supporting google authenticator with Okta auth #14985
Conversation
I have tested it manually, as it would need Okta credentials. I will push the manual script into the vault-tools repo shortly. Do you still think a GO test would be needed? |
| if preferredProvider != "" && preferredProvider != v.Provider { | ||
| continue | ||
| } |
There was a problem hiding this comment.
Is this check necessary, or does the strutil.ListContains call below handle this already (both the empty provider case and the matching provider checks)?
There was a problem hiding this comment.
It is needed. Suppose I enabled Google totp, and Okta push and totp on my account. Then, this loop goes through an array containing all three enabled providers methods as the result.Embedded.Factors is populated by the third party Okta api. In this case, suppose I pass in the Google totp to the login command. However, when the loop ends, the totp factor could be populated by the okta totp. Then, MFA validation fails since I have passed in the Google totp code. The reason I introduced the provider in the command line is this. Cause without it, there is no way to distinguish whether the totp code is for Okta or Google.
The below strutil.ListContains just makes sure that we only accept Google and Okta as there are more providers than these two as mentioned in the Okta documentation.
There was a problem hiding this comment.
Ah, yes that makes sense! Somehow I overlooked where preferredProvider is coming from.
There was a problem hiding this comment.
Does this mean that if I only have Google TOTP enabled, that I'd have to explicitly set Google as the provider? Because that seems like an unworkable situation -- our org has folks with a mix of either Okta Verify or Google TOTP (but not Okta TOTP), and we can't know in advance which provider to use.
Insisting that the provider be specified should only be required if both Okta and Google TOTP are present.
There was a problem hiding this comment.
No, if you only have Google TOTP enabled in your Okta account, you don't need to pass in the provider, as result.Embedded.Factors would only have one element. The problem raises when in a single Okta account, both Okta TOTP and Google TOTP are enabled as possible providers. Here, you would need to pass in the provider. Note that if you have enabled Okta Push and Google TOTP, you would NOT need to pass in the provider.
There was a problem hiding this comment.
Thanks for clarifying @hghaf099! 🙇♂️
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
|
Should this be backported as well? |
|
This is more of an enhancement/improvement than a bug, so I'd think that it doesn't need to be backported. |
* supporting google authenticator with Okta auth * minor fix * CL * feedback * Update changelog/14985.txt Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com> * updating docs Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
* supporting google authenticator with Okta auth * minor fix * CL * feedback * Update changelog/14985.txt Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com> * updating docs Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
* supporting google authenticator with Okta auth * minor fix * CL * feedback * Update changelog/14985.txt Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com> * updating docs Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
When authenticating via Okta, Vault does not recognize the Google provider TOTP type.
Addresses #14535