Skip to content
This repository has been archived by the owner on May 18, 2021. It is now read-only.

feat: Persist device token cookie in keystore to prevent repeated MFA prompt #259

Merged
merged 2 commits into from
Dec 17, 2019

Conversation

sdann
Copy link
Contributor

@sdann sdann commented Dec 9, 2019

Overview

Based on @Chippiewill PR #213

When using MFA, Okta expects the device token cookie DT in addition to
the session ID cookie sid. If MFA is required in the Okta app and this
cookie is not sent the session fails. This causes aws-okta to go
through the entire authentication flow again, eliminating any benefits
of session caching.

This change persists the device token the same way as the session ID.

I've kept the existing API identical, adding new function calls that
take an OktaCookies struct.

Testing

Manual testing with Push notification and Okta AWS application setup to require MFA "Per Session" and "Once per Day".

With both patches in place, the Okta session is successfully reused, without MFA prompt, to create new AWS STS tokens when the previous STS token is expired.

sdann added 2 commits December 9, 2019 11:11
Based on @Chippiewill PR segmentio#213

When using MFA, Okta expects the device token cookie `DT` in addition to
the session ID cookie `sid`. If MFA is required in the Okta app and this
cookie is not sent the session fails. This causes `aws-okta` to go
through the entire authentication flow again, eliminating any benefits
of session caching.

This change persists the device token the same way as the session ID.

I've kept the existing API identical, adding new function calls that
take a OktaCookies struct.
Ask the server to remember MFA was entered. The Okta application decides
how long.

This prevents MFA from being requested on every request to Okta.

Fix Issue segmentio#257.
@sdann
Copy link
Contributor Author

sdann commented Dec 11, 2019

@nickatsegment any feedback on this PR?

Copy link
Contributor

@nickatsegment nickatsegment left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NewOktaClient2 is not especially cool, but I'm doing a big refactor, so will fix there.

@nickatsegment nickatsegment merged commit 18e92f7 into segmentio:master Dec 17, 2019
@sdann sdann deleted the mfa-prompts2 branch December 17, 2019 21:55
dkujawski added a commit to dkujawski/aws-okta that referenced this pull request Jan 31, 2020
dkujawski added a commit to dkujawski/aws-okta that referenced this pull request Feb 19, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants