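def loginMFA():
    """Primary-authenticate against Okta and fire a push to the user's first factor.

    Reads ``user`` / ``password`` from the submitted form, calls
    ``OktaUtil.authenticate``, stores the returned ``sessionToken`` in the
    Flask session, then calls ``push_factor_verification`` for the first
    entry in the user's factor list.  Any failure along the way clears the
    stored session token and yields one generic failure payload, so the
    caller cannot tell which step failed.

    Returns:
        A JSON string: the raw push-verification response on success, or
        ``{"status": "FAILED", "message": "Authentication Failed"}``.

    NOTE(review): the Okta session token is written to the session *before*
    the factor push is confirmed -- the push response is returned to the
    client but never inspected here.  Whether that token can be used
    without completing the factor depends on what the other handlers
    require; confirm before treating this endpoint as a full MFA gate.
    NOTE(review): ``factors[0]`` is simply whatever Okta lists first, not
    necessarily a push-capable factor -- verify against the org's
    enrolment policy.
    NOTE(review): the other handlers build ``OktaUtil(request.headers,
    config.okta)``; confirm the one-argument form used here picks up the
    same configuration.
    """
    print("loginMFA()")
    okta_util = OktaUtil(request.headers)
    user = request.form["user"]
    pwd = request.form["password"]  # credential: never log it
    try:
        # authenticate() is inside the try so a transport/API error yields
        # the same generic failure payload instead of an unhandled 500.
        auth = okta_util.authenticate(username=user, password=pwd)
        # A missing sessionToken (bad credentials, MFA_REQUIRED, ...) raises
        # KeyError and is handled like any other failure below.
        session[okta_util.OKTA_SESSION_TOKEN_KEY] = auth["sessionToken"]
        user_id = auth["_embedded"]["user"]["id"]
        factors = okta_util.list_factors(user_id=user_id)
        factor_id = factors[0]["id"]
        push_factor_response = okta_util.push_factor_verification(
            user_id=user_id, factor_id=factor_id)
    except Exception as exc:
        # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt
        # still propagate.  Only the exception class is logged: the message
        # could carry request data.
        print("loginMFA(): failed with {0}".format(type(exc).__name__))
        session[okta_util.OKTA_SESSION_TOKEN_KEY] = None
        push_factor_response = {"status": "FAILED", "message": "Authentication Failed"}
    return json.dumps(push_factor_response)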
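def push_multi_sms_mfa_code():
    """Re-enrol a user's SMS factor on a caller-chosen number and trigger the challenge.

    Request body (JSON): ``username`` and ``smsNumber``.  The number must
    appear in the user's profile attribute named by
    ``config.okta["multi_sms_allowed_numbers"]``; only then is any existing
    SMS factor unenrolled, a new one created for ``smsNumber`` and its
    ``verify`` (or ``activate``) link called via ``factor_verification``.

    Returns:
        A JSON string ``{"status": "success", "message": "sent"}``, plus
        ``verifyUrl`` when a factor was actually (re-)enrolled.  The same
        base payload is returned for unknown users and for numbers not on
        the allow-list, so the endpoint does not confirm which users exist.

    Security: this endpoint is reachable with nothing but a username, and
    changing the SMS factor changes where a later factor challenge -- and,
    via ``push_mfa_code`` in this file, a password-reset token -- is
    delivered.  The allow-list check is the only thing standing between a
    caller and re-pointing another user's factor at their own phone.
    """
    print("push_multi_sms_mfa_code()")
    request_json = request.get_json()
    print("request_json: {0}".format(request_json))
    user_name = request_json["username"]
    selected_sms_number = request_json["smsNumber"]
    okta_util = OktaUtil(request.headers, config.okta)
    user = okta_util.get_user(user_name)

    # Always send this down so a malicious user can not farm enrolled
    # factors.  (``verifyUrl`` added below does reveal the enrolled case;
    # drop it from the payload if strict non-enumeration is required.)
    response = {
        "status": "success",
        "message": "sent"
    }

    if "id" not in user:
        print("WARNING: User '{0}' does not exsist in Okta".format(user_name))
        return json.dumps(response)

    okta_user_id = user["id"]

    # 1) Verify the requested number is on the user's allow-list.
    #    FIX: the original computed ``has_valid_sms`` and never read it, so
    #    any caller could re-enrol any user's SMS factor on any number.
    #    Nothing below runs unless the number is allowed.
    if not _sms_number_allowed(user, selected_sms_number):
        print("WARNING: smsNumber not on allow-list for user '{0}'".format(user_name))
        return json.dumps(response)

    # 2) Enroll or re-enroll the number: unenrol the first existing SMS
    #    factor (as the original did), then create a fresh one.
    enrolled_factors = okta_util.list_factors(okta_user_id)
    print("enrolled_factors: {0}".format(
        json.dumps(enrolled_factors, indent=4, sort_keys=True)))
    existing_sms_id = next(
        (factor["id"] for factor in enrolled_factors
         if factor.get("factorType") == "sms"),
        None)
    if existing_sms_id:
        okta_util.unenroll_factor(okta_user_id, existing_sms_id)

    print("selected_sms_number: {0}".format(selected_sms_number))
    creation = okta_util.create_sms_factor(okta_user_id, selected_sms_number)
    okta_factor_id = creation["id"]
    print("factor_createion_response: {0}".format(
        json.dumps(creation, indent=4, sort_keys=True)))

    # Call the verify link (or the activate link for a pending factor) --
    # presumably this is what makes Okta send the SMS -- and hand the URL
    # back so the client can submit the code against it.
    links = creation.get("_links", {})
    for rel in ("verify", "activate"):
        if rel in links:
            verify_url = links[rel]["href"]
            okta_util.factor_verification(verify_url, None)
            response["verifyUrl"] = verify_url
            break

    print("okta_factor_id: {0}".format(okta_factor_id))
    return json.dumps(response)


def _sms_number_allowed(user, number):
    """True if ``number`` is in the user's multi-SMS allow-list profile attribute.

    The attribute name comes from ``config.okta["multi_sms_allowed_numbers"]``.
    A list/tuple is checked by membership; a bare string is compared for
    equality, because ``"1" in "+15551234567"`` is a substring test and
    would let almost any fragment through.  A missing profile or attribute
    means "not allowed".
    """
    profile = user.get("profile")
    if not isinstance(profile, dict):
        return False
    allowed = profile.get(config.okta["multi_sms_allowed_numbers"])
    if allowed is None:
        return False
    if isinstance(allowed, (list, tuple)):
        return number in allowed
    return allowed == number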
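def push_mfa_code():
    """Challenge a user's enrolled factor and, on success, mint a password-reset token.

    Request body (JSON): ``username``, ``factorType`` and optionally
    ``code``.  A factor matches when its ``factorType`` equals
    ``factorType`` with provider ``OKTA``, or when its ``provider`` equals
    ``factorType`` (presumably so a third-party factor can be picked by
    provider name -- verify against the client).  The match is passed to
    ``push_factor_verification`` together with ``code``; when Okta reports
    ``factorResult == "SUCCESS"`` the password is reset via
    ``reset_user_password`` and the token parsed out of
    ``resetPasswordUrl`` is returned as ``ott``.

    Returns:
        JSON string.  Base payload ``{"status": "success", "message":
        "sent"}``; ``factorResult`` / ``pollingUrl`` / ``ott`` are added
        from the Okta response; ``status: failed`` plus Okta's
        ``errorSummary`` when the verification call returned no
        ``factorResult``.

    Security: ``ott`` is a credential -- whoever completes one factor for
    ``username`` gets to set that user's password, and this handler performs
    no authentication beyond the factor itself.  It is therefore only as
    strong as control over factor enrolment (see the SMS re-enrol endpoint
    in this file).
    NOTE(review): the "always success" non-enumeration intent is weakened
    by the failed branch echoing Okta's ``errorSummary``; confirm that is
    the intended trade-off.
    """
    print("push_mfa_code()")
    request_json = request.get_json()
    # FIX: the body can contain the OTP; mask it before logging.
    print("request_json: {0}".format(_redact_code(request_json)))
    okta_util = OktaUtil(request.headers, config.okta)
    username = request_json["username"]
    factor_type = request_json["factorType"]
    code = request_json.get("code")  # None for push-style factors
    user = okta_util.get_user(username)

    # Always send this down so a malicious user can not farm enrolled factors.
    response = {
        "status": "success",
        "message": "sent"
    }

    if "id" not in user:
        print("WARNING: User '{0}' does not exsist in Okta".format(username))
        return json.dumps(response)

    okta_user_id = user["id"]
    okta_factor_id = None
    for factor in okta_util.list_factors(okta_user_id):
        print("factor: {0}".format(json.dumps(factor, indent=4, sort_keys=True)))
        provider = factor.get("provider")
        # No break, as in the original: the last matching factor wins.
        if (factor.get("factorType") == factor_type and provider == "OKTA") \
                or provider == factor_type:
            okta_factor_id = factor["id"]
            print("okta_factor_id: {0}".format(okta_factor_id))

    if not okta_factor_id:
        print("WARNING: User '{0}' not enrolled in factor: {1}".format(
            user["profile"]["login"], factor_type))
        return json.dumps(response)

    push_response = okta_util.push_factor_verification(
        okta_user_id, okta_factor_id, code)

    if "factorResult" not in push_response:
        # FIX: .get() so an error body without errorSummary does not 500.
        response["status"] = "failed"
        response["message"] = push_response.get(
            "errorSummary", "Factor verification failed")
        return json.dumps(response)

    factor_result = push_response["factorResult"]
    response["factorResult"] = factor_result
    # Hand the poll link back so the client can wait on an async (push) factor.
    poll = push_response.get("_links", {}).get("poll")
    if poll:
        response["pollingUrl"] = poll["href"]
    print("factorResult: {0}".format(factor_result))

    if factor_result == "SUCCESS":
        # Factor passed: reset the password and return the one-time token
        # that Okta embeds in resetPasswordUrl.
        password_reset_response = okta_util.reset_user_password(okta_user_id)
        # FIX: resetPasswordUrl carries the OTT -- do not log it verbatim.
        print("password_reset_response: {0}".format(json.dumps(
            _redact_reset_url(password_reset_response), indent=4, sort_keys=True)))
        response["ott"] = _strip_reset_prefix(
            password_reset_response["resetPasswordUrl"])

    return json.dumps(response)


def _redact_code(body):
    """Return a copy of the request body with ``code`` masked, for logging only."""
    if isinstance(body, dict) and "code" in body:
        masked = dict(body)
        masked["code"] = "***"
        return masked
    return body


def _redact_reset_url(body):
    """Return a copy of the reset response with ``resetPasswordUrl`` masked, for logging only."""
    if isinstance(body, dict) and "resetPasswordUrl" in body:
        masked = dict(body)
        masked["resetPasswordUrl"] = "***"
        return masked
    return body


def _strip_reset_prefix(reset_url):
    """Return the one-time token: ``reset_url`` minus ``<org_host>/reset_password/``.

    Same result as the original ``str.replace`` for a well-formed URL; a
    URL that does not start with the expected prefix is returned unchanged.
    """
    prefix = "{0}/reset_password/".format(config.okta["org_host"])
    if reset_url.startswith(prefix):
        return reset_url[len(prefix):]
    return reset_url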