zdave / openconnect-gp-okta

OpenConnect wrapper which logs into a GlobalProtect gateway, authenticating with Okta

yubikey support? #18

Closed jlevon closed 2 years ago

jlevon commented 2 years ago

script is working great with MFA okta push - thanks!

I'd like to enable token:hardware support, but my random guesses on how are not working:

 69             if factor['factorType'] == 'token:hardware':
 70                 url = factor['_links']['verify']['href']
 71                 r = post_json(s, url, {'stateToken': r['stateToken']})
 72                 assert r['status'] == 'MFA_CHALLENGE'
 73                 code = input('One-time code for {} ({}): '.format(factor['provider'], factor['vendorName']))
 74                 r = post_json(s, url, {'stateToken': r['stateToken'], 'passCode': code})
 75                 break

Line 71 is failing against our gp instance with:

requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://<redacted>.okta.com/api/v1/authn/factors/.../verify

As far as I can figure out from the okta docs, the above is more or less what I should be doing? Any clues?

zdave commented 2 years ago

No, sorry. It's odd that line 71 is failing given that the one-time code has not even been provided at this point. That error is what I would expect from line 74 if the one-time code is wrong.

Note that the existing re.match('token(?::|$)', factor['factorType']) case should pick up token:hardware, though it will just do what you have suggested.

FWIW when I add a YubiKey to Okta the new factor that appears in the API has type webauthn not token:hardware. Possibly this depends on how the YubiKey is set up or added.

jlevon commented 2 years ago

It's possible yubikey isn't enabled at this endpoint by the admin, I'm trying to check that. I didn't realise the existing case would catch it (push is higher priority for me, although actually I'd like to choose).

when I add a YubiKey to Okta the new factor that appears in the API has type webauthn not token:hardware.

I did check it's definitely token:hardware for this portal.
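As an added example that is not part of this thread or of openconnect-gp-okta, the following shows the two points discussed above: which factorType strings the script's existing `token(?::|$)` case accepts (and that `webauthn` is not one of them), plus a factor-preference picker so the caller can choose push over token:hardware or vice versa. It assumes a `post_json(session, url, payload)` callable shaped like the script's, and uses a constructed offline stand-in for it so the flow can be run without an Okta tenant.

```python
import re

# The factorType pattern from the script's existing case: matches 'token',
# 'token:hardware', 'token:software:totp', ... but not 'webauthn' or 'push'.
TOKEN_RE = re.compile(r'token(?::|$)')

def pick_factor(factors, preferred):
    """Return the first factor matching `preferred`, tried in order.
    `factors` is the '_embedded'['factors'] list of an Okta authn response;
    `preferred` holds factorType strings, or 'token*' for anything TOKEN_RE accepts."""
    for want in preferred:
        for factor in factors:
            ftype = factor['factorType']
            if want == 'token*' and TOKEN_RE.match(ftype):
                return factor
            if ftype == want:
                return factor
    return None

def verify_otp_factor(post_json, session, factor, state_token, code):
    """Same request shape as the issue's snippet (assumption: challenge with the
    stateToken, then send stateToken and passCode together). Returns the last response."""
    url = factor['_links']['verify']['href']
    r = post_json(session, url, {'stateToken': state_token})
    if r['status'] != 'MFA_CHALLENGE':
        raise RuntimeError('unexpected status %r' % r['status'])
    # Both fields belong in one JSON object (the snippet's line 74 had a stray brace).
    return post_json(session, url, {'stateToken': r['stateToken'], 'passCode': code})

# Constructed sample factor list, shaped like an Okta authn response (hypothetical ids/URLs).
SAMPLE_FACTORS = [
    {'id': 'f1', 'factorType': 'webauthn', 'provider': 'FIDO', 'vendorName': 'FIDO',
     '_links': {'verify': {'href': 'https://example.okta.com/api/v1/authn/factors/f1/verify'}}},
    {'id': 'f2', 'factorType': 'token:hardware', 'provider': 'YUBICO', 'vendorName': 'YUBICO',
     '_links': {'verify': {'href': 'https://example.okta.com/api/v1/authn/factors/f2/verify'}}},
    {'id': 'f3', 'factorType': 'push', 'provider': 'OKTA', 'vendorName': 'OKTA',
     '_links': {'verify': {'href': 'https://example.okta.com/api/v1/authn/factors/f3/verify'}}},
]

def fake_post_json(calls):
    """Offline stand-in for the script's post_json: records every request body
    and answers the way the snippet expects (a challenge, then success)."""
    def post_json(session, url, payload):
        calls.append((url, payload))
        status = 'SUCCESS' if 'passCode' in payload else 'MFA_CHALLENGE'
        return {'status': status, 'stateToken': payload['stateToken']}
    return post_json
```

Swap `fake_post_json(calls)` for the script's real `post_json` to exercise the same code path against a tenant; the recorded `calls` list is what to compare against the request bodies the Okta authn docs show.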