Comments (17)
@nickatsegment I've had one user hit the same error in 1.0.0. I'm looking into it now.
@josacar Do you have 2FA enabled in your Okta environment, either at the user (all logins) or app (AWS) level?
Also, when you delete the okta device token and the okta session cookie, you say that fixes the issue. Roughly, how long does it keep working after deleting those, before you have to delete them again?
So far in our environment this seems to only happen once, after upgrade from v0.27.0 to v1.0.0, and not again after the old Okta session has been manually deleted from Keychain.
@josacar Is this the case for you as well? Can you also tell me more about your Okta 2FA requirements?
Merged and released https://github.com/segmentio/aws-okta/releases/tag/v1.0.1. @josacar please confirm and close
We are testing it and so far it is working well; we can close the issue and reopen if needed.
Thank you @sdann and @nickatsegment!
Do you mean that this broke between v0.27.0 and v1.0.0?
Off the top of my head, I wonder if it's this: 18e92f7
If you're code-savvy, you could try a custom build with that PR reverted.
I'm trying, however I cannot build it on my local machine.
Ok, try v0.27.0 for the time being and see if that alleviates it.
I was able to build it on my personal laptop and I can confirm reverting 18e92f7 solves the problem.
DEBU[0000] Using okta_session_cookie_key from profile: env_aws_production_super
Looks like you're using a custom cookie name. Is it possible to run without that?
Trying to decide whether we should just revert the whole patch. I think it actually fixed the case of cookies colliding when switching between accounts though. I'd argue this patch makes it more broken since it ends up failing entirely, as opposed to causing a spurious reauth
This is without a custom cookie:
$ dist/aws-okta-v1.0.0-darwin-amd64 --debug exec aws_production_ro -- aws sts get-caller-identity
DEBU[0000] Parsing config file /Users/selu/.aws/config
DEBU[0000] Using KrItemPerSessionStore
DEBU[0000] cache get `aws_production_ro session (61383132653561633237)`: miss (read error): The specified item could not be found in the keyring
DEBU[0000] Using aws_saml_url from profile aws_production_ro: home/amazon_aws/0oafwlfffff9jvXDA30x7/272
DEBU[0000] Using okta provider (okta-creds)
DEBU[0010] domain: domain.okta.com
DEBU[0011] Failed to reuse session token, starting flow from start
DEBU[0011] Step: 1
DEBU[0013] Step: 2
DEBU[0013] Step: 3
getting creds via SAML: Okta user josacar does not have the AWS app added to their account. Please contact your Okta admin to make sure things are configured properly.
@sdann you wrote the original PR; any ideas? I'm tempted to just revert the whole thing if it's breaking stuff
Unfortunately, that error message is just a catch all when Okta returns any response that doesn't include a SAMLResponse assertion. The problem could be multiple things, unrelated to whether you have permission to the Okta AWS app.
I'm able to repro that error by changing my stored okta session cookie to garbage. My environment requires 2FA. When a garbage session cookie is sent, along with DT, my environment goes down a path of requesting 2FA via the WebUI, redirecting to:
/policy/second-factor?...
/login/login.htm?...
Then login.htm gets parsed for a SAMLResponse section, which doesn't exist, and "getting creds via SAML: Okta user does not have the AWS app..." is returned.
It's not obvious to me how or why this flow is failing, but it seems related to 2FA. If your environment doesn't have 2FA required, then the first fix we should try is detecting that based off your config from aws-okta add and NOT sending the DT cookie for any requests.
@josacar Do you have 2FA enabled in your Okta environment, either at the user (all logins) or app (AWS) level?
We have 2FA in our Okta environment and we always have 2FA in some Okta apps; we have nothing extra in AWS.
With the current version, we're initially reusing the stored session and device token. These seem to both expire at the same time. aws-okta detects that the session is expired and restarts the authn flow, but keeps sending the same device token.
The creds to session flow succeeds, but during the session to SAMLAssertion request, the Okta server then realizes the device token that we've been sending is expired, and prompts for 2FA again through an HTML flow.
aws-okta doesn't have any detection for this. We could parse this 2FA prompt and restart the 2FA flow, but it's easier to clear out the device token cookie at the same time we detect the session is expired.
I've got a preliminary patch that fixes my repro. I'll clean it up and do some more testing before PR.
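Added example, written for this page in Go and not aws-okta's own code nor the fix from PR #280: it ties together the repro above (a garbage session cookie sent together with the DT ends on /policy/second-factor and then /login/login.htm, with no SAMLResponse in the page) and the explanation that the device token has to be dropped together with the expired session. The cookie names sid and DT, the function names, the SAMLResponse regexp and the httptest stand-in for the Okta org are all assumptions made for the illustration; the stand-in bounces a stale device token through the two 2FA pages and serves the SAMLResponse form once the token is gone.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Assumed cookie names for this illustration; aws-okta keeps both values in its keyring.
const (
	sessionCookieName = "sid"
	deviceTokenCookie = "DT"
)

var (
	// Okta answered the app SSO request with an interactive 2FA/login page, not the SAML form.
	ErrStaleDeviceToken = errors.New("okta redirected to 2FA/login page: session and device token are stale")
	// Crude SAMLResponse extraction (assumes name precedes value); real code should use an HTML parser.
	samlResponseRe = regexp.MustCompile(`<input[^>]*name="SAMLResponse"[^>]*value="([^"]+)"`)
)

// classifySAMLReply interprets the final landing path and body of the SSO request.
func classifySAMLReply(finalPath, body string) (string, error) {
	if m := samlResponseRe.FindStringSubmatch(body); m != nil {
		return m[1], nil
	}
	if strings.HasPrefix(finalPath, "/policy/second-factor") || strings.HasPrefix(finalPath, "/login/login.htm") {
		return "", ErrStaleDeviceToken
	}
	return "", fmt.Errorf("no SAMLResponse in Okta reply (landed on %q); app may not be assigned", finalPath)
}

// dropCookies deletes the named cookies for oktaURL; a negative MaxAge makes the jar remove the entry.
func dropCookies(jar http.CookieJar, oktaURL *url.URL, names ...string) {
	for _, n := range names {
		jar.SetCookies(oktaURL, []*http.Cookie{{Name: n, Path: "/", MaxAge: -1}})
	}
}

// fetchAssertion requests the app SSO URL with the jar's cookies. When Okta bounces to the
// 2FA pages, both cookies are cleared so the next authn flow does not re-send the expired DT.
func fetchAssertion(client *http.Client, ssoURL string) (string, error) {
	resp, err := client.Get(ssoURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	assertion, err := classifySAMLReply(resp.Request.URL.Path, string(body))
	if errors.Is(err, ErrStaleDeviceToken) {
		dropCookies(client.Jar, resp.Request.URL, sessionCookieName, deviceTokenCookie)
	}
	return assertion, err
}

// fakeOkta is a constructed stand-in for the Okta org (not real Okta behaviour in detail).
func fakeOkta() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/home/amazon_aws/app/sso", func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(deviceTokenCookie); err == nil && c.Value == "stale" {
			http.Redirect(w, r, "/policy/second-factor?fromURI=/home/amazon_aws/app/sso", http.StatusFound)
			return
		}
		fmt.Fprint(w, `<form><input type="hidden" name="SAMLResponse" value="PHNhbWw+"/></form>`)
	})
	mux.HandleFunc("/policy/second-factor", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/login/login.htm?fromURI=/home/amazon_aws/app/sso", http.StatusFound)
	})
	mux.HandleFunc("/login/login.htm", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `<html><body>Verify with your second factor</body></html>`)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := fakeOkta()
	defer srv.Close()
	jar, _ := cookiejar.New(nil)
	client := &http.Client{Jar: jar}
	u, _ := url.Parse(srv.URL)
	jar.SetCookies(u, []*http.Cookie{ // constructed stale state, as after the v1.0.0 upgrade
		{Name: sessionCookieName, Value: "expired", Path: "/"},
		{Name: deviceTokenCookie, Value: "stale", Path: "/"},
	})
	sso := srv.URL + "/home/amazon_aws/app/sso"
	_, err := fetchAssertion(client, sso)
	fmt.Println("first attempt:", err)
	a, err := fetchAssertion(client, sso)
	fmt.Println("after clearing cookies:", a, err)
}
```

The first call reproduces the misleading catch-all: the client follows the redirects, lands on /login/login.htm, finds no SAMLResponse and would otherwise report the "does not have the AWS app" message. Distinguishing the 2FA landing pages from a genuinely missing assertion gives a usable error and, by clearing the DT together with the session, the second call gets the assertion instead of looping on the stale token.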
@nickatsegment Proposed fix in PR #280
This fix is working for us pretty well; we even get proper caching of the 2FA step between profiles.