
Support for MFA Yubico FIDO/U2F key

Status: Open. hao-public opened this issue 6 years ago • 8 comments

Will it be possible to support the Yubico FIDO/U2F key with MFA?

hao-public, May 25 '18 13:05

Yubikey MFA works already for a colleague of mine.

It doesn’t work with app-level MFA.

What are you seeing?

AlainODea, May 26 '18 14:05

I'm getting the following error when authenticating with U2F and version 1.0.2 of okta-aws-cli-assume-role; it works in the browser.

Multi-Factor authentication is required. Please select a factor to use.
Factors:
[ 1 ] : FIDO u2f
[ 2 ] : Okta Verify (Push)
[ 3 ] : Okta Verify (TOTP)
Selection: 1
Exception in thread "main" java.lang.RuntimeException: You do not have access to AWS through Okta. 
Please contact your administrator.
	at com.okta.tools.saml.OktaSaml.getSamlResponseForAws(OktaSaml.java:53)
	at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:45)
	at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:88)
	at com.okta.tools.awscli.main(awscli.java:33)

pc-fmarin, Jun 08 '18 01:06

@pc-fmarin do you have the AWS app assigned to you in Okta? Are you using app-level MFA?

AlainODea, Jun 09 '18 12:06

Yes, I have the AWS app, and no, it's not app-level; it's one MFA for all of Okta and the apps I've got assigned.

pc-fmarin, Jun 12 '18 12:06

@pc-fmarin this kind of failure indicates that Okta is not directly responding with a SAMLResponse.

OKTA_AWS_APP_URL must be the app embed URL. If visiting it while authenticated leads to a redirect this tool will not work.

Does OKTA_AWS_APP_URL work if you copy paste it into a web browser? Does the web browser use a proxy?

Have you tried OKTA_BROWSER_AUTH?

AlainODea, Jun 12 '18 22:06
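The check described in the comment above (does OKTA_AWS_APP_URL, fetched with an authenticated session, answer directly with a SAMLResponse form, or does it redirect?) can be scripted. The following is an added example, not code from okta-aws-cli-assume-role: it classifies a captured HTTP response as a redirect, a SAML HTTP-POST form, or something else, and decodes the SAMLResponse to list the AWS role attribute values (the `https://aws.amazon.com/SAML/Attributes/Role` attribute is the standard one AWS reads). The status codes, headers, page bodies, account ID and role ARN below are constructed sample data, not captured from a real Okta tenant.

```python
"""Diagnose what an Okta app embed URL returned: a SAMLResponse form or a redirect.

Added example, not part of okta-aws-cli-assume-role. All sample
responses below are constructed for illustration.
"""
import base64
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard attribute name AWS expects in a SAML assertion for federation.
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


class _InputCollector(HTMLParser):
    """Collect name -> value for every <input> element in an HTML page."""

    def __init__(self):
        super().__init__()
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if a.get("name"):
            self.inputs[a["name"]] = a.get("value") or ""


def classify_response(status, headers, body):
    """Return (kind, detail): 'redirect' with its Location, 'saml_response'
    with the base64 SAMLResponse, or 'other' when neither is present."""
    if 300 <= status < 400:
        return "redirect", headers.get("Location", "")
    collector = _InputCollector()
    collector.feed(body)
    saml = collector.inputs.get("SAMLResponse")
    if saml:
        return "saml_response", saml
    return "other", ""


def aws_roles_from_saml(saml_b64):
    """Decode a base64 SAMLResponse and return the AWS Role attribute values."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("decoded document is not a samlp:Response")
    roles = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == AWS_ROLE_ATTR:
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                roles.append((value.text or "").strip())
    return roles


def diagnose(status, headers, body):
    """Human-readable verdict for a response captured from OKTA_AWS_APP_URL."""
    kind, detail = classify_response(status, headers, body)
    if kind == "redirect":
        return f"redirect to {detail}: not the app embed URL, or the session is not authenticated"
    if kind == "saml_response":
        roles = aws_roles_from_saml(detail)
        if not roles:
            return "SAMLResponse present but carries no AWS Role attribute"
        return "SAMLResponse present; roles: " + ", ".join(roles)
    return "no SAMLResponse form in page (login or MFA page?)"


# --- constructed sample data -------------------------------------------------
SAMPLE_ROLE = ("arn:aws:iam::123456789012:role/ExampleRole,"
               "arn:aws:iam::123456789012:saml-provider/Okta")
_SAMPLE_SAML_XML = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="{AWS_ROLE_ATTR}">
        <saml:AttributeValue>{SAMPLE_ROLE}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_B64 = base64.b64encode(_SAMPLE_SAML_XML.encode()).decode()
SAMPLE_FORM_PAGE = ('<html><body><form method="post" action="https://signin.aws.amazon.com/saml">'
                    f'<input type="hidden" name="SAMLResponse" value="{SAMPLE_SAML_B64}"/>'
                    '</form></body></html>')
SAMPLE_REDIRECT = (302, {"Location": "https://example.okta.com/login/login.htm"}, "")
SAMPLE_LOGIN_PAGE = (200, {}, "<html><body><input name=\"username\"/></body></html>")

if __name__ == "__main__":
    print(diagnose(*SAMPLE_REDIRECT))
    print(diagnose(200, {}, SAMPLE_FORM_PAGE))
    print(diagnose(*SAMPLE_LOGIN_PAGE))
```

To use it against a real tenant, capture the response to OKTA_AWS_APP_URL from an authenticated session (browser developer tools, or a scripted fetch carrying the session cookie) and pass status, headers and body to `diagnose`. Only the `saml_response` verdict corresponds to a configuration the tool can consume; a redirect means the URL is not the embed URL or the session never completed MFA.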

@AlainODea when I set that property it boots a desktop app to log in, which shows the error "Security Key (U2F) is not supported on this browser. Select another factor or contact your admin for assistance." Also, the following error immediately happens in the CLI:

export OKTA_BROWSER_AUTH=true
~/.okta$ ./awscli ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,State.Code]' --output table --max-items 1
Exception in thread "JavaFX Application Thread" java.lang.NullPointerException
	at com.okta.tools.authentication.BrowserAuthentication.getAwsStsSamlForm(BrowserAuthentication.java:95)
	at com.okta.tools.authentication.BrowserAuthentication.getSamlResponseForAws(BrowserAuthentication.java:89)
	at com.okta.tools.authentication.BrowserAuthentication.checkForAwsSamlSignon(BrowserAuthentication.java:82)
	at com.okta.tools.authentication.BrowserAuthentication.lambda$start$0(BrowserAuthentication.java:69)
	at com.sun.javafx.binding.ExpressionHelper$SingleChange.fireValueChangedEvent(ExpressionHelper.java:182)
	at com.sun.javafx.binding.ExpressionHelper.fireValueChangedEvent(ExpressionHelper.java:81)
	at javafx.beans.property.ReadOnlyObjectPropertyBase.fireValueChangedEvent(ReadOnlyObjectPropertyBase.java:74)
	at javafx.beans.property.ReadOnlyObjectWrapper.fireValueChangedEvent(ReadOnlyObjectWrapper.java:102)
	at javafx.beans.property.ObjectPropertyBase.markInvalid(ObjectPropertyBase.java:112)
	at javafx.beans.property.ObjectPropertyBase.set(ObjectPropertyBase.java:146)
	at javafx.scene.web.WebEngine$LoadWorker.updateState(WebEngine.java:1287)
	at javafx.scene.web.WebEngine$LoadWorker.dispatchLoadEvent(WebEngine.java:1401)
	at javafx.scene.web.WebEngine$LoadWorker.access$1200(WebEngine.java:1280)
	at javafx.scene.web.WebEngine$PageLoadListener.dispatchLoadEvent(WebEngine.java:1267)
	at com.sun.webkit.WebPage.fireLoadEvent(WebPage.java:2516)
	at com.sun.webkit.WebPage.fwkFireLoadEvent(WebPage.java:2360)
	at com.sun.webkit.network.URLLoader.twkDidFinishLoading(Native Method)
	at com.sun.webkit.network.URLLoader.notifyDidFinishLoading(URLLoader.java:871)
	at com.sun.webkit.network.URLLoader.lambda$didFinishLoading$103(URLLoader.java:862)
	at com.sun.javafx.application.PlatformImpl.lambda$null$172(PlatformImpl.java:295)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.javafx.application.PlatformImpl.lambda$runLater$173(PlatformImpl.java:294)
	at com.sun.glass.ui.InvokeLaterDispatcher$Future.run(InvokeLaterDispatcher.java:95)

Is it possible to boot the browser experience (assuming it's working) after choosing the authentication factor in the CLI?

~/.okta$ ./awscli ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,State.Code]' --output table --max-items 1
Username: [email protected]
Password:

Multi-Factor authentication is required. Please select a factor to use.
Factors:
[ 1 ] : FIDO u2f
[ 2 ] : Okta Verify (Push)
[ 3 ] : Okta Verify (TOTP)
Selection: 1
Exception in thread "main" java.lang.RuntimeException: You do not have access to AWS through Okta.
Please contact your administrator.
	at com.okta.tools.saml.OktaSaml.getSamlResponseForAws(OktaSaml.java:53)
	at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:45)
	at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:88)

pc-fmarin, Jun 21 '18 19:06

@pc-fmarin interesting. It looks like my colleague was using a Yubikey in a token mode rather than FIDO U2F mode.

FIDO U2F will likely require an integration with a full browser like Firefox, Microsoft Edge, or Chrome. Okta's FIDO U2F verification flow requires calling a JavaScript API that the embedded WebKit in JavaFX WebView appears not to support: https://developer.okta.com/docs/api/resources/factors#verify-u2f-factor

Caveat: I'm not an Okta employee. I get no compensation for investigating or fixing these issues. I'm quite busy with other projects, so someone else will need to step in.

AlainODea, Jun 22 '18 00:06

It's possible to handle U2F on the CLI, but dumping to a browser is probably easier.

smiller171, Jun 25 '19 20:06