gimme-aws-creds
Ability to specify a specific TOTP instance for preferred_mfa_type
When using both Okta and conventional TOTP for MFA, there are two instances of token:software:totp:
Pick a factor:
[ 0 ] token:software:totp( GOOGLE ) : [email protected]
[ 1 ] token:software:totp( OKTA ) : [email protected]
You can eliminate the Okta Verify / push by using preferred_mfa_type = token:software:totp, but you cannot specify the instance of TOTP. Could selection of a specific TOTP instance be added to avoid this prompt each time when running for a given profile?
This would be great in general -- I have the same issue with multiple FIDO keys.
That would be really nice
Much needed feature.
It should be as simple as this:
> diff -u okta.py{.orig,}
--- okta.py.orig 2021-09-28 14:43:35.023881940 +0300
+++ okta.py 2021-09-29 13:00:32.102411489 +0300
@@ -777,7 +777,7 @@
passcode['factorType'] = "passcode"
factors.append(passcode)
if self._preferred_mfa_type is not None:
- preferred_factors = list(filter(lambda item: item['factorType'] == self._preferred_mfa_type, factors))
+ preferred_factors = list(filter(lambda item: self._build_factor_name(item) == self._preferred_mfa_type, factors))
# If the preferred factor isn't in the list of available factors, we'll let the user know before
# prompting to select another.
if not preferred_factors:
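Review bot: the changed filter line compares self._build_factor_name(item) with self._preferred_mfa_type in place of item['factorType'], so a config that still sets preferred_mfa_type to a bare factor type such as token:software:totp stops matching, because the built name shown in the Pick a factor prompt also carries the provider and account. Every such profile would then fall into the "if not preferred_factors:" branch and be prompted again. Suggest keeping the factorType comparison as the first pass and comparing against _build_factor_name(item) only when that pass returns nothing, and documenting that preferred_mfa_type also accepts the full factor name exactly as the prompt prints it.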
After that you simply put the human-friendly factor name as you see it in the Pick a factor: prompt (e.g. token:software:totp( GOOGLE ) : [email protected]) as the value for the preferred_mfa_type config opt and you're good to go.
This would be great for us too! @yermulnik's solution seems pretty easy and unlikely to have any negative side effects. Maybe if you create a PR this might get fixed soon?
I'd adjust that 'simple' code so that it first looks at just factorType (so things like specifying push don't break) and only does the _build_factor_name based matching inside the if not preferred_factors.
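The two-stage matching suggested in the last comment, as an added example that is not code from the thread or from gimme-aws-creds. The build_factor_name helper is a hypothetical stand-in for okta.py's _build_factor_name, and the factor objects are constructed sample data.

```python
# Constructed sample of Okta factor objects (not real account data).
SAMPLE_FACTORS = [
    {"factorType": "push", "provider": "OKTA",
     "profile": {"credentialId": "user@example.com"}},
    {"factorType": "token:software:totp", "provider": "GOOGLE",
     "profile": {"credentialId": "user@example.com"}},
    {"factorType": "token:software:totp", "provider": "OKTA",
     "profile": {"credentialId": "user@example.com"}},
]


def build_factor_name(factor):
    """Hypothetical stand-in for okta.py's _build_factor_name: renders the
    label in the shape the 'Pick a factor:' prompt shows on this page."""
    return "{}( {} ) : {}".format(
        factor["factorType"], factor["provider"],
        factor["profile"]["credentialId"],
    )


def select_preferred_factors(factors, preferred):
    """Return the factors that match the preferred_mfa_type value.

    Stage 1 keeps the existing behaviour: exact factorType match, so a value
    such as 'push' keeps working. Stage 2 runs only when stage 1 finds
    nothing and compares the full display name, which pins one instance.
    """
    if preferred is None:
        return list(factors)
    by_type = [f for f in factors if f["factorType"] == preferred]
    if by_type:
        return by_type
    return [f for f in factors if build_factor_name(f) == preferred]


def needs_prompt(factors, preferred):
    """True when the user must still choose: zero matches or several."""
    return len(select_preferred_factors(factors, preferred)) != 1


if __name__ == "__main__":
    for value in ("push", "token:software:totp",
                  "token:software:totp( GOOGLE ) : user@example.com"):
        print(value, "-> prompt needed:", needs_prompt(SAMPLE_FACTORS, value))
```

A value that matches no factor returns an empty list rather than silently picking one, so the caller can warn and fall back to the interactive prompt.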