23 changes: 16 additions & 7 deletions lib/auth/auth_with_roles_test.go
Expand Up @@ -5571,15 +5571,24 @@ func TestCreateAccessRequestV2_oktaReadOnly(t *testing.T) {
// 7. Run tests

t.Run("requesting okta resources but no okta plugin", func(t *testing.T) {
// Note: Okta-originated resources present in the cluster and no Okta plugin
// configured is the situation where the plugin was freshly deleted and the
// heartbeats for the Okta apps haven't expired yet. This is an edge-case so the
// error is a bit confusing.
// v18+ version:
/*
// Note: Okta-originated resources present in the cluster and no Okta plugin
// configured is the situation where the plugin was freshly deleted and the
// heartbeats for the Okta apps haven't expired yet. This is an edge-case so the
// error is a bit confusing.
for _, accessRequest := range testAccessRequests {
_, err := aliceClt.CreateAccessRequestV2(ctx, accessRequest)
require.Error(t, err)
require.True(t, trace.IsBadParameter(err))
require.ErrorContains(t, err, okta.OktaResourceNotRequestableError.Error())
}
*/

// v17 only - we need to support okta_service where no plugin exists:
for _, accessRequest := range testAccessRequests {
_, err := aliceClt.CreateAccessRequestV2(ctx, accessRequest)
require.Error(t, err)
require.True(t, trace.IsBadParameter(err))
require.ErrorContains(t, err, okta.OktaResourceNotRequestableError.Error())
require.NoError(t, err)
}
})

9 changes: 8 additions & 1 deletion lib/auth/okta/auth.go
Expand Up @@ -102,7 +102,14 @@ func CheckAccess(authzCtx *authz.Context, existingResource types.ResourceWithLab
func BidirectionalSyncEnabled(ctx context.Context, plugins services.Plugins) (bool, error) {
plugin, err := oktaplugin.Get(ctx, plugins, false /* withSecrets */)
if trace.IsNotFound(err) {
return false, nil
// v17 only: since we still support the legacy okta_service configuration there is
// a chance someone will configure app & groups sync and will create roles allowing
// Access Requests. If this is false then resources allowed by search_as_roles
// won't be allowed because the access checker will think this is a RO integration
// because for okta_service configuration there is no plugin in the backend.
// The support for okta_service is dropped in v18 so we should return false there.
trueInV17 := true
return trueInV17, nil
} else if err != nil {
return false, trace.Wrap(err, "getting Okta plugin")
}
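Review bot: Returning `true` on trace.IsNotFound makes every cluster without a registered Okta plugin report sync as enabled, which per the comment on the lines above switches off the read-only treatment in the access checker; that includes the case the test file's removed Note described, a plugin that was just deleted while the Okta app heartbeats are still live, so resources from the deleted plugin stay requestable until they expire. The comment should state that consequence alongside the okta_service motivation, and the doc comment on BidirectionalSyncEnabled (above this hunk) should say that a missing plugin is reported as enabled in v17. The `trueInV17 := true` temporary adds nothing over `return true, nil` with the comment left in place; if the goal is to make the v18 revert easy to find, `// TODO(v18): return false, nil once okta_service is dropped` does that more directly. BidirectionalSyncEnabled continues past the end of the hunk.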