def get_oauth_authorize_url(okta_session_token=None, prompt=None):
logger.debug("get_oauth_authorize_url()")
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
auth_options = {
"response_mode": "form_post",
"scope": "openid profile email"
}
if prompt is not None:
auth_options["prompt"] = prompt
if "state" not in session:
session["oidc_state"] = str(uuid.uuid4())
else:
session["oidc_state"] = session["state"]
if okta_session_token:
auth_options["sessionToken"] = okta_session_token
oauth_authorize_url = okta_auth.create_oauth_authorize_url(
response_type="code",
state=session["oidc_state"],
auth_options=auth_options)
return oauth_authorize_url
def profile_bp():
logger.debug("profile_bp_profile()")
if request.args.get('refreshtoken') == 'true':
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
auth_options = {
"response_mode": "form_post",
"prompt": "none",
"scope": "openid profile email"
}
session["oidc_state"] = str(uuid.uuid4())
session[FROM_URI_KEY] = request.url.replace(
"http://", "{0}://".format(session[SESSION_INSTANCE_SETTINGS_KEY]
["app_scheme"])) + "profile"
oauth_authorize_url = okta_auth.create_oauth_authorize_url(
response_type="code",
state=session["oidc_state"],
auth_options=auth_options)
return redirect(oauth_authorize_url)
else:
return render_template(
"/profile.html",
templatename=get_app_vertical(),
id_token=TokenUtil.get_id_token(request.cookies),
access_token=TokenUtil.get_access_token(request.cookies),
user_info=get_userinfo(),
config=session[SESSION_INSTANCE_SETTINGS_KEY])
def pre_reg_password_set():
print("pre_reg_password_set()")
json_data = request.get_json()
print(json_data)
password_set_response = {"success": False}
okta_auth = OktaAuth(session)
reset_response = okta_auth.reset_password_with_state_token(
json_data["stateToken"], json_data["newPassword"])
print("reset_response: {0}".format(
json.dumps(reset_response, indent=4, sort_keys=True)))
if "errorSummary" in reset_response:
password_set_response["errorMessage"] = reset_response["errorSummary"]
if "errorCauses" in reset_response:
password_set_response["errorMessages"] = []
for error_cause in reset_response["errorCauses"]:
password_set_response["errorMessages"].append(
{"errorMessage": reset_response["errorSummary"]})
else:
password_set_response = create_login_response(json_data["username"],
json_data["newPassword"],
session)
return json.dumps(password_set_response)
def oidc():
""" handler for the oidc call back of the app """
print("oidc()")
# print(request.form)
if "error" in request.form:
print("ERROR: {0}, MESSAGE: {1}".format(
request.form["error"], request.form["error_description"]))
if session["state"] == request.form["state"]:
oidc_code = request.form["code"]
# print("oidc_code: {0}".format(oidc_code))
okta_auth = OktaAuth(okta_config)
oauth_token = okta_auth.get_oauth_token(
code=oidc_code,
grant_type="authorization_code",
auth_options={
"client_id": okta_config["client_id"],
"client_secret": okta_config["client_secret"],
})
# print("oauth_token: {0}".format(json.dumps(oauth_token, indent=4, sort_keys=True)))
app_landing_page_url = okta_config["app_base_url"]
response = make_response(redirect(app_landing_page_url))
response.set_cookie('token', oauth_token["access_token"])
response.set_cookie('id_token', oauth_token["id_token"])
else:
print("FAILED TO MATCH STATE!!!")
response = make_response(redirect("/"))
session.pop("state", None)
# return response
print(response)
return response
def ecommerce_order_summary(orderid):
logger.debug("ecommerce_order_summary()")
active_order = None
user_info = get_userinfo()
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
storefront_system_token = okta_auth.get_oauth_system_token(
session[SESSION_INSTANCE_SETTINGS_KEY]['settings']
['storefront_system_client_id'], session[SESSION_INSTANCE_SETTINGS_KEY]
['settings']['storefront_system_client_secret'],
session[SESSION_INSTANCE_SETTINGS_KEY]['settings']
['storefront_system_client_scopes'])
storefront = StorefrontFactory.getStorefrontProvider(
session[SESSION_INSTANCE_SETTINGS_KEY]['settings'], user_info,
TokenUtil.get_access_token(request.cookies),
storefront_system_token['access_token'])
if orderid is None:
active_order = session["just_submitted_order_id"]
del session["just_submitted_order_id"]
else:
active_order = orderid
order = storefront.getOrder(active_order)
return render_template("ecommerce/ordersummary.html",
order=order,
config=session[SESSION_INSTANCE_SETTINGS_KEY],
_scheme="https")
def ecommerce_order_post():
user_info = get_userinfo()
okta_admin = OktaAdmin(session[SESSION_INSTANCE_SETTINGS_KEY])
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
storefront_system_token = okta_auth.get_oauth_system_token(
session[SESSION_INSTANCE_SETTINGS_KEY]['settings']
['storefront_system_client_id'], session[SESSION_INSTANCE_SETTINGS_KEY]
['settings']['storefront_system_client_secret'],
session[SESSION_INSTANCE_SETTINGS_KEY]['settings']
['storefront_system_client_scopes'])
storefront = StorefrontFactory.getStorefrontProvider(
session[SESSION_INSTANCE_SETTINGS_KEY]['settings'], user_info,
TokenUtil.get_access_token(request.cookies),
storefront_system_token['access_token'])
cartId = None
userId = None
logger.debug("ecommerce_order_post()")
logger.debug(request.form)
if not user_info:
cartId = session['guest_cart_id']
userId = request.form.get("email")
else:
cartId = session['customer_cart_id']
userId = user_info['email']
orderAddress = OrderShipAddress(request.form.get("firstName"),
request.form.get("lastName"),
request.form.get("address"),
request.form.get("city"),
request.form.get("state"),
request.form.get("country"),
request.form.get("zip"))
orderBilling = OrderBillingInfo(request.form.get("cc-name"),
request.form.get("cc-number"), 'visa',
request.form.get("cc-expiration-month"),
request.form.get("cc-expiration-year"),
'1234')
order = Order(None, None, orderAddress, orderBilling, None, None, None)
#Post the order
orderResponse = storefront.order(cartId, userId, order)
session["just_submitted_order_id"] = orderResponse["orderId"]
if "customer_cart_id" in session:
del session['customer_cart_id']
if "guest_cart_id" in session:
del session['guest_cart_id']
return redirect(
url_for("ecommerce_views_bp.ecommerce_order_summary",
_external="True",
_scheme=session[SESSION_INSTANCE_SETTINGS_KEY]["app_scheme"],
message="Order Complete",
orderid=orderResponse["orderId"]))
def gbac_poll_for_push_verification():
logger.debug("gbac_poll_for_push_verification()")
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
body = request.get_json()
factor_id = body["factor_id"]
state_token = body["state_token"]
response = okta_auth.send_push(factor_id, state_token)
return json.dumps(response)
def poll_for_push_verification():
print("poll_for_push_verification()")
okta_auth = OktaAuth(session)
body = request.get_json()
factor_id = body["factor_id"]
state_token = body["state_token"]
response = okta_auth.send_push(factor_id, state_token)
return json.dumps(response)
def oidc_callback_handler():
""" handler for the oidc call back of the app """
logger.debug("oidc_callback_handler()")
response = None
logger.debug(request.form)
has_app_level_mfa_policy = False
if "code" in request.form:
oidc_code = request.form["code"]
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
oauth_token = okta_auth.get_oauth_token(
code=oidc_code,
grant_type="authorization_code",
auth_options={
"client_id":
session[SESSION_INSTANCE_SETTINGS_KEY]["client_id"],
"client_secret":
session[SESSION_INSTANCE_SETTINGS_KEY]["client_secret"],
})
logger.debug("oauth_token: {0}".format(
json.dumps(oauth_token, indent=4, sort_keys=True)))
app_landing_page_url = get_post_login_landing_page_url()
response = make_response(redirect(app_landing_page_url))
okta_token_cookie = TokenUtil.create_encoded_okta_token_cookie(
oauth_token["access_token"], oauth_token["id_token"])
# logger.debug("okta_token_cookie: {0}".format(okta_token_cookie))
response.set_cookie(TokenUtil.OKTA_TOKEN_COOKIE_KEY, okta_token_cookie)
elif "error" in request.form:
# This is in the case there is an Okta App level MFA policy
logger.error("ERROR: {0}, MESSAGE: {1}".format(
request.form["error"], request.form["error_description"]))
if ("The client specified not to prompt, but the client app requires re-authentication or MFA."
== request.form["error_description"]):
has_app_level_mfa_policy = True
# Error occured with Accessing the app instance
if has_app_level_mfa_policy:
error_message = "Failed to Authenticate. Please remove App Level MFA Policy and use a Global MFA Policy. Error: {0} - {1}".format(
request.form["error"], request.form["error_description"])
response = gvalidation_bp_error(error_message)
else:
error_message = "Failed to Authenticate. Check to make sure the user has access to the application. Error: {0} - {1}".format(
request.form["error"], request.form["error_description"])
response = gvalidation_bp_error(error_message)
else:
# catch all error
response = gvalidation_bp_error(
"Failed to Authenticate. Check to make sure the user has access to the application."
)
return response
def verify_answer():
print("verify_answer()")
okta_auth = OktaAuth(session)
body = request.get_json()
factor_id = body["factor_id"]
state_token = body["state_token"]
answer = body["answer"]
response = okta_auth.verify_answer(factor_id, state_token, answer)
return json.dumps(response)
def gbac_stepupauth_mfa():
logger.debug("gbac_stepupauth_mfa()")
idtoken = request.form['id_token']
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
test_token = okta_auth.introspect_mfa(
idtoken, session[SESSION_INSTANCE_SETTINGS_KEY]["settings"]
["app_stepup_auth_clientid"])
return render_template("/mfa.html",
templatename=get_app_vertical(),
config=session[SESSION_INSTANCE_SETTINGS_KEY],
idtoken=idtoken,
test_token=test_token)
def is_token_valid_remote(token):
print("is_token_valid_remote(token)")
result = False
okta_auth = OktaAuth(default_settings)
instrospect_response = okta_auth.introspect(token=token)
print("instrospect_response: {0}".format(instrospect_response))
if "active" in instrospect_response:
result = instrospect_response["active"]
return result
def gbac_verify_answer():
logger.debug("gbac_verify_answer()")
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
body = request.get_json()
factor_id = body["factor_id"]
state_token = body["state_token"]
answer = body["answer"]
response = okta_auth.verify_answer(factor_id, state_token, answer)
return json.dumps(response)
def index():
""" handler for the root url path of the app """
print("index()")
user = None
modal_options = None
state_token = request.args.get("stateToken")
show_mfa_enroll = request.args.get("showMFAEnroll")
show_bdv = request.args.get("showBDV")
getNewTokenUrl = ""
#print("state_token: {0}".format(state_token))
#print("show_mfa_enroll: {0}".format(state_token))
#print("show_bdv: {0}".format(state_token))
session["current_title"] = "{0} | {1} Home".format(session["base_title"],
session["app_title"])
if (state_token):
print("User needs to set credentials and prove who they are")
okta_auth = OktaAuth(session)
token_state = okta_auth.get_transaction_state(state_token)
print("token_state: {0}".format(
json.dumps(token_state, indent=4, sort_keys=True)))
# Get user Claims from Id Token for signed in display
if ("token" in request.cookies and "id_token" in request.cookies):
id_token_claims = get_claims_from_token(request.cookies["id_token"])
if id_token_claims:
if "sub" in id_token_claims:
okta_admin = OktaAdmin(session)
user = okta_admin.get_user(id_token_claims["sub"])
# print("user: {0}".format(user))
modal_options = get_modal_options(id_token_claims["sub"])
if not user:
getNewTokenUrl = get_oauth_authorize_url()
response = make_response(
render_template("index.html",
site_config=session,
user=user,
modal_options=modal_options,
state_token=state_token,
show_mfa_enroll=show_mfa_enroll,
show_bdv=show_bdv,
okta_widget_container_id="okta-login-container",
getNewTokenUrl=getNewTokenUrl))
handle_invalid_tokens(session, response)
return response
def streamingservice_revoketoken():
logger.debug("streamingservice_revoketoken()")
client_id = session[SESSION_INSTANCE_SETTINGS_KEY]["settings"]["app_deviceflow_clientid"]
client_secret = session[SESSION_INSTANCE_SETTINGS_KEY]["settings"]["app_deviceflow_clientsecret"]
token = request.form['token']
tokenhint = request.form['tokenhint']
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
okta_auth.revoke_token_with_clientid(token, client_id=client_id, client_secret=client_secret, token_type_hint=tokenhint)
return "Completed"
def get_available_factors_by_state(state_token):
""" Get all factors available by State Token """
print("get_available_factors_by_state()")
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
transaction_state = okta_auth.get_transaction_state(state_token)
print("transaction_state: {0}".format(
json.dumps(transaction_state, indent=4, sort_keys=True)))
# available_factors = okta_admin.list_available_factors(transaction_state["_embedded"]["user"]["id"])
return json.dumps(transaction_state)
def verify_totp():
print("verify_totp()")
okta_auth = OktaAuth(session)
body = request.get_json()
pass_code = None
factor_id = body["factor_id"]
state_token = body["state_token"]
if "pass_code" in body:
pass_code = body["pass_code"]
print("verifying factor ID {0} with code {1} ({2})".format(
factor_id, pass_code, state_token))
response = okta_auth.verify_totp(factor_id, state_token, pass_code)
return json.dumps(response)
def resend_push():
print("resend_push()")
body = request.get_json()
factor_id = body["factor_id"]
if "state_token" in body:
okta_auth = OktaAuth(session)
state_token = body["state_token"]
response = okta_auth.resend_push(factor_id, state_token)
else:
okta_admin = OktaAdmin(session)
user_id = body["user_id"]
response = okta_admin.resend_push(user_id, factor_id)
return json.dumps(response)
def poll_for_push_enrollment():
print("poll_for_push_enrollment()")
body = request.get_json()
factor_id = body["factor_id"]
if "state_token" in body:
state_token = body["state_token"]
okta_auth = OktaAuth(session)
response = okta_auth.poll_for_enrollment_push(factor_id, state_token)
else:
user_id = body["user_id"]
okta_admin = OktaAdmin(session)
response = okta_admin.poll_for_enrollment_push(user_id, factor_id)
return json.dumps(response)
def gbac_resend_push():
logger.debug("gbac_resend_push()")
body = request.get_json()
factor_id = body["factor_id"]
if "state_token" in body:
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
state_token = body["state_token"]
response = okta_auth.resend_push(factor_id, state_token)
else:
okta_admin = OktaAdmin(session[SESSION_INSTANCE_SETTINGS_KEY])
user_id = body["user_id"]
response = okta_admin.resend_push(user_id, factor_id)
return json.dumps(response)
def gbac_verify_totp():
logger.debug("gbac_verify_totp()")
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
body = request.get_json()
pass_code = None
factor_id = body["factor_id"]
state_token = body["state_token"]
# get state with token
if "pass_code" in body:
pass_code = body["pass_code"]
logger.debug("verifying factor ID {0} with code {1} ({2})".format(factor_id, pass_code, state_token))
response = okta_auth.verify_totp(factor_id, state_token, pass_code)
return json.dumps(response)
def enroll_totp():
print("enroll_totp()")
body = request.get_json()
factor_type = body["factor_type"]
provider = body["provider"]
if "stateToken" in body:
okta_auth = OktaAuth(session)
state_token = body["state_token"]
response = okta_auth.enroll_totp(state_token, factor_type, provider)
else:
okta_admin = OktaAdmin(session)
user_id = body["user_id"]
response = okta_admin.enroll_totp(user_id, factor_type, provider)
return json.dumps(response)
def activate_totp():
print("activate_totp()")
body = request.get_json()
factor_id = body["factor_id"]
pass_code = body["pass_code"]
if "state_token" in body:
okta_auth = OktaAuth(session)
state_token = body["state_token"]
response = okta_auth.activate_totp(factor_id, state_token, pass_code)
else:
okta_admin = OktaAdmin(session)
user_id = body["user_id"]
response = okta_admin.activate_totp(user_id, factor_id, pass_code)
return json.dumps(response)
def is_admin(token):
print("is_admin(token)")
result = False
okta_auth = OktaAuth(default_settings)
check_admin = TokenUtil.get_single_claim_from_token(token,"taa")
result = check_admin
return result
def activate(user_id, okta_session_id):
print("activate(user_id, okta_session_id)")
activation_response = {}
auth_response = make_response(redirect("/"))
okta_admin = OktaAdmin(session)
user = okta_admin.get_user(user_id)
if user:
activation_response = okta_admin.activate_user(user_id,
send_email=False)
print("activation_response: {0}".format(
json.dumps(activation_response, indent=4, sort_keys=True)))
if "okta_session_id":
print("Clearing exsisting session")
clear_session_response = okta_admin.close_session(okta_session_id)
print("clear_session_response: {0}".format(
json.dumps(clear_session_response, indent=4, sort_keys=True)))
if "activationToken" in activation_response:
okta_auth = OktaAuth(session)
auth_response = okta_auth.authenticate_with_activation_token(
activation_response["activationToken"])
# print("auth_response: {0}".format(json.dumps(auth_response, indent=4, sort_keys=True)))
if "sessionToken" in auth_response:
auth_response = login_token(auth_response["sessionToken"])
# status = MFA_ENROLL
# status = PASSWORD_RESET
elif "stateToken" in auth_response:
if "MFA_ENROLL" == auth_response["status"]:
auth_response = make_response(
redirect("/?stateToken={0}&showMFAEnroll=true".format(
auth_response["stateToken"])))
elif "PASSWORD_RESET" == auth_response["status"]:
auth_response = make_response(
redirect("/?stateToken={0}&showBDV=true".format(
auth_response["stateToken"])))
else:
auth_response = make_response(
redirect("/?stateToken={0}".format(
auth_response["stateToken"])))
return auth_response
def enroll_webauthn():
print("enroll_webauthn()")
body = request.get_json()
factor_type = body["factor_type"]
provider = body["provider"]
if "stateToken" in body:
okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY])
state_token = body["state_token"]
response = okta_auth.enroll_webauthn(state_token, factor_type,
provider)
else:
okta_admin = OktaAdmin(session[SESSION_INSTANCE_SETTINGS_KEY])
user_id = body["user_id"]
response = okta_admin.enroll_webauthn(user_id, factor_type, provider)
return json.dumps(response)
def enroll_push():
print("enroll_push()")
body = request.get_json()
factor_type = body["factor_type"]
provider = body["provider"]
if "state_token" in body:
# this is an enrollment during the authN process
okta_auth = OktaAuth(session)
state_token = body["state_token"]
response = okta_auth.enroll_push(state_token, factor_type, provider)
else:
user_id = body["user_id"]
okta_admin = OktaAdmin(session)
response = okta_admin.enroll_push(user_id, factor_type, provider)
return json.dumps(response)
def test():
print("test()")
if ("token" in request.cookies):
okta_auth = OktaAuth(session)
introspection_results_json = okta_auth.introspect(
token=request.cookies.get("token"), headers=request.headers)
print("introspection_results_json: {0}".format(
json.dumps(introspection_results_json, indent=4, sort_keys=True)))
if "active" in introspection_results_json:
if introspection_results_json["active"]:
print("Token is Valid")
else:
print("Token is Invalid")
else:
print("Token is Invalid")
return "TEST"
def get_authorize_url():
print("get_authorize_url()")
okta_auth = OktaAuth(session)
body = request.get_json()
session_token = body["session_token"]
session["state"] = str(uuid.uuid4())
oauth_authorize_url = get_oauth_authorize_url(session_token)
response = {"authorize_url": oauth_authorize_url}
return json.dumps(response)
def get_oauth_authorize_url(okta_session_token=None):
print("get_oauth_authorize_url()")
okta_auth = OktaAuth(session)
auth_options = {
"response_mode": "form_post",
"prompt": "none",
"scope": "openid profile email"
}
if "state" not in session:
session["state"] = str(uuid.uuid4())
if okta_session_token:
auth_options["sessionToken"] = okta_session_token
oauth_authorize_url = okta_auth.create_oauth_authorize_url(
response_type="code",
state=session["state"],
auth_options=auth_options)
return oauth_authorize_url