oktadev / okta-aws-cli-assume-role

Okta AWS CLI Assume Role Tool
Apache License 2.0

Support for MFA Yubico FIDO/U2F key #125

Open hao-public opened 6 years ago

hao-public commented 6 years ago

Will it be possible to support the Yubico FIDO/U2F key with MFA?

AlainODea commented 6 years ago

Yubikey MFA works already for a colleague of mine.

It doesn’t work with app-level MFA.

What are you seeing?

pc-fmarin commented 6 years ago

I'm getting the following error when authenticating with U2F and version 1.0.2 of okta-aws-cli-assume-role; it works with the browser.

Multi-Factor authentication is required. Please select a factor to use.
Factors:
[ 1 ] : FIDO u2f
[ 2 ] : Okta Verify (Push)
[ 3 ] : Okta Verify (TOTP)
Selection: 1
Exception in thread "main" java.lang.RuntimeException: You do not have access to AWS through Okta.
Please contact your administrator.
    at com.okta.tools.saml.OktaSaml.getSamlResponseForAws(OktaSaml.java:53)
    at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:45)
    at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:88)
    at com.okta.tools.awscli.main(awscli.java:33)

AlainODea commented 6 years ago

@pc-fmarin do you have the AWS app assigned to you in Okta? Are you using app-level MFA?

pc-fmarin commented 6 years ago

Yes, I have the AWS app, and no, it's not app-level; it's one MFA for all of Okta and the apps I've been assigned.

AlainODea commented 6 years ago

@pc-fmarin this kind of failure indicates that Okta is not directly responding with a SAMLResponse.

OKTA_AWS_APP_URL must be the app embed URL. If visiting it while authenticated leads to a redirect this tool will not work.

Does OKTA_AWS_APP_URL work if you copy paste it into a web browser? Does the web browser use a proxy?

Have you tried OKTA_BROWSER_AUTH?
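
A small offline check in the spirit of this diagnosis (an added example, not code from the issue or from the tool): classify what a request to OKTA_AWS_APP_URL came back with, treating a redirect, or a 200 page that carries no usable SAMLResponse form, as the "Okta is not directly responding with a SAMLResponse" case. The sample responses are constructed and the function names are hypothetical.

```python
"""Classify an OKTA_AWS_APP_URL response: direct SAML POST form, redirect, or neither.

Constructed samples only; nothing here touches the network. Function and
constant names are hypothetical, not the tool's own.
"""
import base64
import re
from html.parser import HTMLParser


class _SamlFormParser(HTMLParser):
    """Collects the value of <input name="SAMLResponse"> from an HTML body."""

    def __init__(self):
        super().__init__()
        self.saml_response = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag.lower() == "input" and a.get("name") == "SAMLResponse" and a.get("value"):
            self.saml_response = a["value"]


def classify_app_response(status, headers, body):
    """Return 'saml_form', 'redirect' or 'no_saml' for one HTTP response."""
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return "redirect"  # embed URL bounced us elsewhere: the tool cannot work
    parser = _SamlFormParser()
    parser.feed(body)
    if parser.saml_response is None:
        return "no_saml"  # e.g. a sign-in page returned with status 200
    try:
        xml = base64.b64decode(parser.saml_response, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return "no_saml"  # value present but not base64-encoded XML
    # A usable assertion is a (saml2p:)Response document.
    return "saml_form" if re.search(r"<(\w+:)?Response\b", xml) else "no_saml"


# Constructed sample responses for the three cases.
SAML_XML = '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0"/>'
SAML_FORM = (
    '<html><body><form method="post" action="https://signin.aws.amazon.com/saml">'
    '<input type="hidden" name="SAMLResponse" value="%s"/>'
    '<input type="hidden" name="RelayState" value=""/></form></body></html>'
    % base64.b64encode(SAML_XML.encode()).decode()
)
REDIRECT_HEADERS = {"Location": "https://example.okta.com/login/login.htm"}
LOGIN_PAGE = '<html><body><div id="okta-sign-in">Sign In</div></body></html>'

if __name__ == "__main__":
    print(classify_app_response(200, {}, SAML_FORM))         # saml_form
    print(classify_app_response(302, REDIRECT_HEADERS, ""))  # redirect
    print(classify_app_response(200, {}, LOGIN_PAGE))        # no_saml
```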

pc-fmarin commented 6 years ago

@AlainODea when I set that property it boots a desktop app to log in, which shows the error "Security Key (U2F) is not supported on this browser. Select another factor or contact your admin for assistance." Also the following error immediately happens in the CLI:

export OKTA_BROWSER_AUTH=true
~/.okta$ ./awscli ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,State.Code]' --output table --max-items 1
Exception in thread "JavaFX Application Thread" java.lang.NullPointerException
    at com.okta.tools.authentication.BrowserAuthentication.getAwsStsSamlForm(BrowserAuthentication.java:95)
    at com.okta.tools.authentication.BrowserAuthentication.getSamlResponseForAws(BrowserAuthentication.java:89)
    at com.okta.tools.authentication.BrowserAuthentication.checkForAwsSamlSignon(BrowserAuthentication.java:82)
    at com.okta.tools.authentication.BrowserAuthentication.lambda$start$0(BrowserAuthentication.java:69)
    at com.sun.javafx.binding.ExpressionHelper$SingleChange.fireValueChangedEvent(ExpressionHelper.java:182)
    at com.sun.javafx.binding.ExpressionHelper.fireValueChangedEvent(ExpressionHelper.java:81)
    at javafx.beans.property.ReadOnlyObjectPropertyBase.fireValueChangedEvent(ReadOnlyObjectPropertyBase.java:74)
    at javafx.beans.property.ReadOnlyObjectWrapper.fireValueChangedEvent(ReadOnlyObjectWrapper.java:102)
    at javafx.beans.property.ObjectPropertyBase.markInvalid(ObjectPropertyBase.java:112)
    at javafx.beans.property.ObjectPropertyBase.set(ObjectPropertyBase.java:146)
    at javafx.scene.web.WebEngine$LoadWorker.updateState(WebEngine.java:1287)
    at javafx.scene.web.WebEngine$LoadWorker.dispatchLoadEvent(WebEngine.java:1401)
    at javafx.scene.web.WebEngine$LoadWorker.access$1200(WebEngine.java:1280)
    at javafx.scene.web.WebEngine$PageLoadListener.dispatchLoadEvent(WebEngine.java:1267)
    at com.sun.webkit.WebPage.fireLoadEvent(WebPage.java:2516)
    at com.sun.webkit.WebPage.fwkFireLoadEvent(WebPage.java:2360)
    at com.sun.webkit.network.URLLoader.twkDidFinishLoading(Native Method)
    at com.sun.webkit.network.URLLoader.notifyDidFinishLoading(URLLoader.java:871)
    at com.sun.webkit.network.URLLoader.lambda$didFinishLoading$103(URLLoader.java:862)
    at com.sun.javafx.application.PlatformImpl.lambda$null$172(PlatformImpl.java:295)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.javafx.application.PlatformImpl.lambda$runLater$173(PlatformImpl.java:294)
    at com.sun.glass.ui.InvokeLaterDispatcher$Future.run(InvokeLaterDispatcher.java:95)

Is it possible to boot the browser experience (assuming it's working) after choosing authentication in the CLI?

~/.okta$ ./awscli ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,State.Code]' --output table --max-items 1
Username: frank.thomas@foobar.com
Password:

Multi-Factor authentication is required. Please select a factor to use.
Factors:
[ 1 ] : FIDO u2f
[ 2 ] : Okta Verify (Push)
[ 3 ] : Okta Verify (TOTP)
Selection: 1
Exception in thread "main" java.lang.RuntimeException: You do not have access to AWS through Okta.
Please contact your administrator.
    at com.okta.tools.saml.OktaSaml.getSamlResponseForAws(OktaSaml.java:53)
    at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:45)
    at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:88)

AlainODea commented 6 years ago

@pc-fmarin interesting. It looks like my colleague was using a Yubikey in a token mode rather than FIDO U2F mode.

FIDO U2F will likely require an integration with a full browser like Firefox, Microsoft Edge, or Chrome. Okta's FIDO U2F verification flow requires calling a JavaScript API that the embedded WebKit in JavaFX WebView appears not to support: https://developer.okta.com/docs/api/resources/factors#verify-u2f-factor

Caveat: I'm not an Okta employee. I get no compensation for investigating or fixing these issues. I'm quite busy with other projects, so someone else will need to step in.

smiller171 commented 5 years ago

It's possible to handle U2F on the CLI, but dumping to a browser is probably easier.