Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Duo push and passcode support in Okta is too simplistic #427

Open
LucidityCrash opened this issue Aug 31, 2023 · 1 comment
Open

Duo push and passcode support in Okta is too simplistic #427

LucidityCrash opened this issue Aug 31, 2023 · 1 comment

Comments

@LucidityCrash
Copy link

The if statement in PR #217 is too simplistic, it also assumes that the user doesn't have any other MFA methods configured ... Google Authenticator for example

Expected Behavior

push and passcode options for DUO via Okta should be available if more than 1 MFA is configured.

Current Behavior

if another MFA token eg Google Authenticator is added to the Okta account along side Duo then only web: Duo is available.

Possible Solution

iterate over the list of factors and only add push & passcode to the list if provider == DUO and factortype push & passcode are not present.

Steps to Reproduce (for bugs)

Add Google Authenticator and Duo as MFA methods on an Okta account
run gimmie-aws-creds
after authentication
Pick a factor shows
[0] token:software:totp( GOOGLE ) : xxx@xxxxxxxxx
[1] web: Duo

Attaching a debugger you can see that the factors variable is :

[
{'id': 'xxxxxxxxxxxxxxxxxxxx', 'factorType': 'token:software:totp', 'provider': 'GOOGLE', 'vendorName': 'GOOGLE', 'profile': {...}, '_links': {...}}, 
{'id': 'xxxxxxxxxxxxxxxxxxxx', 'factorType': 'web', 'provider': 'DUO', 'vendorName': 'DUO', 'profile': {...}, '_links': {...}}
]

so the len of factors is 2 so the code block to add push and passcode is never executed.

Your Environment

  • App Version used: 2.7.2
  • Operating System and version: Ubuntu 22.04
@LucidityCrash
Copy link
Author

a 5 minute hack give a not exactly pretty patch replace lines 802 to 808 in okta_classic.py with :

        only_web = True
        i = 0
        j = 0
        returned_factors = len(factors)
        while i < returned_factors:
            if factors[i].get('provider') == 'DUO' and factors[i].get('factorType') != 'web':
                only_web = False
                break
            i += 1  
        
        while j < returned_factors:
            if factors[j].get('provider') == 'DUO' and factors[j].get('factorType') == 'web' and only_web:
                push = copy.deepcopy(factors[j])
                push['factorType'] = "push"
                factors.append(push)
                passcode = copy.deepcopy(factors[j])
                passcode['factorType'] = "passcode"
                factors.append(passcode)
            j += 1

But it seems to do whats needed ... the first while loop is to manage what the len(factors) = 1 check used to do and make sure that if Okta start returning push and passcode as valid Duo methods we don't add them a 2nd time (limitation here is it assumes that if they do change this they will start returning all 3 and not just add one of push or passcode), 2nd loop adds push and passcode if only duo web is present.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@LucidityCrash