okta / okta-auth-java
Home Page: https://github.com/okta/okta-auth-java
License: Apache License 2.0
Would like to have @Nullable and @NotNull annotations so that, when using the SDK with Kotlin, one would not need to use nullable params in the AuthenticationStateHandler implementation to ensure that it is truly non-null.
When using Kotlin and implementing the AuthenticationStateHandler interface, one would be able to tell whether AuthenticationResponse is nullable or non-null for sure.
What should have happened?
Please provide log or error messages if applicable.
Use Kotlin and create an implementation of the interface.
2.0.0
ℹ️ If you have a question, please post it on the Okta Developer Forum instead. Issues in this repository are reserved for bug reports and feature requests only.
We use a gateway that monitors the traffic to the actual login APIs to block malicious actors. When that happens, the call returns as an HTTP 4xx error with no payload.
But the OKTA SDK expects to always have a payload with errorCode when a failure is encountered, so DefaultAuthenticationClient.translateException() will throw a NullPointerException.
The SDK should gracefully handle the no-payload scenario and ideally return the HTTP code so the app can handle it appropriately (e.g. log the user out if it's blocked by the gateway for security reasons, show an error message if it's HTTP 500, etc.).
See Background info
NullPointerException is thrown by AuthenticationClient.authenticate()
2.0.2
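One way an application-side wrapper could handle the empty-body 4xx case described in the issue above, as an added example (not code from the SDK or from the reporter). `GatewayAwareErrorTranslator`, `AuthFailure` and the `Action` names are hypothetical, and the error body is modelled as a plain `Map` rather than any SDK type.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Hypothetical sketch: turn an HTTP error into a typed failure without assuming a JSON body. */
public class GatewayAwareErrorTranslator {

    /** What the application does next (illustrative names, taken from the issue's examples). */
    enum Action { SHOW_AUTH_ERROR, FORCE_LOGOUT, SHOW_RETRY_LATER }

    /** Always carries the HTTP status; errorCode is present only when a payload supplied one. */
    static final class AuthFailure extends Exception {
        final int httpStatus;
        final Optional<String> errorCode;

        AuthFailure(int httpStatus, String errorCode, String message) {
            super(message);
            this.httpStatus = httpStatus;
            this.errorCode = Optional.ofNullable(errorCode);
        }

        boolean hasPayload() {
            return errorCode.isPresent();
        }
    }

    /** Null-safe translation: a missing, empty or malformed body never causes a NullPointerException. */
    static AuthFailure translate(int httpStatus, Map<String, Object> body) {
        Object code = (body == null) ? null : body.get("errorCode");
        if (!(code instanceof String)) {
            // Gateway or proxy answered instead of the API: keep the status, report no error code.
            return new AuthFailure(httpStatus, null, "HTTP " + httpStatus + " with no error payload");
        }
        Object summary = body.get("errorSummary");
        String message = "HTTP " + httpStatus + ", " + code
                + (summary != null ? " (" + summary + ")" : "");
        return new AuthFailure(httpStatus, (String) code, message);
    }

    /** Policy assumed for this example: a 4xx without a payload is treated as a gateway block. */
    static Action decide(AuthFailure failure) {
        if (failure.httpStatus >= 500) {
            return Action.SHOW_RETRY_LATER;
        }
        if (!failure.hasPayload()) {
            return Action.FORCE_LOGOUT;
        }
        return Action.SHOW_AUTH_ERROR;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not captured traffic.
        Map<String, Object> apiError = new HashMap<>();
        apiError.put("errorCode", "E0000004");
        apiError.put("errorSummary", "Authentication failed");

        AuthFailure fromApi = translate(401, apiError);
        AuthFailure fromGateway = translate(403, null);          // blocked upstream, empty body
        AuthFailure serverSide = translate(500, new HashMap<>()); // empty JSON object

        for (AuthFailure f : new AuthFailure[] { fromApi, fromGateway, serverSide }) {
            System.out.println(f.getMessage() + " -> " + decide(f));
        }
    }
}
```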
Getting the following exception when migrating to okta-sdk-java 2.0.
<okta.version>2.0.0</okta.version>
<okta.auth.version>1.0.0</okta.auth.version>
Caused by: java.lang.NoClassDefFoundError: com/okta/sdk/lang/Classes
at com.okta.authn.sdk.client.AuthenticationClients.builder(AuthenticationClients.java:43) ~[okta-authn-sdk-api-1.0.0.jar:1.0.0]
at com.example.demo.OktaClientService.setup(OktaClientService.java:81) ~[classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_241]
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[na:1.8.0_241]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[na:1.8.0_241]
at java.lang.reflect.Method.invoke(Unknown Source) ~[na:1.8.0_241]
When I use okta-sdk-api:10.0.0 with okta-authn-sdk-api:2.0.9, it's failing to create the AuthenticationClient object due to the missing BaseClient class in okta-sdk-api:10.0.0.
Stacktrace:
java.lang.NoClassDefFoundError: com/okta/sdk/impl/client/BaseClient
at java.base/java.lang.ClassLoader.defineClass1(Native Method)
at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1012)
at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:150)
at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:862)
at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760)
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClientBuilder.build(DefaultAuthenticationClientBuilder.java:212)
For some reason the com.okta.sdk.ds.DataStore#instantiate method cannot do work for the DefaultAuthenticationResponse resource.
Error:
java.lang.NoSuchMethodException: com.okta.authn.sdk.impl.resource.DefaultAuthenticationResponse.<init>(com.okta.sdk.impl.ds.InternalDataStore)
We found an issue where we attempted to create OIDC access tokens for several users in our account, but when we use these access tokens to get the user's profile information it always returns the same user info for the first user we authenticate using the AuthenticationClient. We create a session token using the following command:
private String createSession(User user) {
    AuthenticationResponse loginResponse = AuthenticationClients.builder()
            .setOrgUrl(OKTA_ORG_URL)
            .build()
            .authenticate(user.getEmail(), user.getPassword(), null, null);
    if (AuthenticationStatus.SUCCESS.equals(loginResponse.getStatus())) {
        return loginResponse.getSessionToken();
    }
    // Any other status yields no session token (the posted snippet had no return on this path)
    return null;
}
We call this function for several of our Okta users. We then use these session tokens to generate access tokens using the /oauth2/v1/authorize endpoint. The access tokens are successfully generated, and we can call the /oauth2/v1/userinfo endpoint with each access token to get back user info, but every access token always returns the same user profile, and it always returns whoever the first user was to have a session token generated for them (we confirmed this by testing several different permutations).
We fixed our issue by pivoting away from the AuthenticationClient and just calling the /api/v1/authn endpoint directly, and our access tokens now return the expected user profiles. Not sure if others have experienced this issue, but we didn't see any previous issue created for this. We tried referencing the Java Docs for the AuthenticationClientBuilder here: https://developer.okta.com/okta-auth-java/development/apidocs/index.html?com/okta/authn/sdk/client/AuthenticationClientBuilder.html which makes a reference to a caching section:
"Understanding caching is extremely important when creating a AuthenticationClient instance, so please ensure you read the Caching section below."
However, that section appears to be missing from the docs, so we were unable to determine if there was a configuration issue we were missing on our end.
When I updated the okta-sdk-okhttp version to 1.6.0, the application started crashing.
implementation "com.okta.sdk:okta-sdk-okhttp:1.6.0"
Logs:
Caused by: java.lang.NoSuchFieldError: No static field INSTANCE of type Lorg/apache/http/conn/ssl/AllowAllHostnameVerifier; in class Lorg/apache/http/conn/ssl/AllowAllHostnameVerifier; or its superclasses (declaration of 'org.apache.http.conn.ssl.AllowAllHostnameVerifier' appears in /system/framework/framework.jar!classes3.dex)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.<clinit>(SSLConnectionSocketFactory.java:149)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.getSocketFactory(SSLConnectionSocketFactory.java:183)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.getDefaultRegistry(PoolingHttpClientConnectionManager.java:115)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.<init>
I didn't get proper documentation with this latest version. Can you please help to resolve this?
@arvindkrishnakumar-okta Thank you for adding this change in the latest OKTA release. I was implementing this change on our end and noticed that the key while fetching the rawFactor is incorrect. Instead of NESTED__FACTORS_PROPERTY (factors) it should be NESTED__FACTOR_PROPERTY (factor). I have attached a screenshot of the response for your reference. If needed I can make the change and create a new PR if you think this is correct.
Originally posted by @PreetamPatil in #87 (comment)
Hello,
I am trying to do MFA enrollment for a new user. The parameters the method takes are available for factor and state token, but I can't get FactorProfile.
Regards
get FACTOR PROFILE
not able to get FactorProfile
enrollment SMS and email
No response
1.2.1
:1.2.1
Issue
When a user status is set to locked_out, authenticationClient.authenticate() does not return the locked_out status. The following account statuses are being returned:
MFA_ENROLL
MFA_CHALLENGE
MFA_REQUIRED
PASSWORD_EXPIRED
Note: There could be other statuses that are not being returned but I have not tested them yet.
AuthenticationRequest AuthenticationRequest = authenticationClient.instantiate(AuthenticationRequest.class);
AuthenticationRequest.setUsername(user.getUsername());
AuthenticationRequest.setPassword(user.getPassword().toCharArray());
AuthenticationRequest.setContext(deviceToken);
authenticationResponse = authenticationClient.authenticate(AuthenticationRequest,requestContext, ignoringStateHandler);
System.out.println("Get Auth response from: ------> " + authenticationResponse.getStatusString()); //LOCKED_OUT status is not returned
Locked_out status
The authenticationResponse returns an authentication failure
AuthenticationRequest AuthenticationRequest = authenticationClient.instantiate(AuthenticationRequest.class);
AuthenticationRequest.setUsername(user.getUsername());
AuthenticationRequest.setPassword(user.getPassword().toCharArray());
AuthenticationRequest.setContext(deviceToken);
authenticationResponse = authenticationClient.authenticate(AuthenticationRequest,requestContext, ignoringStateHandler);
System.out.println("Get Auth response from: ------> " + authenticationResponse.getStatusString()); //LOCKED_OUT status is not returned
No response
java version "1.8.0_291"
Java(TM) SE Runtime Environment (build 1.8.0_291-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.291-b10, mixed mode)
1.8
No response
Hi Team,
I am looking to authenticate a staged user. The use case is that we have existing applications where we are moving away from the current IDP to Okta. We have a flow like below:
Please guide, if we are doing something wrong here.
Vivek Bedekar
I am using this SDK to implement a custom login experience on Android devices. I have noticed that the AuthenticationException's localizedMessage property does not seem to adhere to the device locale. This means that I cannot provide localized error messages to my French users when they, say, enter in an invalid MFA code. Our iOS developer that is building the iOS equivalent indicated that the SDK they are using does seem to return localized French messages for the corresponding calls, so I believe that translations should be available.
I have dug through the documentation for building a custom UI and found no reference regarding how to set locale:
https://developer.okta.com/docs/guides/build-custom-ui-mobile/android/main/
Is there a way to explicitly set the locale for the library?
On an Android device set to use a French locale, after calling the AuthenticationClient verifyFactor method using an incorrect MFA code, I should receive a FormValidationException error back with a localizedMessage like "Mot de passe invalide" (<-- Just an example, I used Google Translate to get a somewhat related string).
localizedMessages still appear to be returned in English ("Invalid Passcode/Answer") even if the Android device is set to French.
2.0.0
What is the correct way of making the following call via the auth sdk?
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" \
-d '{
"username": "[email protected]"
}' "https://${yourOktaDomain}/api/v1/authn/recovery/password"
The 3 approaches below all result in com.okta.sdk.resource.ResourceException: HTTP 403, Okta E0000006 (You do not have permission to perform the requested action), ErrorId oaeKo877F3cSvuSpMIaOBx60g
1
AuthenticationResponse authResponse = authenticationClient.recoverPassword("[email protected]", null, null, null);
2
AuthenticationResponse authResponse = authenticationClient.recoverPassword(authenticationClient
.instantiate(RecoverPasswordRequest.class)
.setUsername("[email protected]"), null);
3
ExtensibleResource body = authenticationClient.instantiate(ExtensibleResource.class);
body.put("username", "[email protected]");
AuthenticationResponse authResponse = authenticationClient
.getDataStore().http().setBody(body).post("/api/v1/authn/recovery/password",
AuthenticationResponse.class);
Hey everyone
I am using the 2.0 version of the okta auth java sdk and I noticed that when using the verifyFactor method on the authentication client, I will get a Resource Exception thrown when the user gets locked out from too many incorrect passcode attempts for an MFA (tested this with the SMS MFA).
I believe the verifyFactor method is only supposed to throw an AuthenticationException, so I think what may be happening is the Resource exception is being thrown before being constructed into AuthenticationException.
To test I did:
authenticationClient.authenticate(..) function call brings crash
Please let me know what OKHTTP client version you are using. I think it's about compatibility.
Okta authentication call crashes
Process: ai.scylla.mobilereporter, PID: 9196
java.lang.NoClassDefFoundError: Failed resolution of: Lokhttp3/internal/Util;
at com.okta.commons.http.okhttp.OkHttpRequestExecutor$InputStreamRequestBody.writeTo(OkHttpRequestExecutor.java:230)
at okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.kt:62)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:34)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:96)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:75)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:205)
at okhttp3.internal.connection.RealCall.execute(RealCall.kt:158)
at com.okta.commons.http.okhttp.OkHttpRequestExecutor.executeRequest(OkHttpRequestExecutor.java:164)
at com.okta.commons.http.RetryRequestExecutor.doExecuteRequest(RetryRequestExecutor.java:147)
at com.okta.commons.http.RetryRequestExecutor.executeRequest(RetryRequestExecutor.java:120)
at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:469)
at com.okta.sdk.impl.ds.DefaultDataStore.lambda$save$3$com-okta-sdk-impl-ds-DefaultDataStore(DefaultDataStore.java:343)
at com.okta.sdk.impl.ds.DefaultDataStore$$ExternalSyntheticLambda2.filter(Unknown Source:8)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47)
at com.okta.sdk.impl.ds.DefaultDataStore.save(DefaultDataStore.java:375)
at com.okta.sdk.impl.ds.DefaultDataStore.create(DefaultDataStore.java:264)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.doPost(DefaultAuthenticationClient.java:306)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.authenticate(DefaultAuthenticationClient.java:83)
at com.okta.authn.sdk.client.AuthenticationClient.authenticate(AuthenticationClient.java:108)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.authenticate(DefaultAuthenticationClient.java:74)
at ai.scylla.authentication.okta.OktaAuthManagerImpl$authenticateUser$2.invokeSuspend(OktaAuthManagerImpl.kt:545)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:39)
at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:571)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:678)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:665)
Caused by: java.lang.ClassNotFoundException: Didn't find class "okhttp3.internal.Util" on path: DexPathList[[zip file "/data/app/~~6MYmHTIXKEfKgloVxwXjwg==/ai.scylla.mobilereporter-R9hTKzmgRZZ8D9yRC0pFeg==/base.apk"],nativeLibraryDirectories=[/data/app/~~6MYmHTIXKEfKgloVxwXjwg==/ai.scylla.mobilereporter-R9hTKzmgRZZ8D9yRC0pFeg==/lib/arm64, /system/lib64, /system_ext/lib64]]
at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:218)
at java.lang.ClassLoader.loadClass(ClassLoader.java:379)
at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
at com.okta.commons.http.okhttp.OkHttpRequestExecutor$InputStreamRequestBody.writeTo(OkHttpRequestExecutor.java:230)
at okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.kt:62)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:34)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:96)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:75)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:205)
at okhttp3.internal.connection.RealCall.execute(RealCall.kt:158)
at com.okta.commons.http.okhttp.OkHttpRequestExecutor.executeRequest(OkHttpRequestExecutor.java:164)
at com.okta.commons.http.RetryRequestExecutor.doExecuteRequest(RetryRequestExecutor.java:147)
at com.okta.commons.http.RetryRequestExecutor.executeRequest(RetryRequestExecutor.java:120)
at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:469)
at com.okta.sdk.impl.ds.DefaultDataStore.lambda$save$3$com-okta-sdk-impl-ds-DefaultDataStore(DefaultDataStore.java:343)
at com.okta.sdk.impl.ds.DefaultDataStore$$ExternalSyntheticLambda2.filter(Unknown Source:8)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47)
at com.okta.sdk.impl.ds.DefaultDataStore.save(DefaultDataStore.java:375)
at com.okta.sdk.impl.ds.DefaultDataStore.create(DefaultDataStore.java:264)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.doPost(DefaultAuthenticationClient.java:306)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.authenticate(DefaultAuthenticationClient.java:83)
at com.okta.authn.sdk.client.AuthenticationClient.authenticate(AuthenticationClient.java:108)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.authenticate(DefaultAuthenticationClient.java:74)
at ai.scylla.authentication.okta.OktaAuthManagerImpl$authenticateUser$2.invokeSuspend(OktaAuthManagerImpl.kt:545)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:39)
at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:571)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:678)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:665)
It would be helpful if there was an AuthenticationBuilder, similar to the UserBuilder of the okta-sdk-api.
If one wants to create an authentication proxy or broker application, they need to craft their own AuthenticationRequest with a context (deviceToken) and options. So, the client.authenticate(username, password, relayState, handler) method doesn't cut it.
Also, I believe we'd need a way to set the User-Agent and X-Forwarded-For headers on each request. (Perhaps this should be a separate issue.)
The latest version 2.0.11 of this library does not support okta-sdk-java 13.x.x. The library depends on an unsupported okta-sdk-java 8.2.5.
What should have happened?
The library should support the latest okta-sdk-java and other Okta SDKs if any.
Please provide log or error messages if applicable.
If the current behavior is a bug, please provide the steps to reproduce and a minimal demo if possible.
okta-authn-java 2.0.11
In my application, we are using OKTA login with MFA factor (PUSH) and I want to add an extra security check correct answer feature in that. Trying to fetch "correctAnswer" from "AuthenticationResponse" but unfortunately, it's throwing an error as Error: "Unresolved reference: correctAnswer"
val oktaAuthStatus = loginResponse?.authData as? AuthenticationResponse
val oktaVerifyNumber = oktaAuthStatus?.correctAnswer
okta_sdk_Api = "2.0.0"
okta_sdk_impl = "2.0.0"
okta_sdk_okhttp = "2.0.0"
First, thank you for updating the library to support headers for proxy clients! I think the implementation is close to complete, but I did notice a minor annoyance. Details follow:
OBSERVED:
EXPECTED: The user should only have to MFA the first login attempt and once correctly passed MFA should not see MFA each and every login
Instead of passing a Header.xDeviceFingerprint(deviceFingerprint) to authenticate() as a RequestContext parameter, pass deviceFingerprint as part of the AuthenticationRequest parameter. Observe that MFA is correctly skipped in subsequent logins.
Hello,
Our team is trying to implement the primary authentication with trusted application flow, as described here in the API docs: https://developer.okta.com/docs/reference/api/authn/#primary-authentication-with-trusted-application.
We tried to use the Java Auth SDK (https://github.com/okta/okta-auth-java) to implement it, but it looks like this SDK does not support authentication via trusted application - the DefaultAuthenticationClientBuilder sets the client credentials resolver as a DisabledClientCredentialsResolver and does not allow setting the authorization mode - compare it to the ClientBuilder from the Management SDK: https://github.com/okta/okta-sdk-java, which does.
We didn't find an implementation for the authentication with trusted application flow in the Management SDK, either.
Is there any way we can implement authentication with a trusted application with any of the Java SDKs? For security reasons, we would like to avoid using the admin API token, and use the scoped OAuth 2.0 tokens (AuthorizationMode.PRIVATE_KEY).
How would you recommend we approach this?
Thank you,
Oana
compile group: 'com.okta.authn.sdk', name: 'okta-authn-sdk-api', version: "${oktaVersion}"
runtime group: 'com.okta.authn.sdk', name: 'okta-authn-sdk-impl', version: "${oktaVersion}"
runtime 'com.okta.sdk:okta-sdk-httpclient:${oktaVersion}'
it works. Looks like group in README.md is wrong
In my application, we are using the OKTA SDK (it has a dependency on the bouncy-castle) along with Plaid. If I try to update the Plaid SDK to the latest 3.5.0, we face issues like below.
Error: Duplicate class org.bouncycastle.LICENSE found in modules jetified-bcprov-jdk14-1.69 (org.bouncycastle:bcprov-jdk14:1.69) and jetified-bcprov-jdk15on-1.64 (org.bouncycastle:bcprov-jdk15on:1.64)
Currently, we are using: Plaid SDK-3.2.2
OKTA auth SDK-2.0.0
Unable to find an API to send an activation email when the user is unable to scan the QR code provided as part of an Okta Verify transaction. If for any reason the user can't scan the QR code, they can use the link provided in the email to complete the transaction during multi factor enrolment setup.
I didn't find any direct api wrapper for below REST api in android
https://${yourOktaDomain}/api/v1/authn/factors/opfh52xcuft3J4uZc0g3/lifecycle/activate/email
Able to locate below API in Swift, but unable to find for android.
sendActivationLinkViaEmail
https://github.com/okta/okta-auth-swift
Hi There,
Firstly, I am comparing this with the okta-sdk-java API, as both APIs are necessary for our legacy Spring Boot based integration with Okta. We are moving away from our current IS / SSO provider to Okta. To minimize the migration effort, we are leveraging both these APIs, wherein:
We are getting com.okta.sdk.client.Client bean injected directly through OktaSdkConfig for SDK api - which takes care of configuring client pointing to below properties
okta.client.token=yyyyyyy
okta.client.orgUrl=https://xxxxx.oktapreview.com
There is nothing similar to get com.okta.authn.sdk.client.AuthenticationClient bean like OktaSdkConfig in auth API. Hence when, we use
@Bean
public AuthenticationClient getOktaAuthenticationClient() {
    return AuthenticationClients.builder().build();
}
it doesn't pick up the Org URL & token configured in the app.prop file and fails with
threw exception; nested exception is java.lang.IllegalArgumentException: Okta org url must not be null.
Am I missing something ? I am using 1.0.0 version. API docs says - your prop files needs to be configured as above. Please guide.
After attempting to run with the following dependencies I get an error.
implementation 'com.okta.authn.sdk:okta-authn-sdk-api:2.0.5'
implementation('com.okta.authn.sdk:okta-authn-sdk-impl:2.0.5') {
exclude group: 'com.okta.sdk', module: 'okta-sdk-httpclient'
}
What should have happened?
Project should build.
Please provide log or error messages if applicable.
* What went wrong:
Execution failed for task ':app:mergeDebugJavaResource'.
A failure occurred while executing com.android.build.gradle.internal.tasks.MergeJavaResWorkAction
2 files found with path 'META-INF/okta/version.properties' from inputs:
- /Users/aaa/.gradle/caches/transforms-3/348e95eb48cb31286b1ef7ddf16ca3cc/transformed/jetified-okta-authn-sdk-impl-2.0.5.jar
- /Users/aaa/.gradle/caches/transforms-3/45074359597c34055990124bb0b74ae3/transformed/jetified-okta-sdk-impl-8.1.0.jar
Adding a packagingOptions block may help, please refer to
https://google.github.io/android-gradle-dsl/current/com.android.build.gradle.internal.dsl.PackagingOptions.html
for more information
If the current behavior is a bug, please provide the steps to reproduce and a minimal demo if possible.
2.0.5
val client = Clients.builder()
  .setOrgUrl(oktaDomain)
  .setClientCredentials(new TokenClientCredentials(apiToken))
  .build()
client.listUsers().asScala.foreach { u =>
  println(s"user: $u")
}
client.listUsers() throws exception
Exception in thread "main" com.okta.sdk.impl.ds.MarshalingException: Unable to convert InputStream String to Map.
at com.okta.sdk.impl.ds.JacksonMapMarshaller.unmarshal(JacksonMapMarshaller.java:100)
at com.okta.sdk.impl.ds.DefaultDataStore.getBody(DefaultDataStore.java:466)
at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:443)
at com.okta.sdk.impl.ds.DefaultDataStore.lambda$getResourceData$0(DefaultDataStore.java:193)
at com.okta.sdk.impl.ds.DefaultDataStore$$Lambda$34/891093184.filter(Unknown Source)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47)
at com.okta.sdk.impl.ds.cache.WriteCacheFilter.filter(WriteCacheFilter.java:34)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
at com.okta.sdk.impl.ds.cache.ReadCacheFilter.filter(ReadCacheFilter.java:42)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
at com.okta.sdk.impl.ds.DefaultDataStore.getResourceData(DefaultDataStore.java:205)
at com.okta.sdk.impl.ds.DefaultDataStore.getResource(DefaultDataStore.java:174)
at com.okta.sdk.impl.ds.DefaultDataStore.getResource(DefaultDataStore.java:169)
at com.okta.sdk.impl.ds.DefaultDataStore.getResource(DefaultDataStore.java:165)
at com.okta.sdk.impl.client.DefaultClient.listUsers(DefaultClient.java:793)
at OktaSample$.delayedEndpoint$com$parity$OktaSample$1(OktaSample.scala:20)
at OktaSample$delayedInit$body.apply(OktaSample.scala:9)
at scala.Function0.apply$mcV$sp(Function0.scala:39)
at scala.Function0.apply$mcV$sp$(Function0.scala:39)
at scala.runtime.AbstractFunction0.apply$mcV$sp(AbstractFunction0.scala:17)
at scala.App.$anonfun$main$1$adapted(App.scala:80)
at scala.App$$Lambda$5/1908153060.apply(Unknown Source)
at scala.collection.immutable.List.foreach(List.scala:392)
at scala.App.main(App.scala:80)
at scala.App.main$(App.scala:78)
at OktaSample$.main(OktaSample.scala:9)
at OktaSample.main(OktaSample.scala)
Caused by: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
at [Source: (ByteArrayInputStream); line: 1, column: 2]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:693)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:591)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2630)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:832)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:729)
at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3070)
at com.okta.sdk.impl
I suspect a bad token or URL, and it would be great to propagate a proper exception.
I could be missing something. In the current Okta Java Authentication SDK (okta-auth-java), I don't see any implementation to support Resource Owner Password Flow (https://developer.okta.com/authentication-guide/implementing-authentication/password/#_2-using-the-resource-owner-password-flow). We need this flow in our product. Please support it. Thanks.
dependencies:
compile group: 'com.okta.authn.sdk', name: 'okta-authn-sdk-api', version: "1.0.0"
runtime group: 'com.okta.authn.sdk', name: 'okta-authn-sdk-impl', version: "1.0.0"
runtime group: 'com.okta.sdk', name: 'okta-sdk-httpclient', version: '1.5.2'
code
val client = Clients.builder()
.setOrgUrl(oktaDomain)
.setClientCredentials(new TokenClientCredentials(apiToken))
.build()
exception
Exception in thread "main" java.lang.IllegalStateException: Unable to find a 'com.okta.sdk.impl.http.RequestExecutorFactory' implementation on the classpath. Please ensure you have added the okta-sdk-httpclient.jar file to your runtime classpath.
at com.okta.commons.lang.Classes.lambda$loadFromService$0(Classes.java:205)
at com.okta.commons.lang.Classes$$Lambda$19/431687835.get(Unknown Source)
at java.util.Optional.orElseThrow(Optional.java:290)
at com.okta.commons.lang.Classes.loadFromService(Classes.java:205)
at com.okta.sdk.impl.client.BaseClient.createRequestExecutor(BaseClient.java:103)
at com.okta.sdk.impl.client.BaseClient.<init>(BaseClient.java:72)
at com.okta.sdk.impl.client.AbstractClient.<init>(AbstractClient.java:60)
at com.okta.sdk.impl.client.DefaultClient.<init>(DefaultClient.java:117)
at com.okta.sdk.impl.client.DefaultClientBuilder.build(DefaultClientBuilder.java:322)
at OktaSample$.delayedEndpoint$com$parity$OktaSample$1(OktaSample.scala:17)
Hello,
I am working on trying to understand how this library works.
I am in the process of writing a little groovy script to help me understand the various MFA verification flows.
I have successfully gotten TOTP, sms, and calling working. I however am stuck trying to get push working.
Here is my AuthenticationStateHandler impl
class MyAuthenticationStateHandler extends AuthenticationStateHandlerAdapter {
    AuthenticationClient client

    MyAuthenticationStateHandler(AuthenticationClient client) {
        this.client = client
    }

    void handleMfaRequired(AuthenticationResponse mfaRequiredResponse) {
        println "MFA is require found the following factors:"
        mfaRequiredResponse.getFactors().eachWithIndex { Factor factor, int i ->
            println "${i}: ${factor.getProvider()} ${factor.getType()}"
        }
        def factorSelection = Integer.valueOf(System.console().readLine('Select factor to verify? '))
        def factor = mfaRequiredResponse.getFactors().get(factorSelection)
        def type = factor.getType().toString()
        switch (type) {
            case "token:software:totp":
                handleCode(factor, mfaRequiredResponse.getStateToken())
                break
            case "sms":
                triggerCodeGeneratingFactorAndPromptForCode(factor, mfaRequiredResponse.getStateToken())
                break
            case "call":
                triggerCodeGeneratingFactorAndPromptForCode(factor, mfaRequiredResponse.getStateToken())
                break
            case "push":
                handlePush(factor, mfaRequiredResponse.getStateToken())
                break
            default:
                throw new RuntimeException("Unknown factor type: ${type}")
        }
    }

    void handleUnknown(AuthenticationResponse typedUnknownResponse) {
        println("unknown / unhandled status: ${typedUnknownResponse.getStatus()} res: ${typedUnknownResponse}")
    }

    def triggerCodeGeneratingFactorAndPromptForCode(Factor factor, String stateToken) {
        client.challengeFactor(factor.getId(), stateToken, this)
        def code = System.console().readLine('Enter code: ')
        verifyCode(code, factor.getId(), stateToken)
    }

    def handleCode(Factor factor, String stateToken) {
        def otp = System.console().readLine('Enter one time code: ')
        verifyCode(otp, factor.getId(), stateToken)
    }

    def handlePush(Factor factor, String stateToken) {
        println("Triggering challenge")
        DefaultVerifyPushFactorRequest request = client.instantiate(DefaultVerifyPushFactorRequest.class)
        request.setStateToken(stateToken)
        request.setAutoPush(true)
        def resp = client.verifyFactor(factor.getId(), request, this)
        println("Verification has been pushed, waiting for user to acknowledge")
        client.pollFactor(factor.getId(), resp.getStateToken(), this)
        println("Verification has acknowledged")
    }

    def verifyCode(String code, id, stateToken) {
        DefaultVerifyPassCodeFactorRequest request = client.instantiate(DefaultVerifyPassCodeFactorRequest.class)
        request.setPassCode(code)
        request.setStateToken(stateToken)
        client.verifyFactor(id, request, this)
    }
}
and here is the whole poc script
#! /usr/bin/env groovy
import com.okta.authn.sdk.AuthenticationStateHandler
import com.okta.authn.sdk.client.AuthenticationClient
import com.okta.authn.sdk.client.AuthenticationClients
import com.okta.authn.sdk.AuthenticationStateHandlerAdapter
import com.okta.authn.sdk.impl.resource.DefaultVerifyPassCodeFactorRequest
import com.okta.authn.sdk.impl.resource.DefaultVerifyPushFactorRequest
import com.okta.authn.sdk.resource.AuthenticationResponse
import com.okta.authn.sdk.resource.Factor
import groovy.transform.Field

@Grapes([
    @Grab(group='com.okta.authn.sdk', module='okta-authn-sdk-api', version='0.1.0'),
    @Grab(group='com.okta.authn.sdk', module='okta-authn-sdk-impl', version='0.1.0'),
    @Grab(group='com.okta.sdk', module='okta-sdk-httpclient', version='1.2.0')
    // @Grab(group='ch.qos.logback', module='logback-classic', version='1.2.3')
])
@Field
def oktaUrl = System.getenv('OKTA_URL')
@Field
def oktaApiKey = System.getenv('OKTA_API_KEY')
@Field
def oktaUserName = System.getenv('OKTA_USERNAME')
@Field
String oktaPassword = System.getenv('OKTA_PASSWORD')

def main() {
    // Set the api token for the okta client to use, why can't I pass it into the client, wtf?
    System.setProperty("okta.client.token", oktaApiKey)
    AuthenticationClient client = AuthenticationClients.builder()
        .setOrgUrl(oktaUrl)
        .build()
    String username = oktaUserName ? oktaUserName : System.console().readLine('What is your Okta username? ')
    char[] passwordCharArr
    if (!oktaPassword) {
        print "What is your Okta password? "
        passwordCharArr = System.console().readPassword()
    } else {
        passwordCharArr = oktaPassword.toCharArray()
    }
    String relayState = ""
    AuthenticationStateHandler stateHandler = new MyAuthenticationStateHandler(client)
    AuthenticationResponse authResponse = client.authenticate(username, passwordCharArr, relayState, stateHandler)
    println("\nAuth response recieved: ${authResponse}")
}

class MyAuthenticationStateHandler extends AuthenticationStateHandlerAdapter {
    AuthenticationClient client

    MyAuthenticationStateHandler(AuthenticationClient client) {
        this.client = client
    }

    void handleMfaRequired(AuthenticationResponse mfaRequiredResponse) {
        println "MFA is require found the following factors:"
        mfaRequiredResponse.getFactors().eachWithIndex { Factor factor, int i ->
            println "${i}: ${factor.getProvider()} ${factor.getType()}"
        }
        def factorSelection = Integer.valueOf(System.console().readLine('Select factor to verify? '))
        def factor = mfaRequiredResponse.getFactors().get(factorSelection)
        def type = factor.getType().toString()
        switch (type) {
            case "token:software:totp":
                handleCode(factor, mfaRequiredResponse.getStateToken())
                break
            case "sms":
                triggerCodeGeneratingFactorAndPromptForCode(factor, mfaRequiredResponse.getStateToken())
                break
            case "call":
                triggerCodeGeneratingFactorAndPromptForCode(factor, mfaRequiredResponse.getStateToken())
                break
            case "push":
                handlePush(factor, mfaRequiredResponse.getStateToken())
                break
            default:
                throw new RuntimeException("Unknown factor type: ${type}")
        }
    }

    void handleUnknown(AuthenticationResponse typedUnknownResponse) {
        println("unknown / unhandled status: ${typedUnknownResponse.getStatus()} res: ${typedUnknownResponse}")
    }

    def triggerCodeGeneratingFactorAndPromptForCode(Factor factor, String stateToken) {
        client.challengeFactor(factor.getId(), stateToken, this)
        def code = System.console().readLine('Enter code: ')
        verifyCode(code, factor.getId(), stateToken)
    }

    def handleCode(Factor factor, String stateToken) {
        def otp = System.console().readLine('Enter one time code: ')
        verifyCode(otp, factor.getId(), stateToken)
    }

    def handlePush(Factor factor, String stateToken) {
        println("Triggering challenge")
        DefaultVerifyPushFactorRequest request = client.instantiate(DefaultVerifyPushFactorRequest.class)
        request.setStateToken(stateToken)
        request.setAutoPush(true)
        def resp = client.verifyFactor(factor.getId(), request, this)
        println("Verification has been pushed, waiting for user to acknowledge")
        client.pollFactor(factor.getId(), resp.getStateToken(), this)
        println("Verification has acknowledged")
    }

    def verifyCode(String code, id, stateToken) {
        DefaultVerifyPassCodeFactorRequest request = client.instantiate(DefaultVerifyPassCodeFactorRequest.class)
        request.setPassCode(code)
        request.setStateToken(stateToken)
        client.verifyFactor(id, request, this)
    }
}

main()
When I go through the flow trying push I am greeted with the following message.
client.pollFactor(factor.getId(), resp.getStateToken(), this)
Caused by: com.okta.sdk.resource.ResourceException: HTTP 403, Okta E0000079 (This operation is not allowed in the current authentication state. - This operation is not allowed in the current authentication state.), ErrorId oaegE9PlHH7TMSmH0cjd3WPCw
When updating SDK versions we noticed the appearance of a new crash originating in the Okta SDK (stack trace below). It only impacts users on Android 7.
Fatal Exception: java.lang.NoClassDefFoundError: Failed resolution of: Ljava/time/format/DateTimeFormatter;
at com.okta.commons.http.RequestUtils.<clinit>(RequestUtils.java:32)
at com.okta.commons.http.RequestUtils.fetchHeaderValueAndRemoveIfPresent(RequestUtils.java:93)
at com.okta.commons.http.okhttp.OkHttpRequestExecutor.executeRequest(OkHttpRequestExecutor.java:122)
at com.okta.commons.http.RetryRequestExecutor.doExecuteRequest(RetryRequestExecutor.java:147)
at com.okta.commons.http.RetryRequestExecutor.executeRequest(RetryRequestExecutor.java:120)
at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:442)
at com.okta.sdk.impl.ds.DefaultDataStore.lambda$save$2(DefaultDataStore.java:316)
at com.okta.sdk.impl.ds.DefaultDataStore.$r8$lambda$gKSDnks1-IbOCylz54X-TzaK5-s(DefaultDataStore.java)
at com.okta.sdk.impl.ds.DefaultDataStore$$InternalSyntheticLambda$0$c4e7d458d0255d3533048628a92b18309bb945b5c716d564711e1a81e9edfaf4$0.filter(DefaultDataStore.java)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47)
at com.okta.sdk.impl.ds.DefaultDataStore.save(DefaultDataStore.java:348)
at com.okta.sdk.impl.ds.DefaultDataStore.create(DefaultDataStore.java:246)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.doPost(DefaultAuthenticationClient.java:301)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.authenticate(DefaultAuthenticationClient.java:83)
at com.okta.authn.sdk.client.AuthenticationClient.authenticate(AuthenticationClient.java:108)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.authenticate(DefaultAuthenticationClient.java:74)
No crash
Crash
Occurs for users on Android 7 when logging in with username and password (authenticationClient.authenticate(email, password, ...))
Updated versions are:
implementation "com.okta.authn.sdk:okta-authn-sdk-api:2.0.2"
runtimeOnly "com.okta.authn.sdk:okta-authn-sdk-impl:2.0.2"
implementation "com.okta.android:okta-oidc-android:1.3.2"
runtimeOnly "com.okta.sdk:okta-sdk-okhttp:8.2.1"
Previous versions were:
implementation "com.okta.authn.sdk:okta-authn-sdk-api:2.0.0"
runtimeOnly "com.okta.authn.sdk:okta-authn-sdk-impl:2.0.0"
implementation "com.okta.android:okta-oidc-android:1.2.2"
runtimeOnly "com.okta.sdk:okta-sdk-okhttp:2.0.0"
Should be in the format of okta-auth-java/${version}
fixed in #2
The method signatures on the AuthenticationClient seem a bit conflicting to me: The methods both return the AuthenticationResponse as well as feeding that value to the AuthenticationStateHandler before returning. Typically, when passing in a handler such as this, I'd expect the method to be asynchronous and to return void.
What I'd propose is to restructure it a bit so a) the methods do not take the handler and b) the case logic lives in the handler or a separate class.
AuthenticationStateHandler handler = createMyHandler();
AuthenticationResponse response = client.authenticate(user, pass, relayState);
handler.handle(response);
// or response.process(handler); or something else
Perhaps there's a reason for this approach, but I didn't find one in the commit history. If there's a better place to have this discussion, please feel free to redirect me and close this.
Brian, quick follow-up question
How do I get the AuthenticationResponse object using this API if I don't have the id / pwd in my Spring Boot app? I do have the Authentication object in SecurityContext, which doesn't provide me the id_token, which I need for logout URL configuration. Any help / guidance appreciated.
Hello, I'm implementing native sign-in on Android using this example from Okta OIDC Android repository.
I'm calling this method from the background thread:
GlobalScope.launch(IO) {
    authenticationClient.authenticate(
        login, password.toCharArray(), null,
        sessionTokenCallback
    )
}
and got the next error:
2020-03-18 16:44:43.046 21568-21671/com.mypackname.nsp E/AndroidRuntime: FATAL EXCEPTION: DefaultDispatcher-worker-2
Process: com.mypackname.nsp, PID: 21568
com.okta.sdk.resource.ResourceException: HTTP 405, Okta E0000022 (The endpoint does not support the provided HTTP method), ErrorId oaeMPidYiw9RSSSLI9nohkI4A
at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:453)
at com.okta.sdk.impl.ds.DefaultDataStore.lambda$save$1$DefaultDataStore(DefaultDataStore.java:314)
at com.okta.sdk.impl.ds.-$$Lambda$DefaultDataStore$fo-umUTYx0eD5hn0AHqFzrmI4sg.filter(Unknown Source:8)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47)
at com.okta.sdk.impl.ds.DefaultDataStore.save(DefaultDataStore.java:346)
at com.okta.sdk.impl.ds.DefaultDataStore.create(DefaultDataStore.java:244)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.doPost(DefaultAuthenticationClient.java:324)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.authenticate(DefaultAuthenticationClient.java:106)
at com.okta.authn.sdk.client.AuthenticationClient.authenticate(AuthenticationClient.java:108)
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.authenticate(DefaultAuthenticationClient.java:97)
at com.mypackname.nsp.view.auth.AuthViewModel$login$1.invokeSuspend(AuthViewModel.kt:148)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(Dispatched.kt:241)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:594)
at kotlinx.coroutines.scheduling.CoroutineScheduler.access$runSafely(CoroutineScheduler.kt:60)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:740)
2020-03-18 16:44:43.084 21568-21671/com.mypackname.nsp I/Process: Sending signal. PID: 21568 SIG: 9
Do you have any ideas why I get 405 error?
I am trying to set up this project as Maven to try out the examples for understanding my use case implementation.
However, I am facing a build error complaining about the lifecycle configuration related to the derived parent pom (okta-parent) for the goals below. Could you point me to where I am going wrong?
addSources
addTestSources
generateStubs
compile
generateTestStubs
compileTests
removeStubs
removeTestStubs
We are implementing a custom MFA UI and are using resend code or one time passcode. We are successful in using resend code. However we are running into issues when invoking resend code/OTP....especially when the code has expired after 5 minutes.
Describe your issue or request here (if necessary).
Receive a new one time passcode even if the original has expired after 5 minutes.
What should have happened?
Receive a new one time passcode even if the original has expired after 5 minutes.
Using the snippet of code below, we get an exception message of "com.okta.authn.sdk.InvalidTokenException: Invalid token provided". Especially when trying to get a new one time passcode after the original has expired over 5 minutes. Please keep in mind ....using the same code below we can get a new one time passcode if we request a new OTP code within 5 minutes.
try {
    _authenticationResponse = _client.resendVerifyFactor(
        factorId, _authenticationResponse.getStateToken(), _requestContext, AuthenticationStateHandler(result, activity)
    );
} catch (exception: Exception) {
    Log.d("000","Error from receiving a new one time passcode $exception")
}
Please provide log or error messages if applicable.
Login with an account that has MFA policies. Request a new OTP after 5 minutes. Especially after the first OTP has been received via email or sms.
If the current behavior is a bug, please provide the steps to reproduce and a minimal demo if possible.
2.0.4
All,
We are currently having login issues with Pixel 3 phones with Android 10. Build number QP1A.191005.007. The problem is that we have other Pixel phones of similar models and build numbers that don't have any login issues. When we do have a login issue we start to see logs indicating that the session token is null. The version of Okta libraries that we are using is listed below:
com.okta.android:oidc-android:1.0.3
com.okta.authn.sdk:okta-authn-sdk-api:0.4.0
com.okta.authn.sdk:okta-authn-sdk-impl:0.4.0
com.okta.sdk:okta-sdk-okhttp:1.5.2
Has anyone been experiencing this issue? We are trying to debug our code using the correct Okta config for development and/or production. But we can't replicate a null session token and our test/production users login just fine.
Thanks for any tips or guidance.
Hi, I'm trying to use the okta-authn-sdk but I cannot even instantiate the AuthenticationClient object as it tries to use a deprecated function that does not exist anymore in HttpClientConfiguration, which is getRequestExecutorParams().
The object should instantiate
java.lang.NoSuchMethodError: com.okta.commons.http.config.HttpClientConfiguration.getRequestExecutorParams()Ljava/util/Map;
at com.okta.commons.http.httpclient.HttpClientRequestExecutor.<init>(HttpClientRequestExecutor.java:105) ~[okta-http-httpclient-1.3.0.jar:1.3.0]
at com.okta.commons.http.httpclient.HttpClientRequestExecutorFactory.create(HttpClientRequestExecutorFactory.java:32) ~[okta-http-httpclient-1.3.0.jar:1.3.0]
at com.okta.sdk.impl.client.BaseClient.createRequestExecutor(BaseClient.java:75) ~[okta-sdk-impl-2.0.0.jar:2.0.0]
at com.okta.sdk.impl.client.BaseClient.<init>(BaseClient.java:44) ~[okta-sdk-impl-2.0.0.jar:2.0.0]
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.<init>(DefaultAuthenticationClient.java:68) ~[okta-authn-sdk-impl-2.0.0.jar:2.0.0]
at com.okta.authn.sdk.impl.client.DefaultAuthenticationClientBuilder.build(DefaultAuthenticationClientBuilder.java:212) ~[okta-authn-sdk-impl-2.0.0.jar:2.0.0]
at com.unifygroup.passwordimportinlinehook.Controller.eventHook(Controller.java:44) ~[classes/:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_312]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_312]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_312]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_312]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) ~[spring-web-5.3.16.jar:5.3.16]
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150) ~[spring-web-5.3.16.jar:5.3.16]
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117) ~[spring-webmvc-5.3.16.jar:5.3.16]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895) ~[spring-webmvc-5.3.16.jar:5.3.16]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808) ~[spring-webmvc-5.3.16.jar:5.3.16]
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.3.16.jar:5.3.16]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1067) ~[spring-webmvc-5.3.16.jar:5.3.16]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.16.jar:5.3.16]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.3.16.jar:5.3.16]
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909) ~[spring-webmvc-5.3.16.jar:5.3.16]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:681) ~[tomcat-embed-core-9.0.58.jar:4.0.FR]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.3.16.jar:5.3.16]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764) ~[tomcat-embed-core-9.0.58.jar:4.0.FR]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) ~[tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-embed-websocket-9.0.58.jar:9.0.58]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar:9.0.58]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.16.jar:5.3.16]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.16.jar:5.3.16]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar:9.0.58]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.16.jar:5.3.16]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.16.jar:5.3.16]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar:9.0.58]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.16.jar:5.3.16]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.16.jar:5.3.16]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:359) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1735) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-embed-core-9.0.58.jar:9.0.58]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.58.jar:9.0.58]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_312]
AuthenticationClient client = AuthenticationClients.builder()
.setOrgUrl("https://yourOktatenant")
.build();
<okta.version>8.0.0</okta.version> <--- also tried with 5.0.0 or 9.0.0-beta
<okta.authn.version>2.0.0</okta.authn.version>
We noticed a difference between some environments and we are trying to identify if it could be indeed environment version related or SDK behaviour.
User locked out used to throw an Authentication Exception - com.okta.authn.sdk.AuthenticationException (and it's the current behaviour on a production environment).
In lower environments, user locked out is now returning: com.okta.sdk.resource.ResourceException: HTTP 403, Okta E0000069 (User Locked)
As currently the exceptions are handling Authentication and not Resource exception, we would just like to understand the scenario first and if the effort of extending/adding a new catch will indeed be needed.
Thanks in advance.
Below is a snippet:
public IdpCommandResponse exec(Map<String, String> inputParams, ConfigurationParameters osgiConfig) {
    String username = inputParams.get(FormConstants.J_USERNAME);
    String password = inputParams.getOrDefault(FormConstants.J_PASSWORD, StringUtils.EMPTY);
    String relayStateParam = inputParams.get(FormConstants.J_RELAYSTATE);
    Map<String,String> relayStateMap = new HashMap<>();
    if(StringUtils.isNotEmpty(relayStateParam)){
        relayStateMap.put("path", relayStateParam);
    }
    String relayState = OpenIdUtil.encodeRelayState(relayStateMap);
    DummyAuthenticationStateHandler stateHandler = new DummyAuthenticationStateHandler();
    IdpCommandResponse idpResponse = null;
    try {
        LOG.debug("[LoginCommand] - Making Okta Login with {}:{}",username,relayState);
        AuthenticationClient client = AuthenticationClients.builder()
            .setOrgUrl((String)osgiConfig.get(AuthenticationConstants.DOMAIN_NAME)).build();
        AuthenticationResponse loginResponse = client.authenticate(username, password.toCharArray(), relayState, stateHandler);
        LOG.debug("[LoginCommand] - Response for {}:{} is {}", username,relayState,loginResponse.getStatus());
        switch(loginResponse.getStatus()){
            case MFA_REQUIRED :
                idpResponse = createIdpResponseForOtp(loginResponse,inputParams);
                break;
            case SUCCESS:
                idpResponse = OktaCommandFactory.execAuthorizeCommand(loginResponse.getSessionToken(),loginResponse.getRelayState(),osgiConfig);
                break;
            case LOCKED_OUT:
                CommandError error = new CommandError();
                error.setErrorCode(loginResponse.getStatusString());
                error.setHttpStatusCode(403);
                error.setErrorMsg(loginResponse.getStatusString());
                idpResponse = OktaCommandFactory.createErrorResponse(error);
                break;
            default:
                idpResponse = OktaCommandFactory.execUnknownStateCommand(osgiConfig);
        }
    }catch (AuthenticationException e) {
        LOG.error("Exception while making login call {}:{}",e.getMessage(),e.getCode());
        LOG.debug("Exception while making login call",e);
        CommandError error = new CommandError();
        error.setErrorCode(e.getCode());
        error.setHttpStatusCode(e.getStatus());
        error.setErrorMsg(e.getMessage());
        idpResponse = OktaCommandFactory.createErrorResponse(error);
    }
    return idpResponse;
}
To help avoid misconfiguration, this library should implement these checks against common errors: https://oktawiki.atlassian.net/wiki/spaces/PM/pages/552049922/Library+configuration+checks
For this library, checks against Okta domain (base URL) apply.
I could be missing it but I was going to use this api as a part of my 'activation' flow. The idea that I would post to /api/v1/authn with a {"token": "blahblah"} and get the user back plus password policy etc.
I'm not super familiar with this implementation of the api though so maybe I'm missing where I can do that
Both Shape and Okta have SDKs that are opaque to us.
Okta has a standard SDK where we ask for something at a high level, and the requests are carried out behind the scenes.
Shape has an SDK where it wants to be given the low-level request object prior to it being sent, and be handed the response for further processing after it has been received.
In order to integrate Okta with Shape, we need to grant Shape access to the requests and responses that Okta is generating.
Approach
We ask for two new callbacks to be added to the Okta SDK.
Example from iOS issues - (Android example TBD):
protocol OktaHttpDelegate {
    /// Called after request creation, just before send.
    func willSend(request: NSMutableURLRequest)
    /// Called after response received, just after receipt.
    func didReceive(response: HTTPURLResponse)
}
Will be repeating this issue for the Android OIDC library and similar approach on the equivalent iOS SDKs
Transitive dependency on library bcprov-jdk18on:1.75 via library okta-sdk-impl has security vulnerability (CVE-2024-29857, CVE-2024-30171, CVE-2024-30172) in National Vulnerability Database
Please update to version 1.78.1
Security vulnerability that poses risk to clients
Check dependency tree
2.0.11
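The "check dependency tree" step in the report above can be scripted. This is an added example, not code from the issue or from the Okta SDK: it parses the text output of `gradle dependencies` and returns every path on which `bcprov-jdk18on` resolves below the 1.78.1 the report asks for. The tree text is constructed for illustration, `X.Y.Z` is a placeholder for the okta-sdk-impl version, and the function and constant names are assumptions.

```python
import re

# Module flagged in the report and the version it asks to move to.
TARGET = "org.bouncycastle:bcprov-jdk18on"
MINIMUM = "1.78.1"

# Constructed sample of `gradle dependencies` output (not captured from a real build).
# X.Y.Z is a placeholder: the report does not state the okta-sdk-impl version.
SAMPLE_TREE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.okta.authn.sdk:okta-authn-sdk-api:2.0.11
\--- com.okta.authn.sdk:okta-authn-sdk-impl:2.0.11
     \--- com.okta.sdk:okta-sdk-impl:X.Y.Z
          \--- org.bouncycastle:bcprov-jdk18on:1.75
"""

# Constructed sample of the same tree once a constraint or override is in place:
# Gradle prints "declared -> resolved" when the resolved version differs.
PINNED_TREE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.okta.authn.sdk:okta-authn-sdk-api:2.0.11
\--- com.okta.authn.sdk:okta-authn-sdk-impl:2.0.11
     \--- com.okta.sdk:okta-sdk-impl:X.Y.Z
          \--- org.bouncycastle:bcprov-jdk18on:1.75 -> 1.78.1
"""

# One tree node: N five-character indent cells ("|    " or "     "),
# a "+--- " or "\--- " marker, the coordinate, and an optional "-> resolved".
NODE = re.compile(
    r"^(?P<indent>(?:[| ] {4})*)[+\\]--- (?P<coord>\S+)(?: -> (?P<resolved>\S+))?"
)


def version_key(version):
    """Turn '1.78.1' into (1, 78, 1) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_outdated(tree_text, artifact=TARGET, minimum=MINIMUM):
    """Return one finding per occurrence of `artifact` resolving below `minimum`.

    Each finding records the declared version, the effective (resolved)
    version, and the chain of modules that pulls the artifact in.
    """
    findings = []
    path = []  # modules from the root down to the current node
    for line in tree_text.splitlines():
        match = NODE.match(line)
        if not match:
            continue  # configuration headers, blank lines, legends
        depth = len(match.group("indent")) // 5
        parts = match.group("coord").split(":")
        module = ":".join(parts[:2])
        declared = parts[2] if len(parts) > 2 else None
        # The version actually on the classpath is the resolved one, if shown.
        effective = match.group("resolved") or declared
        del path[depth:]
        path.append(module)
        if module != artifact or effective is None:
            continue
        if version_key(effective) < version_key(minimum):
            findings.append(
                {"declared": declared, "effective": effective, "via": path[:-1]}
            )
    return findings


if __name__ == "__main__":
    for finding in find_outdated(SAMPLE_TREE):
        chain = " -> ".join(finding["via"] + [TARGET])
        print(f"{TARGET} resolves to {finding['effective']} (< {MINIMUM}) via {chain}")
```

The comparison uses the resolved version, so a tree where a constraint has already raised `bcprov-jdk18on` reports nothing even though 1.75 is still the declared version.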
Here are my deps in gradle
implementation 'com.okta.authn.sdk:okta-authn-sdk-api:1.0.0'
runtimeOnly 'com.okta.authn.sdk:okta-authn-sdk-impl:1.0.0'
runtimeOnly 'com.okta.sdk:okta-sdk-okhttp:1.5.2'
and my code
val mOktaAuth = AuthenticationClients.builder().setOrgUrl("https://app-api.okta.com").build()
mOktaAuth.authenticate(emailText.text.toString(), passwordText.text.toString().toCharArray(), "/application/specific", x)
x being my AuthenticationStateHandlerAdapter
and the error I get every time is
`com.okta.sdk.impl.http.RestException: Unable to execute HTTP request: null`