Token issued with Okta integration can't be renewed
Describe the bug
When logging in with the Okta API integration, the issued token cannot be renewed even though max_ttl is set much bigger than default_ttl.
The renew command does not error, but doesn't return anything, and the token is not renewed.
Other methods work as intended (regular tokens, OIDC connector...).
To Reproduce
Steps to reproduce the behavior:
- log in with the okta auth
curl -s \
--request POST \
--data '{"password": "<REDACTED>"}' \
https://vault.example.com:8200/v1/auth/okta/login/[email protected] | jq
{
...
"auth": {
"client_token": "<REDACTED>",
"accessor": "$accessor_id",
...
"lease_duration": 1800,
"renewable": true,
"entity_id": "UUID",
"token_type": "service",
"orphan": true,
"mfa_requirement": null,
"num_uses": 0
}
}
- Check the validity
curl -X POST -H "X-Vault-Request: true" -H "X-Vault-Token: $token" -d '{"accessor":"$accessor_id"}' https://vault.example.com:8200/v1/auth/token/lookup-accessor | jq
{
"request_id": "UUID",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"accessor": "$accessor_id",
"creation_time": 1662381824,
"creation_ttl": 1800,
"display_name": "myself",
"entity_id": "UUID",
"expire_time": "2022-09-05T13:13:44.732699027Z",
"explicit_max_ttl": 0,
"id": "",
"issue_time": "2022-09-05T12:43:44.732711312Z",
...
"num_uses": 0,
"orphan": true,
"path": "auth/okta/login/[email protected]",
"policies": [
"admin"
],
"renewable": true,
"ttl": 1718,
"type": "service"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
- Try to renew the token
curl -X POST -H "X-Vault-Token: $token" -H "X-Vault-Request: true" -d '{"accessor":"$accessor_id","increment":3600}' https://vault.example.com:8200/v1/auth/token/renew-accessor && echo OK
OK
Expected behavior
The token is expected to be renewed, and the call to /renew is expected to return JSON with information on the renewed token.
Environment:
- Vault Server Version (retrieve with vault status): 1.11.0
- Vault CLI Version (retrieve with vault version): Vault v1.11.3 ('17250b25303c6418c283c95b1d5a9c9f16174fe8+CHANGES'), built 2022-08-26T10:27:10Z
- Server Operating System/Architecture: Fedora, x86_64
Vault server configuration file(s):
# Paste your Vault config here.
# Be sure to scrub any sensitive values
storage "raft" { }
Okta auth config is:
vault read auth/okta/config
Key Value
--- -----
base_url okta.com
...
max_ttl 72h
...
token_explicit_max_ttl 0s
token_max_ttl 72h
token_no_default_policy true
...
token_ttl 30m
token_type default
ttl 30m
Additional context
The exact same behavior is observed both with curl and with the vault cli.
If I'm reading
https://github.com/hashicorp/vault/blob/700852c583726fe142df2d0321c77d94131e37ec/builtin/credential/okta/path_login.go#L143-L183
right, it seems to be saying that each renew attempt will trigger push-based MFA if available, or fail if only TOTP-based MFA is available for the account.
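A check for exactly this kind of silent failure, added here as an example and not code from the report or from Vault: it refuses to trust curl's exit status and instead requires a renew body with an auth block plus a later expire_time on a second lookup-accessor. The "after" lookup and the successful renew body are constructed sample values in the shape of the responses quoted above.

```python
import json
from datetime import datetime, timezone

# Constructed from the lookup-accessor output quoted in the report (fields trimmed).
LOOKUP_BEFORE = {
    "creation_ttl": 1800,
    "expire_time": "2022-09-05T13:13:44.732699027Z",
    "renewable": True,
    "ttl": 1718,
}
# Constructed: what a second lookup would show if the renew really extended the token.
LOOKUP_AFTER_RENEWED = dict(LOOKUP_BEFORE, expire_time="2022-09-05T13:45:00.000000000Z", ttl=3600)
# Constructed: the body a successful renew-accessor call would return (shape only).
RENEW_BODY_OK = json.dumps({"auth": {"lease_duration": 3600, "renewable": True}})
# What the report observed: exit status 0 and no body at all.
RENEW_BODY_EMPTY = ""


def parse_vault_time(ts: str) -> datetime:
    """Parse Vault's RFC 3339 timestamps, which carry nine fractional digits."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc
    )


def renewal_succeeded(renew_body: str, before: dict, after: dict) -> tuple[bool, str]:
    """Return (ok, reason): did a renew-accessor call actually extend the token?

    renew_body is the raw HTTP body of the renew call; before/after are the
    "data" objects from lookup-accessor taken just before and just after it.
    """
    if not renew_body.strip():
        return False, "renew-accessor returned an empty body; no auth block to inspect"
    auth = json.loads(renew_body).get("auth") or {}
    if not auth.get("lease_duration"):
        return False, "renew response has no auth.lease_duration"
    t0, t1 = parse_vault_time(before["expire_time"]), parse_vault_time(after["expire_time"])
    if t1 <= t0:
        return False, f"expire_time did not advance ({before['expire_time']} -> {after['expire_time']})"
    return True, f"expire_time advanced by {(t1 - t0).total_seconds():.0f}s"


if __name__ == "__main__":
    # The silent failure from the report: curl printed OK, but nothing was renewed.
    print(renewal_succeeded(RENEW_BODY_EMPTY, LOOKUP_BEFORE, LOOKUP_BEFORE))
    # A renew that actually worked.
    print(renewal_succeeded(RENEW_BODY_OK, LOOKUP_BEFORE, LOOKUP_AFTER_RENEWED))
```

In a real run, feed the function the raw body of the renew-accessor call and the "data" objects from lookup-accessor issued immediately before and after it.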
@DocEmmetBrown Thanks for filing this ticket. We are tracking this issue and will be pushing a fix shortly.
I am closing this issue. And, once again thanks for filing the ticket! Please feel free to reopen this issue or open a new one for further discussion.