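def is_okta_factor_poll_url(polling_url, org_host, okta_user_id):
    """Return True only if ``polling_url`` is a factor-transaction poll link on our own
    Okta org *for* ``okta_user_id``.

    ``polling_url`` comes straight from the client and is fetched with our Okta API
    credentials, so this check fails closed:

    * scheme+host must equal ``org_host`` (compared case-insensitively); the trailing
      "/" makes it an exact host match, so ``org.okta.com.evil.tld`` and
      ``org.okta.com@evil.tld`` are rejected;
    * the path must start with ``api/v1/users/{okta_user_id}/factors/`` (compared
      case-sensitively -- Okta ids are), which is the shape of the ``_links.poll.href``
      Okta returns for a push verification.  NOTE(review): if this deployment's poll
      links differ from that documented shape, bind the URL to the user in server-side
      session state rather than loosening this prefix.

    Anything that is not a string, or an empty user id, is rejected.
    """
    if not okta_user_id or not hasattr(polling_url, "startswith") or not org_host:
        return False
    host_prefix = org_host.rstrip("/") + "/"
    if polling_url[:len(host_prefix)].lower() != host_prefix.lower():
        return False
    path = polling_url[len(host_prefix):]
    return path.startswith("api/v1/users/{0}/factors/".format(okta_user_id))


def mfa_verification_poll():
    """Poll an Okta factor-verification transaction and, on SUCCESS, mint a password-reset token.

    JSON body: ``pollingUrl`` (the ``_links.poll.href`` handed out by ``push_mfa_code``)
    and ``userName``.  Returns Okta's poll response as a JSON string; when
    ``factorResult`` is ``SUCCESS`` it also carries ``ott``, the one-time token stripped
    from Okta's ``resetPasswordUrl``.  Malformed requests, unknown users and rejected
    URLs get ``{"status": "failed", ...}`` instead.

    Both inputs are attacker-controlled and nothing else ties them together, so before
    the URL is fetched or anything is reset it must (a) live on our own Okta org --
    otherwise this endpoint is an SSRF primitive that sends our Okta API token to any
    host and echoes the reply -- and (b) belong to the user whose password is about to
    be reset -- otherwise a caller can approve a push for an account they own and redeem
    it against any ``userName``.  See ``is_okta_factor_poll_url``.
    """
    print("mfa_verification_poll()")
    request_json = request.get_json() or {}
    if not isinstance(request_json, dict):
        request_json = {}
    print("request_json: {0}".format(
        json.dumps(request_json, indent=4, sort_keys=True)))

    polling_url = request_json.get("pollingUrl")
    user_name = request_json.get("userName")
    if not polling_url or not user_name:
        return json.dumps({"status": "failed",
                           "message": "missing pollingUrl or userName"})

    okta_util = OktaUtil(request.headers, config.okta)

    # Resolve the user first so the poll URL can be bound to them before it is fetched.
    user = okta_util.get_user(user_name)
    okta_user_id = user.get("id") if isinstance(user, dict) else None
    if not okta_user_id:
        print("WARNING: User '{0}' does not exist in Okta".format(user_name))
        return json.dumps({"status": "failed", "message": "verification failed"})

    if not is_okta_factor_poll_url(polling_url, config.okta["org_host"], okta_user_id):
        print("WARNING: rejected pollingUrl for user '{0}': {1}".format(
            user_name, polling_url))
        return json.dumps({"status": "failed", "message": "verification failed"})

    response = okta_util.execute_get(polling_url, None)
    if "factorResult" in response:
        print("factorResult: {0}".format(response["factorResult"]))
        if response["factorResult"] == "SUCCESS":
            # The user passed the factor, so issue the reset and hand back only the
            # token portion of Okta's reset URL.
            password_reset_response = okta_util.reset_user_password(okta_user_id)
            # Log the event, not the payload: resetPasswordUrl embeds the one-time token.
            print("password reset issued for user id {0}".format(okta_user_id))
            response["ott"] = password_reset_response["resetPasswordUrl"].replace(
                "{0}/reset_password/".format(config.okta["org_host"]), "")
    return json.dumps(response)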
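def push_mfa_code():
    """Start Okta factor verification for a user and, if it completes synchronously,
    mint a password-reset token.

    JSON body: ``username``, ``factorType`` (either an Okta ``factorType`` for an
    OKTA-provider factor, or a provider name such as ``GOOGLE``) and optionally ``code``
    (the OTP for code-based factors).  Returns a JSON string.

    ``status``/``message`` default to ``success``/``sent`` and are returned unchanged for
    unknown users and un-enrolled factors so the endpoint cannot be used to enumerate
    accounts or factors.  When Okta reports a ``factorResult`` it is echoed back together
    with any ``pollingUrl`` (``_links.poll.href``) the client should poll via
    ``mfa_verification_poll``; a synchronous ``SUCCESS`` (e.g. a correct OTP) triggers the
    password reset and returns the one-time token as ``ott``.  An Okta error yields
    ``status: failed`` with a generic message -- this still reveals that the user is
    enrolled in the factor, which code-entry UX needs, but Okta's own error wording is
    kept in the server log rather than sent to the caller.
    """
    print("push_mfa_code()")
    request_json = request.get_json() or {}
    if not isinstance(request_json, dict):
        request_json = {}
    # Never log the body verbatim: "code" is the user's OTP.
    print("request_json: {0}".format(json.dumps(
        {k: ("<redacted>" if k == "code" else v) for k, v in request_json.items()},
        sort_keys=True)))

    username = request_json.get("username")
    factor_type = request_json.get("factorType")
    code = request_json.get("code")

    # Always send this down so a malicious user can not farm enrolled factors.
    response = {"status": "success", "message": "sent"}
    if not username or not factor_type:
        return json.dumps({"status": "failed",
                           "message": "missing username or factorType"})

    okta_util = OktaUtil(request.headers, config.okta)
    user = okta_util.get_user(username)
    okta_user_id = user.get("id") if isinstance(user, dict) else None
    if not okta_user_id:
        print("WARNING: User '{0}' does not exist in Okta".format(username))
        return json.dumps(response)

    # Pick the enrolled factor the caller asked for: `factorType` names an Okta-native
    # factor, a provider name (e.g. GOOGLE) selects by provider.  Last match wins.
    okta_factor_id = None
    for factor in okta_util.list_factors(okta_user_id):
        print("factor: {0}".format(json.dumps(factor, indent=4, sort_keys=True)))
        provider = factor.get("provider")
        if (factor.get("factorType") == factor_type and provider == "OKTA") \
                or provider == factor_type:
            okta_factor_id = factor["id"]
    print("okta_factor_id: {0}".format(okta_factor_id))
    if not okta_factor_id:
        print("WARNING: User '{0}' not enrolled in factor: {1}".format(
            username, factor_type))
        return json.dumps(response)

    push_response = okta_util.push_factor_verification(okta_user_id, okta_factor_id, code)
    if "factorResult" not in push_response:
        # Okta rejected the attempt (wrong/expired OTP, locked factor, ...).  Keep the
        # detail server-side; errorSummary is Okta's wording and can expose factor state.
        print("WARNING: factor verification error for user '{0}': {1}".format(
            username, push_response.get("errorSummary")))
        response["status"] = "failed"
        response["message"] = "verification failed"
        return json.dumps(response)

    factor_result = push_response["factorResult"]
    print("factorResult: {0}".format(factor_result))
    response["factorResult"] = factor_result
    # Hand the client the poll link (if any) so it can finish via mfa_verification_poll.
    poll_href = push_response.get("_links", {}).get("poll", {}).get("href")
    if poll_href:
        response["pollingUrl"] = poll_href

    if factor_result == "SUCCESS":
        # The user passed the factor, so issue the reset and return only the token
        # portion of Okta's reset URL.
        password_reset_response = okta_util.reset_user_password(okta_user_id)
        # Log the event, not the payload: resetPasswordUrl embeds the one-time token.
        print("password reset issued for user id {0}".format(okta_user_id))
        response["ott"] = password_reset_response["resetPasswordUrl"].replace(
            "{0}/reset_password/".format(config.okta["org_host"]), "")
    return json.dumps(response)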