search

okta / okta-sdk-golang

A Golang SDK for interacting with the Okta management API, enabling server-side code to manage Okta users, groups, applications, and more.
https://github.com/okta/okta-sdk-golang
Other
174 stars 143 forks source link

Issue with private key authentication when key is generated from the Okta admin portal #351

Closed burimbd closed 5 months ago

burimbd commented 1 year ago

Describe the bug?

When I generate a public/private key pair in the application page on the okta admin portal, the pem version of the generated Key is as follows: -----BEGIN PRIVATE KEY----- redacted -----END PRIVATE KEY----- However, the sdk expects the private key to be of the following format: -----BEGIN RSA PRIVATE KEY----- redacted -----END RSA PRIVATE KEY----- This means that I cannot use a private key as generated from the portal. Given that the key is generated from okta and the sdk is built by okta, it would be nice if things worked together.

Not sure where the change should be made.

What is expected to happen?

I expected to be able to use the keys as generated from the Okta admin portal.

What is the actual behavior?

keys generated from the okta admin portal fail with the error: RSA private key is of the wrong type

Reproduction Steps?

  1. Generate key for application for Okta admin portal.
  2. use the key with SDK and will get RSA private key is of the wrong type

Additional Information?

No response

Golang Version

go version go1.19.3 linux/amd64

SDK Version

github.com/okta/okta-sdk-golang/v2 v2.14.0

OS version

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/"

github-actions[bot] commented 1 year ago

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.

tl24 commented 1 year ago

I just experienced this as well. Is there some instructions on how to use client application for authentication with the okta provider?

burimbd commented 1 year ago

@tl24 as a workaround you can convert the pem private key you get from the Okta Admin dashboard to rsa format using openssl as follows:

openssl rsa -in <oktaDashboardPrivateKey.pem> -out <rsaKey.pem>

Change the file names to match yours. Hope this helps.

tl24 commented 1 year ago

@burimbd Thanks! Exactly what I was looking for. Tried changing the text in the section headers, but no luck there.

github-actions[bot] commented 1 year ago

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.

github-actions[bot] commented 1 year ago

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.

monde commented 1 year ago

@burimbd here is some information that you'll find useful about private key formats that we are working on for the terraform provider:

Check that the generated private key is in PKCS#1 encoding, the format required by the Okta Terraform provider. In that format, the file containing the private key begins with `-----BEGIN RSA PRIVATE KEY-----`. You can convert the key to the correct format using the OpenSSL command line program:

In a terminal, navigate to the file path where you saved the original private key. 
Run the following command:
`openssl rsa -in {ORIGINAL_PRIVATE_KEY} -out {CONVERTED_PRIVATE_KEY}`

*ORIGINAL_PRIVATE_KEY*: The file containing the key generated earlier. 
*CONVERTED_PRIVATE_KEY*: The file containing the converted key.

Note: The file containing the converted private key must begin with “-----BEGIN RSA PRIVATE KEY-----”. If not, try step two again.
monde commented 1 year ago

Re-opned this. The okta-sdk-golang client should be smarter and try to interchange pkcs1 and pkcs8 formats imo: https://github.com/okta/okta-sdk-golang/blob/b145286aeae96f4e5173640a537769ded8342cc0/okta/requestExecutor.go#L237-L259 This keeps coming up in our Terraform discussions. cc: @duytiennguyen-okta @jefftaylor-okta

github-actions[bot] commented 1 year ago

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.

wcarson commented 1 year ago

Please keep this issue open. This is causing a lot of confusion with our developers as the expectation is Okta-generated keys should work as-is with Okta SDKs without a manual openssl conversion step.

Static-Flow commented 6 months ago

+1 This is really surprising that Okta's own SDK can't handle the keys generated by their own admin portal.

Also, not sure what this PR is #407 since it's some template file but it seems to contain code for handling non-rsa keys.

duytiennguyen-okta commented 5 months ago

Close this as it is fixed in the newer version of the SDK