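def loginMFA():
    """Authenticate posted credentials and start a push-factor challenge.

    Reads ``user`` and ``password`` from the submitted form, authenticates
    against Okta, stores the returned session token in the Flask ``session``
    and triggers push verification on the user's first enrolled factor.

    Returns:
        A JSON string: the push verification response from Okta on success,
        otherwise ``{"status": "FAILED", "message": "Authentication Failed"}``.
        The failure message is deliberately generic so the caller cannot tell
        which step (credentials, factors, verification) failed.
    """
    print("loginMFA()")

    okta_util = OktaUtil(request.headers)

    user = request.form["user"]
    pwd = request.form["password"]

    auth = okta_util.authenticate(username=user, password=pwd)
    try:
        session[okta_util.OKTA_SESSION_TOKEN_KEY] = auth["sessionToken"]
        user_id = auth["_embedded"]["user"]["id"]
        factors = okta_util.list_factors(user_id=user_id)
        # NOTE(review): the first enrolled factor is used regardless of its
        # factorType; a non-push factor here is expected to make the
        # verification call below fail and land in the except branch.
        factor_id = factors[0]["id"]
        push_factor_response = okta_util.push_factor_verification(
            user_id=user_id, factor_id=factor_id)
    except Exception:
        # A rejected login has no "sessionToken" (KeyError) and a user with
        # no factors has no factors[0] (IndexError); failures inside the Okta
        # calls are reported the same way. `except Exception` rather than a
        # bare except so KeyboardInterrupt/SystemExit still propagate.
        session[okta_util.OKTA_SESSION_TOKEN_KEY] = None
        push_factor_response = {"status": "FAILED",
                                "message": "Authentication Failed"}

    return json.dumps(push_factor_response)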
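def push_multi_sms_mfa_code():
    """Enroll the selected phone number as the user's SMS factor and send a code.

    Expects a JSON body with ``username`` and ``smsNumber``. The number must
    appear in the user's profile attribute named by
    ``config.okta["multi_sms_allowed_numbers"]``; if it does not, nothing is
    enrolled. Any SMS factor already enrolled is unenrolled first so the
    selected number replaces it.

    Returns:
        A JSON string. ``status``/``message`` are always ``success``/``sent``
        so an unknown user or a disallowed number is indistinguishable from a
        successful send; ``verifyUrl`` is added when Okta returned a
        ``verify`` or ``activate`` link for the new factor.
    """
    print("push_multi_sms_mfa_code()")
    request_json = request.get_json()
    print("request_json: {0}".format(request_json))
    user_name = request_json["username"]
    selected_sms_number = request_json["smsNumber"]

    okta_util = OktaUtil(request.headers, config.okta)
    user = okta_util.get_user(user_name)

    # Always send this down so a malicious user can not farm enrolled
    # factors or allowed numbers.
    response = {
        "status": "success",
        "message": "sent"
    }

    if "id" not in user:
        print("WARNING: User '{0}' does not exsist in Okta".format(user_name))
        return json.dumps(response)

    okta_user_id = user["id"]

    # 1) Verify the requested number is in the user's allow-list. The
    #    original computed this flag but never applied it, so any number
    #    could be enrolled; the generic response above is still returned.
    if not _is_allowed_sms_number(user, selected_sms_number):
        print("WARNING: requested SMS number is not in the allowed list for "
              "user '{0}'".format(user_name))
        return json.dumps(response)

    # 2) Unenroll an existing SMS factor (first one found) so the selected
    #    number replaces it.
    enrolled_factors = okta_util.list_factors(okta_user_id)
    print("enrolled_factors: {0}".format(
        json.dumps(enrolled_factors, indent=4, sort_keys=True)))
    existing_sms_factor_id = next(
        (factor["id"] for factor in enrolled_factors
         if factor["factorType"] == "sms"),
        None)
    if existing_sms_factor_id:
        okta_util.unenroll_factor(okta_user_id, existing_sms_factor_id)

    # 3) Enroll the selected number and kick off verification.
    print("selected_sms_number: {0}".format(selected_sms_number))
    factor_creation_response = okta_util.create_sms_factor(
        okta_user_id, selected_sms_number)
    okta_factor_id = factor_creation_response["id"]
    print("factor_createion_response: {0}".format(
        json.dumps(factor_creation_response, indent=4, sort_keys=True)))

    # Okta returns either a "verify" or an "activate" link for a new factor;
    # "verify" takes precedence, and either is handled the same way.
    links = factor_creation_response.get("_links", {})
    for link_name in ("verify", "activate"):
        if link_name in links:
            verify_url = links[link_name]["href"]
            okta_util.factor_verification(verify_url, None)
            response["verifyUrl"] = verify_url
            break

    print("okta_factor_id: {0}".format(okta_factor_id))
    print("factor_createion_response: {0}".format(
        json.dumps(factor_creation_response, indent=4, sort_keys=True)))

    return json.dumps(response)


def _is_allowed_sms_number(user, sms_number):
    """Return True if ``sms_number`` is in the user's allow-list profile attribute.

    The attribute name comes from ``config.okta["multi_sms_allowed_numbers"]``;
    a user without a profile or without that attribute has no allowed numbers.
    """
    allowed_attr = config.okta["multi_sms_allowed_numbers"]
    profile = user.get("profile", {})
    return allowed_attr in profile and sms_number in profile[allowed_attr]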
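def push_mfa_code():
    """Send or verify an MFA challenge and, on success, issue a reset token.

    Expects a JSON body with ``username``, ``factorType`` and optionally
    ``code`` (the one-time code being verified). Looks up the user's enrolled
    factor matching ``factorType``, calls push/verification on it and, when
    Okta reports ``factorResult == "SUCCESS"``, starts a password reset and
    returns the token part of the reset URL as ``ott``.

    Returns:
        A JSON string. ``status``/``message`` default to ``success``/``sent``
        so an unknown user or an unenrolled factor cannot be distinguished by
        the caller. When the verification call returned no ``factorResult``,
        ``status`` is ``failed`` and ``message`` carries Okta's
        ``errorSummary`` when present. ``factorResult``, ``pollingUrl`` and
        ``ott`` are added when available.
    """
    print("push_mfa_code()")
    request_json = request.get_json()
    # Do not echo a submitted one-time code into the log.
    logged_json = dict(request_json or {})
    if "code" in logged_json:
        logged_json["code"] = "<redacted>"
    print("request_json: {0}".format(logged_json))
    okta_util = OktaUtil(request.headers, config.okta)

    username = request_json["username"]
    factor_type = request_json["factorType"]
    code = request_json.get("code")

    user = okta_util.get_user(username)

    # Always send this down so a malicious user can not farm enrolled factors.
    response = {
        "status": "success",
        "message": "sent"
    }

    if "id" not in user:
        print("WARNING: User '{0}' does not exsist in Okta".format(username))
        return json.dumps(response)

    okta_user_id = user["id"]
    okta_factor_id = _find_factor_id(
        okta_util.list_factors(okta_user_id), factor_type)
    print("okta_factor_id: {0}".format(okta_factor_id))

    if not okta_factor_id:
        print("WARNING: User '{0}' not enrolled in factor: {1}".format(
            user["profile"]["login"], factor_type))
        return json.dumps(response)

    push_response = okta_util.push_factor_verification(
        okta_user_id, okta_factor_id, code)

    if "factorResult" not in push_response:
        response["status"] = "failed"
        # errorSummary is not guaranteed on an error response; the original
        # raised KeyError here and returned a 500 instead of the JSON error.
        response["message"] = push_response.get(
            "errorSummary", "Factor verification failed")
        return json.dumps(response)

    factor_result = push_response["factorResult"]
    response["factorResult"] = factor_result

    # Hand a polling link back to the client when Okta provides one.
    links = push_response.get("_links", {})
    if "poll" in links:
        response["pollingUrl"] = links["poll"]["href"]

    print("factorResult: {0}".format(factor_result))
    if factor_result == "SUCCESS":
        # The user passed the factor, so start the password reset and return
        # only the token part of the reset URL.
        password_reset_response = okta_util.reset_user_password(okta_user_id)
        # The reset URL is a bearer credential; keep it out of the log.
        logged_reset = dict(password_reset_response)
        if "resetPasswordUrl" in logged_reset:
            logged_reset["resetPasswordUrl"] = "<redacted>"
        print("password_reset_response: {0}".format(
            json.dumps(logged_reset, indent=4, sort_keys=True)))
        response["ott"] = password_reset_response["resetPasswordUrl"].replace(
            "{0}/reset_password/".format(config.okta["org_host"]), "")

    return json.dumps(response)


def _find_factor_id(enrolled_factors, factor_type):
    """Return the id of the enrolled factor matching ``factor_type``, or None.

    A factor matches when its ``factorType`` equals ``factor_type`` and its
    provider is ``OKTA``, or when its ``provider`` equals ``factor_type``.
    If several factors match, the last one listed wins, as in the original
    loop. Each factor is logged as it is inspected.
    """
    okta_factor_id = None
    for factor in enrolled_factors:
        print("factor: {0}".format(
            json.dumps(factor, indent=4, sort_keys=True)))
        is_okta_factor = (factor["factorType"] == factor_type
                          and factor["provider"] == "OKTA")
        if is_okta_factor or factor["provider"] == factor_type:
            okta_factor_id = factor["id"]
    return okta_factor_id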