def get_oauth_authorize_url(okta_session_token=None, prompt=None): logger.debug("get_oauth_authorize_url()") okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) auth_options = { "response_mode": "form_post", "scope": "openid profile email" } if prompt is not None: auth_options["prompt"] = prompt if "state" not in session: session["oidc_state"] = str(uuid.uuid4()) else: session["oidc_state"] = session["state"] if okta_session_token: auth_options["sessionToken"] = okta_session_token oauth_authorize_url = okta_auth.create_oauth_authorize_url( response_type="code", state=session["oidc_state"], auth_options=auth_options) return oauth_authorize_url
def profile_bp(): logger.debug("profile_bp_profile()") if request.args.get('refreshtoken') == 'true': okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) auth_options = { "response_mode": "form_post", "prompt": "none", "scope": "openid profile email" } session["oidc_state"] = str(uuid.uuid4()) session[FROM_URI_KEY] = request.url.replace( "http://", "{0}://".format(session[SESSION_INSTANCE_SETTINGS_KEY] ["app_scheme"])) + "profile" oauth_authorize_url = okta_auth.create_oauth_authorize_url( response_type="code", state=session["oidc_state"], auth_options=auth_options) return redirect(oauth_authorize_url) else: return render_template( "/profile.html", templatename=get_app_vertical(), id_token=TokenUtil.get_id_token(request.cookies), access_token=TokenUtil.get_access_token(request.cookies), user_info=get_userinfo(), config=session[SESSION_INSTANCE_SETTINGS_KEY])
def pre_reg_password_set(): print("pre_reg_password_set()") json_data = request.get_json() print(json_data) password_set_response = {"success": False} okta_auth = OktaAuth(session) reset_response = okta_auth.reset_password_with_state_token( json_data["stateToken"], json_data["newPassword"]) print("reset_response: {0}".format( json.dumps(reset_response, indent=4, sort_keys=True))) if "errorSummary" in reset_response: password_set_response["errorMessage"] = reset_response["errorSummary"] if "errorCauses" in reset_response: password_set_response["errorMessages"] = [] for error_cause in reset_response["errorCauses"]: password_set_response["errorMessages"].append( {"errorMessage": reset_response["errorSummary"]}) else: password_set_response = create_login_response(json_data["username"], json_data["newPassword"], session) return json.dumps(password_set_response)
def oidc(): """ handler for the oidc call back of the app """ print("oidc()") # print(request.form) if "error" in request.form: print("ERROR: {0}, MESSAGE: {1}".format( request.form["error"], request.form["error_description"])) if session["state"] == request.form["state"]: oidc_code = request.form["code"] # print("oidc_code: {0}".format(oidc_code)) okta_auth = OktaAuth(okta_config) oauth_token = okta_auth.get_oauth_token( code=oidc_code, grant_type="authorization_code", auth_options={ "client_id": okta_config["client_id"], "client_secret": okta_config["client_secret"], }) # print("oauth_token: {0}".format(json.dumps(oauth_token, indent=4, sort_keys=True))) app_landing_page_url = okta_config["app_base_url"] response = make_response(redirect(app_landing_page_url)) response.set_cookie('token', oauth_token["access_token"]) response.set_cookie('id_token', oauth_token["id_token"]) else: print("FAILED TO MATCH STATE!!!") response = make_response(redirect("/")) session.pop("state", None) # return response print(response) return response
def ecommerce_order_summary(orderid): logger.debug("ecommerce_order_summary()") active_order = None user_info = get_userinfo() okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) storefront_system_token = okta_auth.get_oauth_system_token( session[SESSION_INSTANCE_SETTINGS_KEY]['settings'] ['storefront_system_client_id'], session[SESSION_INSTANCE_SETTINGS_KEY] ['settings']['storefront_system_client_secret'], session[SESSION_INSTANCE_SETTINGS_KEY]['settings'] ['storefront_system_client_scopes']) storefront = StorefrontFactory.getStorefrontProvider( session[SESSION_INSTANCE_SETTINGS_KEY]['settings'], user_info, TokenUtil.get_access_token(request.cookies), storefront_system_token['access_token']) if orderid is None: active_order = session["just_submitted_order_id"] del session["just_submitted_order_id"] else: active_order = orderid order = storefront.getOrder(active_order) return render_template("ecommerce/ordersummary.html", order=order, config=session[SESSION_INSTANCE_SETTINGS_KEY], _scheme="https")
