5.0 Darwin Kernel Version 17.5.0: Fri Apr 13 19:32:32 PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64)
VERBOSE: Res-Hdr: Date -> Wed, 01 Aug 2018 21:37:52 GMT
VERBOSE: Res-Hdr: X-Okta-Request-Id -> W2IoMFqZpFnKCGfjChJPMQAAB84
VERBOSE: Res-Hdr: X-Rate-Limit-Limit -> 600
VERBOSE: Res-Hdr: X-Rate-Limit-Remaining -> 594
VERBOSE: Res-Hdr: X-Rate-Limit-Reset -> 1533159484
VERBOSE: Res-Hdr: Content-Type -> application/json; charset=UTF-8
VERBOSE: Okta Request ID: W2IoMFqZpFnKCGfjChJPMQAAB84
VERBOSE: There was content retured, convert from json string
VERBOSE: You have 594 out of 600 aka: 99.000% left in the tank
VERBOSE: This Page returned: 1, we've seen: 1 results so far
VERBOSE: We see no or an invalid next link of: False
VERBOSE: WAITING
VERBOSE: Adaptive sleeping for: 3 Seconds
VERBOSE: GET https://mattegantest.oktapreview.com/api/v1/users/00uabxx4hlwm47RSV0h7/factors/opfewfdhfj8fJZ9rz0h7/transactions/v2mst.xolQVDDJSAuo4WxFiJEuqg with 0-byte payload
VERBOSE: received -byte response of content type application/json
VERBOSE: Req-Hdr: Accept-Encoding -> deflate,gzip
VERBOSE: Req-Hdr: Accept-Charset -> ISO-8859-1,utf-8
VERBOSE: Req-Hdr: Accept-Language -> en-US
VERBOSE: Req-Hdr: Authorization -> SSWS xXxXxXxxXxxXxXxXxxXx
VERBOSE: Req-Hdr: Content-Type -> application/json
VERBOSE: Req-Hdr: User-Agent -> Okta-PSModule/2.4 (6.0.2) (Unix) (Darwin 17.5.0 Darwin Kernel Version 17.5.0: Fri Apr 13 19:32:32 PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64)
VERBOSE: Res-Hdr: Date -> Wed, 01 Aug 2018 21:37:55 GMT
VERBOSE: Res-Hdr: X-Okta-Request-Id -> W2IoM1qZpFnKCGfjChJPZQAAB14
VERBOSE: Res-Hdr: X-Rate-Limit-Limit -> 600
VERBOSE: Res-Hdr: X-Rate-Limit-Remaining -> 593
VERBOSE: Res-Hdr: X-Rate-Limit-Reset -> 1533159484
VERBOSE: Res-Hdr: Content-Type -> application/json; charset=UTF-8
VERBOSE: Okta Request ID: W2IoM1qZpFnKCGfjChJPZQAAB14
VERBOSE: There was content retured, convert from json string
VERBOSE: You have 593 out of 600 aka: 98.833% left in the tank
VERBOSE: This Page returned: 1, we've seen: 1 results so far
VERBOSE: We see no or an invalid next link of: False
VERBOSE: WAITING
VERBOSE: Adaptive sleeping for: 4 Seconds
VERBOSE: GET https://mattegantest.oktapreview.com/api/v1/users/00uabxx4hlwm47RSV0h7/factors/opfewfdhfj8fJZ9rz0h7/transactions/v2mst.xolQVDDJSAuo4WxFiJEuqg with 0-byte payload
VERBOSE: received -byte response of content type application/json
VERBOSE: Req-Hdr: Accept-Encoding -> deflate,gzip
VERBOSE: Req-Hdr: Accept-Charset -> ISO-8859-1,utf-8
VERBOSE: Req-Hdr: Accept-Language -> en-US
VERBOSE: Req-Hdr: Authorization -> SSWS xXxXxXxxXxxXxXxXxxXx
VERBOSE: Req-Hdr: Content-Type -> application/json
VERBOSE: Req-Hdr: User-Agent -> Okta-PSModule/2.4 (6.0.2) (Unix) (Darwin 17.5.0 Darwin Kernel Version 17.5.0: Fri Apr 13 19:32:32 PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64)
VERBOSE: Res-Hdr: Date -> Wed, 01 Aug 2018 21:37:59 GMT
VERBOSE: Res-Hdr: X-Okta-Request-Id -> W2IoN1qZpFnKCGfjChJP1AAAB10
VERBOSE: Res-Hdr: X-Rate-Limit-Limit -> 600
VERBOSE: Res-Hdr: X-Rate-Limit-Remaining -> 588
VERBOSE: Res-Hdr: X-Rate-Limit-Reset -> 1533159484
VERBOSE: Res-Hdr: Content-Type -> application/json; charset=UTF-8
VERBOSE: Okta Request ID: W2IoN1qZpFnKCGfjChJP1AAAB10
VERBOSE: There was content retured, convert from json string
VERBOSE: You have 588 out of 600 aka: 98.000% left in the tank
VERBOSE: This Page returned: 1, we've seen: 1 results so far
VERBOSE: We see no or an invalid next link of: False
VERBOSE: SUCCESS

terabyte12 commented 5 years ago

I am attempting to perform on-demand token validation for an internal process.

I have tried the following.

$factor = oktaVerifyOTPbyUser -uid 00u246beds7Tu8Dxw1t7 -fid ost4pbbsl6hCjiv2v1t7 -otp 116991

This results in $factor.factorResults = SUCCESS if it works. However, if the OTP is invalid, I get the error below and cannot use $factor.factorResults.

WARNING: Unable to find type [Microsoft.PowerShell.Commands.HttpResponseException].
WARNING: Encountered error, returning limited or empty set

When using the oktaVerifyPushbyUser cmdlet, the final status is only returned as a verbose status, so again there is no $factor.factorResults available.

I am using the following to poll the results in my own loop, which has its own problems:

$result = oktaFetch_link -_link $factor._links.poll.href
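
The poll loop this thread discusses, written out as an added example (not code from either commenter or from Okta-PSModule): it sends the push with the same SSWS API token and polls _links.poll.href until factorResult leaves WAITING. The function name, its parameters and the 60-second deadline are assumptions; the endpoints are the ones shown in the verbose log above.

```powershell
# Added example: Wait-OktaPushResult and its parameters are hypothetical names.
function Wait-OktaPushResult {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $OktaBaseUrl,  # e.g. https://example.oktapreview.com
        [Parameter(Mandatory)] [string] $ApiToken,     # SSWS token; load from a secret store
        [Parameter(Mandatory)] [string] $UserId,
        [Parameter(Mandatory)] [string] $FactorId,
        [int] $TimeoutSeconds = 60                     # assumed local deadline
    )
    $base    = $OktaBaseUrl.TrimEnd('/')
    $headers = @{ Authorization = "SSWS $ApiToken"; Accept = 'application/json' }

    # Trigger the push. The response carries factorResult (WAITING) and the
    # transaction URL in _links.poll.href.
    $tx = Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' `
            -Uri "$base/api/v1/users/$UserId/factors/$FactorId/verify" -Body '{}'
    $pollUri = $tx._links.poll.href

    # Follow the link only if it points at the same org over HTTPS, so the API
    # token is never sent to a host taken from response data alone.
    if (-not $pollUri) { throw 'No poll link in verify response' }
    $poll = [Uri]$pollUri
    if ($poll.Scheme -ne 'https' -or $poll.Host -ne ([Uri]$base).Host) {
        throw "Unexpected poll link: $pollUri"
    }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $delay    = 1
    $result   = $tx.factorResult
    while ($result -eq 'WAITING' -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $delay
        $delay  = [Math]::Min($delay + 1, 5)   # 1, 2, 3, 4 ... as in the verbose log
        $result = (Invoke-RestMethod -Method Get -Uri $poll -Headers $headers).factorResult
    }

    # Anything other than SUCCESS (REJECTED, TIMEOUT, still WAITING) is a denial.
    [pscustomobject]@{
        UserId       = $UserId
        FactorId     = $FactorId
        FactorResult = $result
        Approved     = ($result -eq 'SUCCESS')
    }
}
```

Callers should gate on the Approved property only, so that a rejected, expired or still-pending push all fail closed.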

mbegan commented 5 years ago

hrm... clearly some POC quality code I put up there.

I just pushed an update that preserves/returns the push status when using the oktaVerifyPushbyUser cmdlet.

The way oktaVerifyOTPbyUser behaves will remain for now. The Okta application servers return a 403 forbidden, which is deeply programmed in my module to throw in way too many places; I need to resolve that. If you want, you can start replacing throws with write-error. I need to do more testing before I commit it.
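
One way to get a usable result object when an OTP is wrong, as an added example that is not part of the module or of either commenter's code: call the verify endpoint directly and turn the 403 into a "not verified" result while still surfacing every other failure. Test-OktaOtp, its parameters and the NOT_VERIFIED label are assumptions.

```powershell
# Added example: Test-OktaOtp and its parameters are hypothetical names.
function Test-OktaOtp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $OktaBaseUrl,  # e.g. https://example.oktapreview.com
        [Parameter(Mandatory)] [string] $ApiToken,     # SSWS token; load from a secret store
        [Parameter(Mandatory)] [string] $UserId,
        [Parameter(Mandatory)] [string] $FactorId,
        [Parameter(Mandatory)] [string] $PassCode      # never log this value
    )
    $headers = @{ Authorization = "SSWS $ApiToken"; Accept = 'application/json' }
    $uri     = "$($OktaBaseUrl.TrimEnd('/'))/api/v1/users/$UserId/factors/$FactorId/verify"
    $body    = @{ passCode = $PassCode } | ConvertTo-Json

    try {
        $r = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers `
                -ContentType 'application/json' -Body $body
        $status = 200
        $result = $r.factorResult
    }
    catch {
        # Windows PowerShell 5.1 raises System.Net.WebException and PowerShell 6+
        # raises Microsoft.PowerShell.Commands.HttpResponseException. Both expose
        # .Response.StatusCode, so neither type has to be named here.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }               # DNS/TLS/network failure, not a verdict
        $status = [int]$resp.StatusCode
        if ($status -ne 403) { throw }          # 401, 429, 5xx stay operational errors
        $result = 'NOT_VERIFIED'                # constructed label for the 403 case
    }

    [pscustomobject]@{
        UserId       = $UserId
        FactorId     = $FactorId
        HttpStatus   = $status
        FactorResult = $result
        Verified     = ($result -eq 'SUCCESS')
    }
}
```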

terabyte12 commented 5 years ago

Thank you! I'll look forward to a future update for the VerifyOTP.

terabyte12 commented 5 years ago

Now that oktaVerifyPushbyUser is returning an object with factorResult, can the verbose output be suppressed unless the -verbose option is specified?

Thanks!

mbegan commented 5 years ago

It should be silent if $oktaVerbose is $false. I'll change the write-host at line 3213 to be a write-verbose.