This repository has been archived by the owner on May 18, 2021. It is now read-only.
feat: Persist device token cookie in keystore to prevent repeated MFA prompt #259
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Based on @Chippiewill PR segmentio#213 When using MFA, Okta expects the device token cookie `DT` in addition to the session ID cookie `sid`. If MFA is required in the Okta app and this cookie is not sent the session fails. This causes `aws-okta` to go through the entire authentication flow again, eliminating any benefits of session caching. This change persists the device token the same way as the session ID. I've kept the existing API identical, adding new function calls that take a OktaCookies struct.
Ask the server to remember MFA was entered. The Okta application decides how long. This prevents MFA from being requested on every request to Okta. Fix Issue segmentio#257.
|
@nickatsegment any feedback on this PR? |
nickatsegment
approved these changes
Dec 17, 2019
dkujawski
added a commit
to dkujawski/aws-okta
that referenced
this pull request
Jan 31, 2020
…ated MFA prompt (segmentio#259)" This reverts commit 18e92f7.
dkujawski
added a commit
to dkujawski/aws-okta
that referenced
this pull request
Feb 19, 2020
…ated MFA prompt (segmentio#259)" This reverts commit 18e92f7.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
Based on @Chippiewill PR #213
When using MFA, Okta expects the device token cookie
DTin addition tothe session ID cookie
sid. If MFA is required in the Okta app and thiscookie is not sent the session fails. This causes
aws-oktato gothrough the entire authentication flow again, eliminating any benefits
of session caching.
This change persists the device token the same way as the session ID.
I've kept the existing API identical, adding new function calls that
take an OktaCookies struct.
Testing
Manual testing with Push notification and Okta AWS application setup to require MFA "Per Session" and "Once per Day".
With both patches in place, the Okta session is successfully reused, without MFA prompt, to create new AWS STS tokens when the previous STS token is expired.