
auth/okta: Add support for Okta number challenge #15361

Merged (9 commits) into main, May 12, 2022

Conversation

@calvn (Contributor) commented May 10, 2022

This PR adds the ability for the Okta Auth Method to perform the 3-number verification challenge if that's enabled on an Okta Organization.

The login flow is as follows, which happens within a single Vault login CLI command:

  1. Perform a Vault login using Okta credentials:

     $ vault login -method=okta [email protected]
     Password (will be hidden):
     ...

  2. Receive and confirm the MFA prompt.

  3. Receive a number challenge in the CLI:

     ...
     In Okta Verify, tap the number '32'
     ...

  4. Validate the number on the user's device.

  5. Successful login:

     ...
     Success! You are now authenticated. The token information displayed below
     is already stored in the token helper. You do NOT need to run "vault login"
     again. Future Vault requests will automatically use this token.

     Key                    Value
     ---                    -----
     token                  hvs.CAESIF6yzMNIoAiH6WqTvZ9W_bhI-ux6qsLLBHfKoBCZegnKGh4KHGh2cy4wZVVQTmdnbDUxbUVzTGRTN25MNzlPS3k
     token_accessor         GrGamdHye5dZKRr092bydAfO
     token_duration         768h
     token_renewable        true
     token_policies         ["default" "foo"]
     identity_policies      []
     policies               ["default" "foo"]
     token_meta_policies    default,foo
     token_meta_username    [email protected]

@calvn calvn added this to the 1.11.0-rc1 milestone May 10, 2022
@calvn calvn requested a review from a team May 10, 2022 23:24
@austingebauer (Contributor) left a comment

Just a couple of comments. Looks good to me otherwise 👍

@austingebauer (Contributor) left a comment

👍

@calvn calvn requested a review from taoism4504 as a code owner May 11, 2022 23:12
@@ -246,7 +268,7 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username, pas
}

select {
case <-time.After(500 * time.Millisecond):
case <-time.After(1 * time.Second):
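Review bot: the `select` at the end of this hunk shows only the timer case; since `Login` receives a `ctx`, pair `case <-time.After(1 * time.Second):` with a `case <-ctx.Done():` that returns `ctx.Err()`, so a cancelled or timed-out request stops polling Okta instead of issuing further authn/ calls. Consider also hoisting the interval into a named constant beside whatever overall wait bound the loop uses, so the rate-limit rationale from the discussion lives in one place.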
@calvn (Contributor, Author) commented May 11, 2022

Taking the opportunity in this PR to change the polling frequency from 500ms to 1s. The rationale behind this change is that Okta dev accounts have a rate limit of 100req/min on authn/ endpoints (non-dev accounts do have higher limits), and at this frequency calls made by a vault login will trigger a warning and eventually lead to rate limit exceeded errors. By lowering this to a max of 60req/min we avoid hitting this rate limit and getting into flaky testing scenarios. The bump should not be that noticeable since this is a purely human-based flow.

Login MFA uses a 1s polling frequency, so it should be acceptable for us here as well:

case <-time.After(time.Second):
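A context-aware poll loop with the rate-limit arithmetic from the comment above, written as an added example rather than Vault's own code; `PollVerify`, `MaxRequestsPerMinute`, `FitsDevLimit` and the `verify` callback are assumed names, and the 100 req/min figure is the one quoted in the discussion.

```go
package main

import (
	"context"
	"errors"
	"time"
)

// Constructed example, not Vault's code: poll an MFA push verification at a
// fixed interval, stop when the caller's context is done, and size the
// interval against Okta's authn/ rate limit.

const (
	pollInterval       = time.Second // interval adopted in the PR (was 500ms)
	oktaDevAuthnPerMin = 100         // authn/ limit for dev orgs, per the PR comment
)

var ErrVerifyTimeout = errors.New("okta push verification timed out")

// PollVerify calls verify every interval until it reports done, returns an
// error, or ctx is done. It returns the number of verify calls made.
func PollVerify(ctx context.Context, interval time.Duration,
	verify func(ctx context.Context) (done bool, err error)) (int, error) {
	calls := 0
	for {
		calls++
		done, err := verify(ctx)
		if err != nil {
			return calls, err
		}
		if done {
			return calls, nil
		}
		select {
		case <-ctx.Done(): // request cancelled or overall wait exhausted
			return calls, ErrVerifyTimeout
		case <-time.After(interval):
		}
	}
}

// MaxRequestsPerMinute is the worst-case number of verify calls one login
// issues per minute at the given interval.
func MaxRequestsPerMinute(interval time.Duration) int {
	return int(time.Minute / interval)
}

// FitsDevLimit: does one login at this interval stay under the dev-org limit
// (plus one for the initial authn call that starts the transaction)?
func FitsDevLimit(interval time.Duration) bool {
	return MaxRequestsPerMinute(interval)+1 < oktaDevAuthnPerMin
}
```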

@swenson (Contributor) left a comment

LGTM

@calvn calvn merged commit a970427 into main May 12, 2022
@calvn calvn deleted the okta-number-challenge branch May 12, 2022 00:09
@adrian-mi-romero commented

@calvn how can I know if your fix that was merged to main was indeed included in a Vault release version? Thanks in advance.

@tvoran (Member) commented Feb 23, 2023

Hi @adrian-mi-romero, if you click on the commit sha from the "calvn merged commit" message above, and then expand the tags, it'll show which releases included this patch. Example screenshot:

[Screenshot attached, 2023-02-23]

@adrian-mi-romero commented

Thanks a lot @tvoran, so it should be in v1.12.X ... Wondering about it because if you check the doc for v1.12.X it says your fix is not supported/included.
https://developer.hashicorp.com/vault/docs/auth/login-mfa/faq#q-what-is-single-phase-mfa-vs-two-phase-mfa
[Image attached]

@tvoran (Member) commented Feb 23, 2023

@adrian-mi-romero Best to open another issue about that.

@bobby-mack commented

@calvn By chance did a recent update in 1.15.0 result in this feature breaking for Okta Verify Number Challenge? We're no longer presented with the corresponding matching number in the UI (previously working) as part of this PR.

I have since opened an issue for this, just an FYI: #23465
