Supporting OKTA app login instead of API key

Open xophere opened this issue 3 years ago • 4 comments

Was sure the best way to make a feature request here. What I really need is a way to auth to Okta to create an admin API with a limited duration from the command line. In this case you could also then have it interact with the config from that id. Or simply print or set that short term key to an env var I could use elsewhere.

xophere avatar May 12 '21 17:05 xophere

I don't really understand that. What do you mean by "create an admin API"? An API key? Also, short-term might not be possible - I just tell Okta what to do; if Okta does not provide "short-term API (keys?)" I can do nothing. Cause once I created something client execution ends, and if the created thing does not cancel itself there's nothing I can do about it.

So any link or additional detail might help!

flypenguin avatar May 22 '21 08:05 flypenguin

So as an admin user I can log in to the user interface and do things like create an API key. It would be really useful to be able to do that from your cli tool. Specifically for automation cases where ideally you don't just preshare a key but you have users with 2fac who authenticate as themselves and then can do admin-level tasks. Yeah, clearly you are dependent on the API making this possible. Since Okta keys expire and are a bit of a pain to create just to do admin work... And clearly there are clients for Okta that can authenticate with 2fac from the command line, it just seems like it might be a killer way to prevent admin users from having to use that horrible GUI like ever.

So in our AWS config we have individual long lasting keys. We use that and 2 factor to get a short term token to do admin work. That admin token expires. But we wrap it all up in a tool called vaulted. It would be great to be able to do something like this with okta-cli. I mean it wouldn't have to be exactly the same.

On Sat, May 22, 2021 at 1:40 AM Axel Bock @.***> wrote:

I don't really understand that. What do you mean by "create an admin API"? An API key? Also, short-term might not be possible - I just tell Okta what to do; if Okta does not provide "short-term API (keys?)" I can do nothing. Cause once I created something client execution ends, and if the created thing does not cancel itself there's nothing I can do about it.

So any link or additional detail might help!

xophere avatar May 22 '21 13:05 xophere

I was coming to submit a case for the same thing and wonder how hard this would be to accomplish. It would be nice to offer the capability to have the cli authenticate against an Okta application as the user instead of using a longer-lived API token. This may give the ability to have a user who is not an admin get privileged access to things in Okta while also only having short-lived sessions (depending on your user session configuration).

CoreySmithRing avatar Jun 25 '21 18:06 CoreySmithRing

it's not hard. https://github.com/gabrielsroka/okta_api/blob/90e7c70d0500f7cadcf0a2a570aa9cb99298b1fc/okta_auth.py#L30-L47

it even supports, eg, push https://github.com/gabrielsroka/okta_api/blob/90e7c70d0500f7cadcf0a2a570aa9cb99298b1fc/okta_auth.py#L49-L66

u can ignore most of the rest of the file..

gabrielsroka avatar Nov 10 '23 18:11 gabrielsroka
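
The user sign-in with push MFA discussed in this thread, sketched against Okta's Authentication API (`/api/v1/authn`) as an added example; it is not code from okta-cli or from the linked `okta_auth.py`. The names `sign_in` and `http_post`, the injectable `post` parameter, and the canned responses are assumptions made for illustration.

```python
import json
import time
import urllib.request


def http_post(url, body):
    """POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def sign_in(org_url, username, password, post=http_post, poll_delay=4, max_polls=15):
    """Return a single-use sessionToken, completing an Okta Verify push if required."""
    txn = post(f"{org_url}/api/v1/authn", {"username": username, "password": password})
    if txn["status"] == "MFA_REQUIRED":
        factors = txn["_embedded"]["factors"]
        push = next((f for f in factors if f["factorType"] == "push"), None)
        if push is None:
            raise RuntimeError("no push factor enrolled; other factors not handled here")
        state = {"stateToken": txn["stateToken"]}
        txn = post(push["_links"]["verify"]["href"], state)  # this sends the push
        polls = 0
        while txn["status"] == "MFA_CHALLENGE" and txn.get("factorResult") == "WAITING":
            if polls >= max_polls:
                raise TimeoutError("push was not approved in time")
            time.sleep(poll_delay)
            polls += 1
            txn = post(txn["_links"]["next"]["href"], state)
    if txn["status"] != "SUCCESS":
        # Rejected or timed-out pushes and locked-out accounts end up here: fail closed.
        raise PermissionError(f"sign-in ended in {txn['status']}/{txn.get('factorResult')}")
    return txn["sessionToken"]


if __name__ == "__main__":
    # Constructed responses standing in for a real org, so this runs offline.
    canned = iter([
        {"status": "MFA_REQUIRED", "stateToken": "st-constructed", "_embedded": {"factors": [
            {"factorType": "push", "_links": {"verify": {"href": "https://org.example/verify"}}}]}},
        {"status": "MFA_CHALLENGE", "factorResult": "WAITING",
         "_links": {"next": {"href": "https://org.example/verify"}}},
        {"status": "SUCCESS", "sessionToken": "tok-constructed"},
    ])
    print(sign_in("https://org.example", "user", "pw", post=lambda u, b: next(canned), poll_delay=0))
```

The returned `sessionToken` is single-use and is exchanged for a user session, so nothing long-lived has to be stored on disk.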