def ecommerce_order_post(): user_info = get_userinfo() okta_admin = OktaAdmin(session[SESSION_INSTANCE_SETTINGS_KEY]) okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) storefront_system_token = okta_auth.get_oauth_system_token( session[SESSION_INSTANCE_SETTINGS_KEY]['settings'] ['storefront_system_client_id'], session[SESSION_INSTANCE_SETTINGS_KEY] ['settings']['storefront_system_client_secret'], session[SESSION_INSTANCE_SETTINGS_KEY]['settings'] ['storefront_system_client_scopes']) storefront = StorefrontFactory.getStorefrontProvider( session[SESSION_INSTANCE_SETTINGS_KEY]['settings'], user_info, TokenUtil.get_access_token(request.cookies), storefront_system_token['access_token']) cartId = None userId = None logger.debug("ecommerce_order_post()") logger.debug(request.form) if not user_info: cartId = session['guest_cart_id'] userId = request.form.get("email") else: cartId = session['customer_cart_id'] userId = user_info['email'] orderAddress = OrderShipAddress(request.form.get("firstName"), request.form.get("lastName"), request.form.get("address"), request.form.get("city"), request.form.get("state"), request.form.get("country"), request.form.get("zip")) orderBilling = OrderBillingInfo(request.form.get("cc-name"), request.form.get("cc-number"), 'visa', request.form.get("cc-expiration-month"), request.form.get("cc-expiration-year"), '1234') order = Order(None, None, orderAddress, orderBilling, None, None, None) #Post the order orderResponse = storefront.order(cartId, userId, order) session["just_submitted_order_id"] = orderResponse["orderId"] if "customer_cart_id" in session: del session['customer_cart_id'] if "guest_cart_id" in session: del session['guest_cart_id'] return redirect( url_for("ecommerce_views_bp.ecommerce_order_summary", _external="True", _scheme=session[SESSION_INSTANCE_SETTINGS_KEY]["app_scheme"], message="Order Complete", orderid=orderResponse["orderId"]))
def gbac_poll_for_push_verification(): logger.debug("gbac_poll_for_push_verification()") okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) body = request.get_json() factor_id = body["factor_id"] state_token = body["state_token"] response = okta_auth.send_push(factor_id, state_token) return json.dumps(response)
def poll_for_push_verification(): print("poll_for_push_verification()") okta_auth = OktaAuth(session) body = request.get_json() factor_id = body["factor_id"] state_token = body["state_token"] response = okta_auth.send_push(factor_id, state_token) return json.dumps(response)
def oidc_callback_handler(): """ handler for the oidc call back of the app """ logger.debug("oidc_callback_handler()") response = None logger.debug(request.form) has_app_level_mfa_policy = False if "code" in request.form: oidc_code = request.form["code"] okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) oauth_token = okta_auth.get_oauth_token( code=oidc_code, grant_type="authorization_code", auth_options={ "client_id": session[SESSION_INSTANCE_SETTINGS_KEY]["client_id"], "client_secret": session[SESSION_INSTANCE_SETTINGS_KEY]["client_secret"], }) logger.debug("oauth_token: {0}".format( json.dumps(oauth_token, indent=4, sort_keys=True))) app_landing_page_url = get_post_login_landing_page_url() response = make_response(redirect(app_landing_page_url)) okta_token_cookie = TokenUtil.create_encoded_okta_token_cookie( oauth_token["access_token"], oauth_token["id_token"]) # logger.debug("okta_token_cookie: {0}".format(okta_token_cookie)) response.set_cookie(TokenUtil.OKTA_TOKEN_COOKIE_KEY, okta_token_cookie) elif "error" in request.form: # This is in the case there is an Okta App level MFA policy logger.error("ERROR: {0}, MESSAGE: {1}".format( request.form["error"], request.form["error_description"])) if ("The client specified not to prompt, but the client app requires re-authentication or MFA." == request.form["error_description"]): has_app_level_mfa_policy = True # Error occured with Accessing the app instance if has_app_level_mfa_policy: error_message = "Failed to Authenticate. Please remove App Level MFA Policy and use a Global MFA Policy. Error: {0} - {1}".format( request.form["error"], request.form["error_description"]) response = gvalidation_bp_error(error_message) else: error_message = "Failed to Authenticate. Check to make sure the user has access to the application. Error: {0} - {1}".format( request.form["error"], request.form["error_description"]) response = gvalidation_bp_error(error_message) else: # catch all error response = gvalidation_bp_error( "Failed to Authenticate. Check to make sure the user has access to the application." ) return response
def verify_answer(): print("verify_answer()") okta_auth = OktaAuth(session) body = request.get_json() factor_id = body["factor_id"] state_token = body["state_token"] answer = body["answer"] response = okta_auth.verify_answer(factor_id, state_token, answer) return json.dumps(response)
def gbac_stepupauth_mfa(): logger.debug("gbac_stepupauth_mfa()") idtoken = request.form['id_token'] okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) test_token = okta_auth.introspect_mfa( idtoken, session[SESSION_INSTANCE_SETTINGS_KEY]["settings"] ["app_stepup_auth_clientid"]) return render_template("/mfa.html", templatename=get_app_vertical(), config=session[SESSION_INSTANCE_SETTINGS_KEY], idtoken=idtoken, test_token=test_token)
def is_token_valid_remote(token): print("is_token_valid_remote(token)") result = False okta_auth = OktaAuth(default_settings) instrospect_response = okta_auth.introspect(token=token) print("instrospect_response: {0}".format(instrospect_response)) if "active" in instrospect_response: result = instrospect_response["active"] return result
def gbac_verify_answer(): logger.debug("gbac_verify_answer()") okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) body = request.get_json() factor_id = body["factor_id"] state_token = body["state_token"] answer = body["answer"] response = okta_auth.verify_answer(factor_id, state_token, answer) return json.dumps(response)
def index(): """ handler for the root url path of the app """ print("index()") user = None modal_options = None state_token = request.args.get("stateToken") show_mfa_enroll = request.args.get("showMFAEnroll") show_bdv = request.args.get("showBDV") getNewTokenUrl = "" #print("state_token: {0}".format(state_token)) #print("show_mfa_enroll: {0}".format(state_token)) #print("show_bdv: {0}".format(state_token)) session["current_title"] = "{0} | {1} Home".format(session["base_title"], session["app_title"]) if (state_token): print("User needs to set credentials and prove who they are") okta_auth = OktaAuth(session) token_state = okta_auth.get_transaction_state(state_token) print("token_state: {0}".format( json.dumps(token_state, indent=4, sort_keys=True))) # Get user Claims from Id Token for signed in display if ("token" in request.cookies and "id_token" in request.cookies): id_token_claims = get_claims_from_token(request.cookies["id_token"]) if id_token_claims: if "sub" in id_token_claims: okta_admin = OktaAdmin(session) user = okta_admin.get_user(id_token_claims["sub"]) # print("user: {0}".format(user)) modal_options = get_modal_options(id_token_claims["sub"]) if not user: getNewTokenUrl = get_oauth_authorize_url() response = make_response( render_template("index.html", site_config=session, user=user, modal_options=modal_options, state_token=state_token, show_mfa_enroll=show_mfa_enroll, show_bdv=show_bdv, okta_widget_container_id="okta-login-container", getNewTokenUrl=getNewTokenUrl)) handle_invalid_tokens(session, response) return response
