-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add support for step up authentication #140
feat: Add support for step up authentication #140
Conversation
When "Extra Verification" is required in authenticate_to_roles, make an additional request to '/api/v1/authn' using the current state token. Use '/login/sessionCookieRedirect' in authenticate_to_roles to ensure the the 'HTTP_client' cookies have the values needed for step up authentication and also the device token. Add optional support for device token across session so that step up authentication does not require multiple MFA requests. Add device token options to 'config.py'. Add getting and setting the device token to 'http_client.py'. Add storing the device token to the ini file to 'user.py'. Add the device token options to 'docs/README.md'.
cookies = requests.cookies.RequestsCookieJar() | ||
cookies.set("sid", sess_id, domain=urlparse(url).netloc, path="/") | ||
cookies.set("sid", sess_id, domain=domain, path="/") | ||
cookies.set("sessionToken", session_token, domain=domain, path="/") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ℹ️ This is necessary as the session token is needed for the later call to /login/sessionCookieRedirect
.
@@ -429,7 +458,7 @@ def extract_state_token(html): | |||
state_token = None | |||
pattern = re.compile(r"var stateToken = '(?P<stateToken>.*)';", re.MULTILINE) | |||
|
|||
script = soup.find("script", text=pattern) | |||
script = soup.find("script", string=pattern) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/Volumes/xxxxx/tokendito/tokendito/okta.py:461: DeprecationWarning: The 'text' argument to find()-type methods is deprecated. Use 'string' instead.
script = soup.find("script", text=pattern)
Before:
191 passed, 18 deselected, 5 warnings in 0.85s
After:
191 passed, 18 deselected in 0.66s
:return: True if step up authentication was successful; False otherwise | ||
""" | ||
auth_properties = get_auth_properties(userid=config.okta["username"], url=config.okta["org"]) | ||
if "type" not in auth_properties or not is_local_auth(auth_properties): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ℹ️ I only added support for local_auth
since I do not have access to a saml2
environment to test appropriately.
hi @ruhulio this looks amazing - let us do a bit of internal testing and come back with feedback. |
It looks like a check failed due to an error unrelated to the code changes. During
|
That was me, sorry. I was hoping to re-run tests through the auth pipeline. These new errors can be ignored. |
Hey @ruhulio, I just tested your branch and ran into a small problem. If the MFA response is passed in the command line, then the second round of authorization fails. My guess is that we need to clear DUO seemed to be a bit problematic as well, but that's secondary at this point. It's likely that once we fix that issue with the logic flow I mentioned above we will get that working as well. Happy to work with you out of band to get it to work. The code looks awesome otherwise.
|
Thanks @pcmxgti for the details on the failure you're seeing. I'll take a look at addressing the issue and get this PR updated by tomorrow (hopefully). |
Anytime. Since you are going to make changes, would you mind removing the version change in |
@@ -605,6 +634,9 @@ def totp_approval(config, selected_mfa_option, headers, mfa_challenge_url, paylo | |||
user.add_sensitive_value_to_be_masked(mfa_verify["sessionToken"]) | |||
logger.debug(f"mfa_verify [{json.dumps(mfa_verify)}]") | |||
|
|||
# Clear out any MFA response since it is no longer valid | |||
config.okta["mfa_response"] = None |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ℹ️ This should address the re-use of MFA response during step up authentication. By putting it here, I'm hoping this will catch any future™ downstream re-use issues as well.
@pcmxgti The version change has been reverted and the MFA response re-use should be addressed as well. I don't have access to a |
@ruhulio I tested locally with Step-Up (TOTP, Duo, and Push) and everything looks great. We'll add Step-up tests soon so they are part of the end-to-end automated tests. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Description
When "Extra Verification" is required in
authenticate_to_roles
, make an additional request to/api/v1/authn
using the current state token.Use
/login/sessionCookieRedirect
inauthenticate_to_roles
to ensure theHTTP_client
cookies have the values needed for step up authentication and also the device token.Add optional support for device token across session so that step up authentication does not require multiple MFA requests.
Add device token options to
config.py
.Add getting and setting the device token to
http_client.py
.Add storing the device token to the ini file to
user.py
.Add the device token options to
docs/README.md
.Related Issue
N/A
Motivation and Context
I work for
Realtor.com
which is peer organization toDowJones.com
and we are wanting to switch a tech group to usingtokendito
for generatingAWS
credentials. To fully support this group, some of the tiles require step up authentication whichtokendito
does not currently support. So, I used my insomnia time to make these changes.How Has This Been Tested?
Testing included:
Example run (with user and company specific info redacted):
Types of changes
Checklist: