gimme-aws-creds

Auth Failures to OKTA - auth_result redirect_uri failures due to localhost

Open iniquityx2 opened this issue 3 years ago • 34 comments

Expected Behavior

I should be able to auth against OKTA after entering my password and MFA token

Current Behavior

Starting this afternoon ( with no updates to the gimme-aws-creds application) numerous people encountered the exception below when trying to authenticate against OKTA. Earlier today there was no issue. We expect a change was made on the OKTA side. We do not see anything on their status page currently.

Other OKTA login tools are working.

Possible Solution

This solution got the application working again. In short it looks like http://localhost:8080/login was previously accepted but now it's not and we get a 403 response back.

update this line:

    auth_result = self.okta.auth_session()

as so:

    auth_result = self.okta.auth_session(redirect_uri=self.conf_dict.get('app_url'))

Your Environment

2.3.1 and 2.4.1 both had the same issues
Python 3.8
Windows 10 & Mac experiencing the same issue (haven't tested on Linux yet)

Exception from Gimme-Aws-Creds

❯ gimme-aws-creds
Using password from keyring for $SCRUBBED
Multi-factor Authentication required.
token:software:totp( GOOGLE ) :Enter verification code:
Traceback (most recent call last):
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/bin/gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 469, in run
    self._run()
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 802, in _run
    for data in self.iter_selected_aws_credentials():
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 773, in iter_selected_aws_credentials
    for role in self.aws_selected_roles:
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 672, in aws_selected_roles
    selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 663, in aws_roles
    self.saml_data['SAMLResponse'],
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 654, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'])
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 647, in aws_app
    self._cache['aws_app'] = aws_app = self._get_selected_app(self.conf_dict.get('aws_appname'), self.aws_results)
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 600, in aws_results
    self.auth_session
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 582, in auth_session
    auth_result = self.okta.auth_session()
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 183, in auth_session
    "session": response.cookies['sid'],
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/requests/cookies.py", line 328, in __getitem__
    return self._find_no_duplicates(name)
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/requests/cookies.py", line 399, in _find_no_duplicates
    raise KeyError('name=%r, domain=%r, path=%r' % (name, domain, path))
KeyError: "name='sid', domain=None, path=None"

iniquityx2 avatar Jun 28 '21 22:06 iniquityx2

I can confirm I am also receiving this error suddenly. I have not carried out any package updates recently

niklasvm avatar Jun 29 '21 06:06 niklasvm

We are having the same issue

inadler avatar Jun 29 '21 06:06 inadler

This is a very urgent matter.

I've also opened a ticket on Okta's side: https://support.okta.com/help/s/question/0D54z000072DT6HCAW/gimmeawscreds-broke-aws-sso?language=en_US

ChristophShyper avatar Jun 29 '21 07:06 ChristophShyper

Hmm, I have tried the possible solution, and it didn't fix the issue for me.

autarchprinceps avatar Jun 29 '21 07:06 autarchprinceps

> update this line: auth_result ****

did not work for me:

I still get:

Traceback (most recent call last):
  File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 469, in run
    self._run()
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 804, in _run
    for data in self.iter_selected_aws_credentials():
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 775, in iter_selected_aws_credentials
    for role in self.aws_selected_roles:
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 674, in aws_selected_roles
    selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 665, in aws_roles
    self.saml_data['SAMLResponse'],
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 656, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'])
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 725, in get_saml_response
    raise RuntimeError(saml_error)
RuntimeError: Did not receive SAML Response after successful authentication [https://example.okta-emea.com/home/amazon_aws/xxxxxxxxxx/272]

An error occurred (ExpiredToken) when calling the AssumeRole operation: The security token included in the request is expired
gimme-aws-creds did not work correctly try it manually

runningman84 avatar Jun 29 '21 07:06 runningman84

The workaround (as committed in fd01e7e) works for me and my team.

thorbenheins avatar Jun 29 '21 07:06 thorbenheins

@runningman84 Your error is a totally different one.

ChristophShyper avatar Jun 29 '21 07:06 ChristophShyper

@ChristophShyper If one doesn't change the auth_result, the same error as mentioned in the ticket occurs; the different error only comes after the change suggested.

autarchprinceps avatar Jun 29 '21 08:06 autarchprinceps

@autarchprinceps It's probably because of the difference in SAML configuration. Please make sure you follow the AWS and Okta documentation and use the newest gimme-aws-creds.

ChristophShyper avatar Jun 29 '21 08:06 ChristophShyper

We are running on 2.4.1 and it has worked until today. No changes to AWS or Okta configs have been made on our side that I'm aware of.

autarchprinceps avatar Jun 29 '21 08:06 autarchprinceps

> The workaround (as committed in fd01e7e) works for me and my team.

Tested and approved.

goshiz avatar Jun 29 '21 08:06 goshiz

> @runningman84 Your error is a totally different one.

@ChristophShyper I'm facing the exact same issue. To get rid of the error we have commented out the following line: https://github.com/Nike-Inc/gimme-aws-creds/blob/9fd4c4835315413b3104be601ac7e16b81bd0715/gimme_aws_creds/okta.py#L1032

We're using an OKTA tenant in EMEA and don't have the English title "Extra Verification" but instead a German one, "Zusätzliche Bestätigung". Is it possible to handle the title text more generically?

therealsebo avatar Jun 29 '21 09:06 therealsebo

@therealsebo I don't know, I'm just a user of gimme-aws-creds same as you. If you know how to fix it then propose a pull request for it. But it should be ready for any translation, I believe.

@autarchprinceps do you also use language other than English?

ChristophShyper avatar Jun 29 '21 09:06 ChristophShyper

Hmm, when using it through the browser the pages are all in English, but therealsebo's fix works for me.

autarchprinceps avatar Jun 29 '21 09:06 autarchprinceps

@ChristophShyper is it possible to call the OKTA API with a fixed language of "en"? If we change our user profiles from the default "German" to "English" it worked for us. Maybe the more generic way is to always call the API with language "en" instead of maintaining a dictionary of possible titles.

therealsebo avatar Jun 29 '21 09:06 therealsebo

I'm building the Docker image locally, and the fix works for me.

gyang-vonage avatar Jun 29 '21 11:06 gyang-vonage

Fix released https://github.com/Nike-Inc/gimme-aws-creds/releases/tag/v2.4.2

ChristophShyper avatar Jun 29 '21 17:06 ChristophShyper

Happy this is getting addressed but it looks like the push to pypi failed: https://github.com/Nike-Inc/gimme-aws-creds/actions/runs/983595057

dland-ethos avatar Jun 29 '21 18:06 dland-ethos

Looks like the version at https://github.com/Nike-Inc/gimme-aws-creds/blob/master/gimme_aws_creds/__init__.py#L2 needs to be updated.

RyPeck avatar Jun 29 '21 18:06 RyPeck

I've tried to install it, but it doesn't have the latest version:

    pip install gimme-aws-creds==2.4.2
    ERROR: Could not find a version that satisfies the requirement gimme-aws-creds==2.4.2 (from versions: 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.6, 1.1.7, 1.1.8, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1)
    ERROR: No matching distribution found for gimme-aws-creds==2.4.2

I've also downloaded the source code and tried that, but I'm still hitting the same error:

    [demo@test gimme-aws-creds-2.4.2]$ cd bin/
    [demo@test bin]$ ls
    gimme-aws-creds  gimme-aws-creds.cmd
    [demo@test bin]$ ./gimme-aws-creds
    /home/demo/aws_access/lib/python3.6/site-packages/secretstorage/dhcrypto.py:16: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
      from cryptography.utils import int_from_bytes
    /home/demo/aws_access/lib/python3.6/site-packages/secretstorage/util.py:25: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
      from cryptography.utils import int_from_bytes
    Okta Password for demo:
    Traceback (most recent call last):
      File "./gimme-aws-creds", line 17, in <module>
        GimmeAWSCreds().run()
      File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 469, in run
        self._run()
      File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 802, in _run
        for data in self.iter_selected_aws_credentials():
      File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 773, in iter_selected_aws_credentials
        for role in self.aws_selected_roles:
      File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 672, in aws_selected_roles
        selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
      File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 663, in aws_roles
        self.saml_data['SAMLResponse'],
      File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 654, in saml_data
        self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'])
      File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 647, in aws_app
        self._cache['aws_app'] = aws_app = self._get_selected_app(self.conf_dict.get('aws_appname'), self.aws_results)
      File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 600, in aws_results
        self.auth_session
      File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 582, in auth_session
        auth_result = self.okta.auth_session()
      File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/okta.py", line 183, in auth_session
        "session": response.cookies['sid'],
      File "/home/demo/aws_access/lib/python3.6/site-packages/requests/cookies.py", line 328, in __getitem__
        return self._find_no_duplicates(name)
      File "/home/demo/aws_access/lib/python3.6/site-packages/requests/cookies.py", line 399, in _find_no_duplicates
        raise KeyError('name=%r, domain=%r, path=%r' % (name, domain, path))
    KeyError: "name='sid', domain=None, path=None"

ranjithvaddepally avatar Jun 29 '21 18:06 ranjithvaddepally

> Looks like the version at https://github.com/Nike-Inc/gimme-aws-creds/blob/master/gimme_aws_creds/__init__.py#L2 needs to be updated.

@bwynsm can you have a look at the version there? Pip is throwing "File already exists. See https://pypi.org/help/#file-name-reuse for more information."

EDIT: Confirming now version 2.4.3 installed from pip works properly :) Thank you all for fixing it.

ChristophShyper avatar Jun 29 '21 18:06 ChristophShyper

Thanks for these changes @ChristophShyper. It has resolved our issues. I'm really curious what changed in Okta's platform. It appears their weekly update began on 6/28, although I'm not really seeing anything overly obvious in the fixes.

https://help.okta.com/en/prod/Content/Topics/ReleaseNotes/production.htm#Weekly-2106

jonotto avatar Jun 30 '21 02:06 jonotto

Thank you for the updates. Would it be possible to release 2.4.3 to homebrew?

mjuszczak avatar Jun 30 '21 03:06 mjuszczak

I opened a ticket in Okta, but no response https://support.okta.com/help/s/question/0D54z000072DT6HCAW/gimmeawscreds-broke-aws-sso?language=en_US&t=1624982233632

ChristophShyper avatar Jun 30 '21 06:06 ChristophShyper

In case anyone hits the same issue, version 2.4.3 worked for us but only after adding the app_url value in our ~/.okta_aws_login_config config file. (It used to work without that attribute)

i.e.:

app_url  = https://yourOrg.okta.com

jphuynh avatar Jun 30 '21 09:06 jphuynh

> In case anyone hits the same issue, version 2.4.3 worked for us but only after adding the app_url value in our ~/.okta_aws_login_config config file. (It used to work without that attribute)
>
> i.e.:
>
> app_url  = 'https://yourOrg.okta.com'

Thanks! If someone is still struggling, try removing ' quotation marks around URL string (helped in my case).

flangr-lucid avatar Jun 30 '21 09:06 flangr-lucid
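The quoting mistake discussed above, caught when the config is read rather than surfacing later as an Okta rejection. This is an added example, not gimme-aws-creds code; the check() helper, the sample configs and the validation rules are constructed for illustration and assume the file is INI-style with a [DEFAULT] section.

```python
"""Added example (not gimme-aws-creds code): validate app_url from an
~/.okta_aws_login_config-style file before using it as a redirect_uri.

configparser keeps quote characters literally, so a value written as
app_url = 'https://yourOrg.okta.com' is sent to Okta with the quotes.
"""
import configparser
from urllib.parse import urlparse


def load_app_url(config_text, profile="DEFAULT"):
    """Parse INI text and return a validated app_url, or raise ValueError."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    value = parser.get(profile, "app_url", fallback=None)
    if value is None or not value.strip():
        raise ValueError("app_url is not set; Okta needs an explicit redirect_uri")
    if value[0] in "'\"" or value[-1] in "'\"":
        raise ValueError(f"app_url must not be quoted: {value}")
    parts = urlparse(value)
    # Only an https URL on the Okta org is acceptable; the old
    # http://localhost:8080/login default is exactly what Okta now rejects.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"app_url must be an https URL on your Okta org: {value}")
    return value


def check(config_text):
    """Return (ok, app_url_or_reason) so callers can report without raising."""
    try:
        return True, load_app_url(config_text)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample configs: one correct, one with the quote mistake.
GOOD_CONFIG = """[DEFAULT]
okta_org_url = https://yourOrg.okta.com
app_url = https://yourOrg.okta.com
"""

QUOTED_CONFIG = """[DEFAULT]
okta_org_url = https://yourOrg.okta.com
app_url = 'https://yourOrg.okta.com'
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("quoted", QUOTED_CONFIG)):
        print(name, check(text))
```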

> Thanks! If someone is still struggling, try removing ' quotation marks around URL string (helped in my case).

Ah right, good spot, thanks. Sorry, bad copy-paste from me. (Edited my original comment)

jphuynh avatar Jun 30 '21 09:06 jphuynh

Upgrading gimme-aws-creds to version 2.43 fixed this issue for me.

    pip3 install --upgrade gimme-aws-creds

pulkitgupta378 avatar Jun 30 '21 09:06 pulkitgupta378

> Upgrading gimme-aws-creds to version 2.43 fixed this issue for me. pip3 install --upgrade gimme-aws-creds

I tried, and I can see "Successfully installed gimme-aws-creds-2.4.3", but it shows 2.3.5 when I check the version. Any suggestions? Thanks.

    Installing collected packages: gimme-aws-creds
    Successfully installed gimme-aws-creds-2.4.3
    $ gimme-aws-creds --version
    gimme-aws-creds 2.3.5

li2 avatar Jul 03 '21 08:07 li2

How proficient are you with *nix systems? Probably you have another installation of gimme-aws-creds, e.g. from brew, a manual install, etc.

ChristophShyper avatar Jul 04 '21 10:07 ChristophShyper