def streamingservice_revoketoken(): logger.debug("streamingservice_revoketoken()") client_id = session[SESSION_INSTANCE_SETTINGS_KEY]["settings"]["app_deviceflow_clientid"] client_secret = session[SESSION_INSTANCE_SETTINGS_KEY]["settings"]["app_deviceflow_clientsecret"] token = request.form['token'] tokenhint = request.form['tokenhint'] okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) okta_auth.revoke_token_with_clientid(token, client_id=client_id, client_secret=client_secret, token_type_hint=tokenhint) return "Completed"
def get_available_factors_by_state(state_token): """ Get all factors available by State Token """ print("get_available_factors_by_state()") okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) transaction_state = okta_auth.get_transaction_state(state_token) print("transaction_state: {0}".format( json.dumps(transaction_state, indent=4, sort_keys=True))) # available_factors = okta_admin.list_available_factors(transaction_state["_embedded"]["user"]["id"]) return json.dumps(transaction_state)
def verify_totp(): print("verify_totp()") okta_auth = OktaAuth(session) body = request.get_json() pass_code = None factor_id = body["factor_id"] state_token = body["state_token"] if "pass_code" in body: pass_code = body["pass_code"] print("verifying factor ID {0} with code {1} ({2})".format( factor_id, pass_code, state_token)) response = okta_auth.verify_totp(factor_id, state_token, pass_code) return json.dumps(response)
def resend_push(): print("resend_push()") body = request.get_json() factor_id = body["factor_id"] if "state_token" in body: okta_auth = OktaAuth(session) state_token = body["state_token"] response = okta_auth.resend_push(factor_id, state_token) else: okta_admin = OktaAdmin(session) user_id = body["user_id"] response = okta_admin.resend_push(user_id, factor_id) return json.dumps(response)
def poll_for_push_enrollment(): print("poll_for_push_enrollment()") body = request.get_json() factor_id = body["factor_id"] if "state_token" in body: state_token = body["state_token"] okta_auth = OktaAuth(session) response = okta_auth.poll_for_enrollment_push(factor_id, state_token) else: user_id = body["user_id"] okta_admin = OktaAdmin(session) response = okta_admin.poll_for_enrollment_push(user_id, factor_id) return json.dumps(response)
def gbac_resend_push(): logger.debug("gbac_resend_push()") body = request.get_json() factor_id = body["factor_id"] if "state_token" in body: okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) state_token = body["state_token"] response = okta_auth.resend_push(factor_id, state_token) else: okta_admin = OktaAdmin(session[SESSION_INSTANCE_SETTINGS_KEY]) user_id = body["user_id"] response = okta_admin.resend_push(user_id, factor_id) return json.dumps(response)
def gbac_verify_totp(): logger.debug("gbac_verify_totp()") okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) body = request.get_json() pass_code = None factor_id = body["factor_id"] state_token = body["state_token"] # get state with token if "pass_code" in body: pass_code = body["pass_code"] logger.debug("verifying factor ID {0} with code {1} ({2})".format(factor_id, pass_code, state_token)) response = okta_auth.verify_totp(factor_id, state_token, pass_code) return json.dumps(response)
def enroll_totp(): print("enroll_totp()") body = request.get_json() factor_type = body["factor_type"] provider = body["provider"] if "stateToken" in body: okta_auth = OktaAuth(session) state_token = body["state_token"] response = okta_auth.enroll_totp(state_token, factor_type, provider) else: okta_admin = OktaAdmin(session) user_id = body["user_id"] response = okta_admin.enroll_totp(user_id, factor_type, provider) return json.dumps(response)
def activate_totp(): print("activate_totp()") body = request.get_json() factor_id = body["factor_id"] pass_code = body["pass_code"] if "state_token" in body: okta_auth = OktaAuth(session) state_token = body["state_token"] response = okta_auth.activate_totp(factor_id, state_token, pass_code) else: okta_admin = OktaAdmin(session) user_id = body["user_id"] response = okta_admin.activate_totp(user_id, factor_id, pass_code) return json.dumps(response)
def is_admin(token): print("is_admin(token)") result = False okta_auth = OktaAuth(default_settings) check_admin = TokenUtil.get_single_claim_from_token(token,"taa") result = check_admin return result
def activate(user_id, okta_session_id): print("activate(user_id, okta_session_id)") activation_response = {} auth_response = make_response(redirect("/")) okta_admin = OktaAdmin(session) user = okta_admin.get_user(user_id) if user: activation_response = okta_admin.activate_user(user_id, send_email=False) print("activation_response: {0}".format( json.dumps(activation_response, indent=4, sort_keys=True))) if "okta_session_id": print("Clearing exsisting session") clear_session_response = okta_admin.close_session(okta_session_id) print("clear_session_response: {0}".format( json.dumps(clear_session_response, indent=4, sort_keys=True))) if "activationToken" in activation_response: okta_auth = OktaAuth(session) auth_response = okta_auth.authenticate_with_activation_token( activation_response["activationToken"]) # print("auth_response: {0}".format(json.dumps(auth_response, indent=4, sort_keys=True))) if "sessionToken" in auth_response: auth_response = login_token(auth_response["sessionToken"]) # status = MFA_ENROLL # status = PASSWORD_RESET elif "stateToken" in auth_response: if "MFA_ENROLL" == auth_response["status"]: auth_response = make_response( redirect("/?stateToken={0}&showMFAEnroll=true".format( auth_response["stateToken"]))) elif "PASSWORD_RESET" == auth_response["status"]: auth_response = make_response( redirect("/?stateToken={0}&showBDV=true".format( auth_response["stateToken"]))) else: auth_response = make_response( redirect("/?stateToken={0}".format( auth_response["stateToken"]))) return auth_response
def enroll_webauthn(): print("enroll_webauthn()") body = request.get_json() factor_type = body["factor_type"] provider = body["provider"] if "stateToken" in body: okta_auth = OktaAuth(session[SESSION_INSTANCE_SETTINGS_KEY]) state_token = body["state_token"] response = okta_auth.enroll_webauthn(state_token, factor_type, provider) else: okta_admin = OktaAdmin(session[SESSION_INSTANCE_SETTINGS_KEY]) user_id = body["user_id"] response = okta_admin.enroll_webauthn(user_id, factor_type, provider) return json.dumps(response)
def enroll_push(): print("enroll_push()") body = request.get_json() factor_type = body["factor_type"] provider = body["provider"] if "state_token" in body: # this is an enrollment during the authN process okta_auth = OktaAuth(session) state_token = body["state_token"] response = okta_auth.enroll_push(state_token, factor_type, provider) else: user_id = body["user_id"] okta_admin = OktaAdmin(session) response = okta_admin.enroll_push(user_id, factor_type, provider) return json.dumps(response)
def test(): print("test()") if ("token" in request.cookies): okta_auth = OktaAuth(session) introspection_results_json = okta_auth.introspect( token=request.cookies.get("token"), headers=request.headers) print("introspection_results_json: {0}".format( json.dumps(introspection_results_json, indent=4, sort_keys=True))) if "active" in introspection_results_json: if introspection_results_json["active"]: print("Token is Valid") else: print("Token is Invalid") else: print("Token is Invalid") return "TEST"
def get_authorize_url(): print("get_authorize_url()") okta_auth = OktaAuth(session) body = request.get_json() session_token = body["session_token"] session["state"] = str(uuid.uuid4()) oauth_authorize_url = get_oauth_authorize_url(session_token) response = {"authorize_url": oauth_authorize_url} return json.dumps(response)
def get_oauth_authorize_url(okta_session_token=None): print("get_oauth_authorize_url()") okta_auth = OktaAuth(session) auth_options = { "response_mode": "form_post", "prompt": "none", "scope": "openid profile email" } if "state" not in session: session["state"] = str(uuid.uuid4()) if okta_session_token: auth_options["sessionToken"] = okta_session_token oauth_authorize_url = okta_auth.create_oauth_authorize_url( response_type="code", state=session["state"], auth_options=auth_options) return oauth_authorize_url