2/3 MFA options are broken in v2.0.0 release #284

Closed
tmann-fuze opened this issue Mar 22, 2019 · 14 comments

@tmann-fuze

I updated to v2.0.0 today and now MFA does not work for Push & SMS, however Verify (TOTP) still works.

If I roll back to 1.0.10, all three MFA options still work.

Here are my tests in v2.0.0.

Verify (TOTP) - WORKING

----snippet----
| => okta-aws test-okta-verify sts get-caller-identity
Username: myusername
Password:

Multi-Factor authentication is required. Please select a factor to use.
Factors:
[ 1 ] : Okta Verify (Push)
[ 2 ] : SMS Verification
[ 3 ] : Okta Verify (TOTP)
Selection: 3

OKTA Token Factor Authentication
Enter 'change factor' to use a different factor
Token:
646498

Please choose the role you would like to assume:
----snippet----

Verify (Push) - BROKEN

----snippet----
okta-aws test-okta-push sts get-caller-identity
Username: myusername
Password:

Multi-Factor authentication is required. Please select a factor to use.
Factors:
[ 1 ] : Okta Verify (TOTP)
[ 2 ] : SMS Verification
[ 3 ] : Okta Verify (Push)
Selection: 3

Push Factor Authentication
Exception in thread "main" org.json.JSONException: JSONObject["poll"] not found.
    at org.json.JSONObject.get(JSONObject.java:566)
    at org.json.JSONObject.getJSONObject(JSONObject.java:778)
    at com.okta.tools.authentication.OktaMFA.handlePushPolling(OktaMFA.java:293)
    at com.okta.tools.authentication.OktaMFA.verifyAnswer(OktaMFA.java:285)
    at com.okta.tools.authentication.OktaMFA.pushFactor(OktaMFA.java:242)
    at com.okta.tools.authentication.OktaMFA.getSessionToken(OktaMFA.java:103)
    at com.okta.tools.authentication.OktaMFA.promptForFactor(OktaMFA.java:64)
    at com.okta.tools.authentication.OktaAuthentication.getOktaSessionToken(OktaAuthentication.java:87)
    at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:47)
    at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:132)
    at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
    at com.okta.tools.WithOkta.main(WithOkta.java:30)
----snippet----

SMS - BROKEN

----snippet----
okta-aws test-okta-sms sts get-caller-identity
Username: myusername
Password:

Multi-Factor authentication is required. Please select a factor to use.
Factors:
[ 1 ] : Okta Verify (TOTP)
[ 2 ] : SMS Verification
[ 3 ] : Okta Verify (Push)
Selection: 2

SMS Factor Authentication
Enter 'change factor' to use a different factor
Exception in thread "main" org.json.JSONException: JSONObject["sessionToken"] not found.
    at org.json.JSONObject.get(JSONObject.java:566)
    at org.json.JSONObject.getString(JSONObject.java:851)
    at com.okta.tools.authentication.OktaMFA.verifyAnswer(OktaMFA.java:287)
    at com.okta.tools.authentication.OktaMFA.smsFactor(OktaMFA.java:166)
    at com.okta.tools.authentication.OktaMFA.getSessionToken(OktaMFA.java:97)
    at com.okta.tools.authentication.OktaMFA.promptForFactor(OktaMFA.java:64)
    at com.okta.tools.authentication.OktaAuthentication.getOktaSessionToken(OktaAuthentication.java:87)
    at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:47)
    at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:132)
    at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
    at com.okta.tools.WithOkta.main(WithOkta.java:30)
----snippet----

@AlainODea
Contributor

Thank you for your report. This is unanticipated. I will investigate.

@AlainODea
Contributor

An immediate workaround is OKTA_BROWSER_AUTH=true which delegates all authentication to an embedded browser.

I don't have access to Okta Push MFA or time to test SMS MFA. I use neither. A motivated developer who needs those MFA methods is encouraged to contribute a fix.

@atifrasheed79

I am having the same problem after upgrade besides setting OKTA_BROWSER_AUTH=true in my ./okta/config.properties.

