hashicorp
Add Login MFA support for Okta TOTP
Closes #24562
I tested this by running the tests in vault/external_tests/identity/login_mfa_okta_test.go. I ran them separately with Okta push and with Okta TOTP. I had to modify the tests to get them working with Okta TOTP since that is a new feature.
I cannot test the Policy MFA feature as that is only in Vault Enterprise. Would someone from HashiCorp please run that test and make sure I didn't break anything?
I needed a backport to 1.12.x, so I went ahead and created a branch on top of each of these release branches. Also, this means that my contribution can be used under the appropriate license of the older branches.
-
release/1.12.x: backport/loginmfa-okta-totp/1.12.x (MPL 2.0) -
release/1.13.x: backport/loginmfa-okta-totp/1.13.x (MPL 2.0) -
release/1.14.x: backport/loginmfa-okta-totp/1.14.x (MPL 2.0) -
release/1.15.x: backport/loginmfa-okta-totp/1.15.x (BUSL 1.1)
I have run the Okta TOTP and Okta Push test in each of these backport branches successfully.
I'm sharing this here for reference, I don't expect HashiCorp to release this feature for any previous releases.
Thanks for this contribution and I apologize for the delay! We'll have our engineer on Community assignment check it out ASAP. Again, I'm sorry it took longer than we'd like for the review to happen.
Hey there! Just wanted to give you a heads up that I spent most of my day on this and I've made progress, but I'll be handing this over to the next engineer on Monday when our 'shifts' change over, and making sure they have all of the context to give this their full attention, as I don't want to rush this review and I had some trouble with my Okta setup.
I mostly wanted to let you know so that you know we're working on it, and also the heads up not to be alarmed when someone else starts looking at this (it's not that I abandoned it, quite the opposite)! Thanks again for the submission!
It took me some time to get my dev Okta setup as well. 🙂 Thank you for reviewing and for letting me know how it's going.
@cognifloyd wanted to keep you up to date with this as it's been a few days.
This week is the last week before code freeze for out next major vault release (1.16) RC so, although everyone is really excited about this feature we don't think that we can give enough testing attention and lead time to others who need to know what is changing etc. to get it merged before Friday. We still want to target getting merged for 1.17 though!
Violet handed over to me so I will continue to work on testing and getting this ready to merge, but I'll need to focus this week on some other priorities that need to be done before Friday.
I'll pick testing this PR up next week, assess what's left to do and either work through or get the completion on our roadmap in time for 1.17. I'll keep you posted!
Thanks again for a great contribution, we're really excited to have a meaningful feature contribution and really grateful for all your hard work on this so far ❤️ .
After some days of learning about Okta...
I've verified the following:
-
TestOktaEngineMFAappears to behave the same(ish) way before and after this PR other than the sensible ENV var changes.- This one is a bit odd though because I'm not really sure that it's behaving correctly - even when my Okta org is setup to require MFA it still seems to allow a login without pinging my phone and passes the test, but this was true before too so is more likely my Okta set up.
-
TestInteg_LoginMFAOktaworks both withOKTA_USE_TOTPunset and set to 1- In Community Edition ✅
- In Enterprise ✅
-
TestInteg_PolicyMFAOkta❌ in Enterprise (after merging this branch changes locally)- Needed a few minor tweaks (e.g. to add
use_passcodeto the Ent-only endpoint schema - So far I've not gotten that test to pass possibly due to configuration issues on the OKTA side. I'm still seeing
TestInteg_PolicyMFAOkta.core0.system.mfa: validation failed: method=my_okta error="no users found for e-mail address"even those theOKTA_USERNAMEwhich is set to the entitie'smetadata.emailand then consumed from there in theusername_formatconfig all looks to be correct. The same credentials/account worked for LoginMFA so it's likely something in the config here rather than this PR.
- Needed a few minor tweaks (e.g. to add
Next Steps
I'm going to keep working on this for the rest of my day here to see if I can work out what is going on with that PolicyMFA test, but either way I'm not going to get this merged today.
I'm going to create internal issue tracking the last bits to get this merged for 1.17 and make sure that is triaged by the core team so they can ensure it happens early rather than be handed off to successive engineers on our sustaining rotation.
@cognifloyd this does probably mean that it will be a few weeks before it is picked up again as we will wait until after the 1.16 release branch is cut before we merge this now. That is going to be 10 days from now earliest. Apologies that is probably slower than you might have hoped! We have the usual organizational machinery to align with here!
I don't anticipate any issues with this getting merged for 1.17. TODO (internally):
- Get
PolicyMFAtest to pass in Ent - PR the Ent-only counterpart to this just adding the required plumbing to ent-only code
- Figure out whether we need to refactor any of the other Okta testing while we are here since there is still some uncertainty about whether the test behavior we see is actually expected. (That behavior isn't changed by this PR so not a blocker but some of the comments added to
TestOktaEngineMFAprovoked interesting uncertainty about how things were intended to work around Okta auth method + MFA).
Thanks for working on this! I'm glad to see progress even if it's not quite to the finish line.
If it would be helpful, I can jump on a call to show you how I configured my dev okta org.
Now that the 1.16 branch has been cut, can we get this merged for 1.17?
release/1.16.x branch: https://github.com/hashicorp/vault/tree/release/1.16.x
1.16.0 release: https://github.com/hashicorp/vault/releases/tag/v1.16.0 (released March 26, 2024)
1.16.1 release: https://github.com/hashicorp/vault/releases/tag/v1.16.1 (released April 4, 2024)
Hey 👋🏼 any news on this PR's progress? Thank you all for your valuable work!
@banks @VioletHynes @hsimon-hashicorp 1.16 has been released. What is left before we can merge this?
@banks @VioletHynes @hsimon-hashicorp 1.16 has been released. What is left before we can merge this?
Hi there! Thanks for the ping. I've bubbled this up to our teams, as there's some additional work we'd like to do for this. We'll try not to keep you waiting too long. Please feel free to re-ping as needed at any time! :)
@hsimon-hashicorp @VioletHynes @banks Has anyone picked up / started working on the internal tasks required to get this merged? Is there anything I can do to facilitate that work?
Amazing. This is looking great!
Thanks again @cognifloyd for the awesome feature.
We're going to have to sit on this approval for a little bit until the 1.16 release branch is cut probably next week before we merge, we'll also need to have some code ready on the Enterprise side to ensure it merges smoothly (e.g. to add the use_passcode field to the ent-only MFA endpoints). I've created a ticket internally to track that though and set the milestone to 1.17 so it should certainly happen now, hopefully soon but that will be depend on how soon others on the team transition onto tasks for that release!
@banks @VioletHynes @hsimon-hashicorp This PR was approved at the beginning of February. It is now half way through May. Has anyone been assigned your internal enterprise ticket yet?
@banks @VioletHynes @hsimon-hashicorp @peteski22 Please please please would someone please work on the enterprise side of this? What is the hold up? Is there something I can sign so that I can work on the enterprise code?
Another month has passed and another release has been cut:
- https://github.com/hashicorp/vault/releases/tag/v1.17.0
- https://github.com/hashicorp/vault/tree/release/1.17.x
@banks @VioletHynes @hsimon-hashicorp @peteski22 Please please please would someone please work on the enterprise side of this? What is the hold up? Is there something I can sign so that I can work on the enterprise code?
Another month has passed and another release has been cut:
Hi there! I'm sorry for the delay. At this time I don't have any news to share, but I am going to bubble this feedback up to our engineering and product teams. I appreciate your efforts, as well as your patience. Thanks so much for hanging in there with us.