onelogin-aws-cli
Use MFA name instead of type
Expected Behavior
When a user is asked to choose the MFA device they would like to use to authenticate, the cli should show a list of device names instead of types (or a combination).
Example: I have 1 "OneLogin Protect" device type with the name "OneLogin Protect iPhone" and 2 "Google Authenticator" devices with names: "Google Authenticator" and "1Password OTP".
The cli would show:
Which OTP Device?
[1] OneLogin Protect iPhone
[2] Google Authenticator
[3] 1Password OTP
Current Behavior
Currently the cli only shows type, then you get this list:
Which OTP Device?
[1] OneLogin Protect
[2] Google Authenticator
[3] Google Authenticator
Possible Solution
I guess we could use user_display_name instead of type_display_name?
API Docs: https://developers.onelogin.com/quickstart/mfa
Steps to Reproduce
- add multiple MFA devices of the same type in OneLogin
- authenticate via onelogin-aws-cli
- follow steps until "Which OTP Device?" question is asked
Hm, the user display name doesn't seem to appear in the data structure we get back from the onelogin api python library.
I only see the fields id, type, duo_api_hostname and duo_sig_request.
I see that the preferred onelogin auth flow indeed only contains those fields in the response: https://developers.onelogin.com/api-docs/1/login-page/create-session-login-token.
For this to work with the user_display_name we probably need to do an extra call requesting extra device information: https://github.com/onelogin/onelogin-python-sdk/blob/master/src/onelogin/api/models/otp_device.py
Thanks for the spelunking! Since you seem to know the api pretty well =), if you wanna throw up a PR I'd be happy to merge it and push a new release. Otherwise, I'm kinda slammed right now so won't be able to do this for a while.
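One way to build the menu discussed in this thread, as an added example (not code from onelogin-aws-cli or the OneLogin SDK): it merges the device list from the login response with the extra device details and keeps every entry distinguishable even when a name is missing or duplicated. The dict shapes, the sample ids, the function names, and the assumption that both responses share the same device id are hypothetical.

```python
from collections import Counter


def build_otp_menu(login_devices, enrolled_devices):
    """Return one unique menu label per login device, in prompt order."""
    # Index the extra device details by id (assumed to match the login response ids).
    details = {d["id"]: d for d in enrolled_devices}

    labels = []
    for dev in login_devices:
        info = details.get(dev["id"], {})
        # Prefer the user-chosen name, then the type display name,
        # then the bare type from the login response.
        name = (info.get("user_display_name") or "").strip()
        labels.append(name or info.get("type_display_name") or dev["type"])

    # Labels can still collide (same name, or no details found for a device).
    # Append the device id to colliding labels so the user can tell them apart.
    counts = Counter(labels)
    return [
        f"{label} (id {dev['id']})" if counts[label] > 1 else label
        for label, dev in zip(labels, login_devices)
    ]


def render_prompt(labels):
    """Format the labels the way the CLI prompt in the issue is shown."""
    lines = ["Which OTP Device?"]
    lines += [f"[{i}] {label}" for i, label in enumerate(labels, 1)]
    return "\n".join(lines)


# Constructed sample data mirroring the devices described in the issue.
LOGIN_DEVICES = [
    {"id": 101, "type": "OneLogin Protect"},
    {"id": 102, "type": "Google Authenticator"},
    {"id": 103, "type": "Google Authenticator"},
]
ENROLLED_DEVICES = [
    {"id": 101, "user_display_name": "OneLogin Protect iPhone",
     "type_display_name": "OneLogin Protect"},
    {"id": 102, "user_display_name": "Google Authenticator",
     "type_display_name": "Google Authenticator"},
    {"id": 103, "user_display_name": "1Password OTP",
     "type_display_name": "Google Authenticator"},
]

if __name__ == "__main__":
    print(render_prompt(build_otp_menu(LOGIN_DEVICES, ENROLLED_DEVICES)))
```

If the extra lookup fails or returns nothing, passing an empty list for the details still yields a usable prompt, with the two same-type devices separated by id.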