Multi-Factor authentication is required. Please select a factor to use.
Factors:
[ 1 ] : Okta Verify (TOTP)
[ 2 ] : Okta Verify (Push)
Selection: 2

Push Factor Authentication
Exception in thread "main" org.json.JSONException: JSONObject["poll"] not found.
    at org.json.JSONObject.get(JSONObject.java:566)
    at org.json.JSONObject.getJSONObject(JSONObject.java:778)
    at com.okta.tools.authentication.OktaMFA.handlePushPolling(OktaMFA.java:293)
    at com.okta.tools.authentication.OktaMFA.verifyAnswer(OktaMFA.java:285)
    at com.okta.tools.authentication.OktaMFA.pushFactor(OktaMFA.java:242)
    at com.okta.tools.authentication.OktaMFA.getSessionToken(OktaMFA.java:103)
    at com.okta.tools.authentication.OktaMFA.promptForFactor(OktaMFA.java:64)
    at com.okta.tools.authentication.OktaAuthentication.getOktaSessionToken(OktaAuthentication.java:87)
    at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:47)
    at com.okta.tools.ListRoles.main(ListRoles.java:43)

@hecsalazar
Contributor

I submitted a PR to fix Browser and console problems:
#303

Please try and test.

@pschiffe

pschiffe commented Jun 7, 2019

@hecsalazar thank you for your PR!
@AlainODea could we get a new release with already merged fixes? v2.0.0 is currently unusable :-)

@AlainODea
Contributor

@pschiffe I’m not maintaining this anymore. Okta seems open to accepting a new community maintainer. #292

@pschiffe

pschiffe commented Jun 7, 2019

@AlainODea sorry, I missed that. Thanks for pointing it out :-)

@mraible

mraible commented Jun 7, 2019

I released 2.0.2 https://github.com/oktadeveloper/okta-aws-cli-assume-role/releases/tag/v2.0.2.

mraible closed this as completed Jun 7, 2019

@douglaswth
Contributor

The 2.0.2 release does not seem to have fixed the issue with the Okta Verify (Push) method:

Multi-Factor authentication is required. Please select a factor to use.
Factors:
[ 1 ] : Okta Verify (Push)
[ 2 ] : SMS Verification
[ 3 ] : Google Authenticator
[ 4 ] : Okta Verify (TOTP)
Selection: 1

Push Factor Authentication
Exception in thread "main" org.json.JSONException: JSONObject["poll"] not found.
        at org.json.JSONObject.get(JSONObject.java:566)
        at org.json.JSONObject.getJSONObject(JSONObject.java:778)
        at com.okta.tools.authentication.OktaMFA.handlePushPolling(OktaMFA.java:293)
        at com.okta.tools.authentication.OktaMFA.verifyAnswer(OktaMFA.java:285)
        at com.okta.tools.authentication.OktaMFA.pushFactor(OktaMFA.java:242)
        at com.okta.tools.authentication.OktaMFA.getSessionToken(OktaMFA.java:103)
        at com.okta.tools.authentication.OktaMFA.promptForFactor(OktaMFA.java:64)
        at com.okta.tools.authentication.OktaAuthentication.getOktaSessionToken(OktaAuthentication.java:87)
        at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:47)
        at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:132)
        at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
        at com.okta.tools.WithOkta.main(WithOkta.java:30)

@oaksenov

There is still an issue with push notification.
Also, readme states to use Java 1.8, but POM.XML uses Java 11.

@pschiffe

I can confirm too, that this is still broken, with the same stack-trace.

@hecsalazar
Contributor

Hi @oaksenov, I sent a PR to update the README to mention Java 11.
As for the MFA issues, unfortunately my setup does not include those, so I haven't had the chance to reproduce and fix.
If you have the chance, that might be a good thing.

@oaksenov

@hecsalazar, let me know what I can do to help to troubleshoot.

@hecsalazar
Contributor

hecsalazar commented Jun 11, 2019 via email
