import botocore.vendored.requests as requests #As long as we're in AWS Lambda, this trick works for accessing requests
import json,datetime
def lambda_handler(event, context):
    """AWS Lambda entry point: unpack the invocation event and delegate.

    Reads ``event['args']['oktadomain']``, ``event['username']``,
    ``event['password']`` and ``event['useragent']`` and passes them, in
    that order, to ``okta_authenticate``. ``context`` is not used. A
    missing key propagates as ``KeyError``. Returns the dict produced by
    ``okta_authenticate`` unchanged.
    """
    args = event['args']
    return okta_authenticate(
        args['oktadomain'],
        event['username'],
        event['password'],
        event['useragent'],
    )
def okta_authenticate(domain, username, password, useragent):
    """Submit one username/password pair to Okta's primary-auth endpoint and report the outcome.

    Args:
        domain: Okta tenant host, interpolated into ``https://<domain>/api/v1/authn/``.
        username: Login name sent in the JSON request body.
        password: Password sent in the JSON request body.
        useragent: Value sent as the ``User-Agent`` request header.

    Returns:
        A dict describing the attempt. ``success`` is True for the Okta
        statuses ``SUCCESS``, ``MFA_REQUIRED`` and ``PASSWORD_EXPIRED``;
        ``2fa_enabled`` and ``change`` mark the latter two. On ``LOCKED_OUT``
        it carries ``error='locked out'`` and ``action='redirect'``. Any other
        status, or a non-200 HTTP response, leaves ``success`` False.
        The dict echoes ``username`` and ``password`` verbatim, so whatever
        logs or stores the return value retains the plaintext credential.
        ``type``, ``name``, ``headers`` and ``cookies`` are initialised but
        never assigned in this function.

    Raises:
        Nothing directly: every exception from the HTTP call or response
        parsing is caught and stored in ``data_response['error']`` as the
        exception object itself (not a string), which ``json.dumps`` cannot
        serialise.
    """
    # Naive UTC timestamp; datetime.utcnow() is deprecated from Python 3.12.
    ts = datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')
    data_response = {
        'timestamp': ts,
        'username': username,
        'password': password,  # plaintext credential travels back to the caller
        'success': False,
        'change': False,
        '2fa_enabled': False,
        'type': None,  # never set below
        'code': None,  # first enrolled factor type when status is MFA_REQUIRED
        'name': None,  # never set below
        'action': None,  # 'redirect' on LOCKED_OUT
        'headers': [],  # never populated below
        'cookies': [],  # never populated below
    }
    payload = {"username":username, "password":password, "options":{"warnBeforePasswordExpired":True, "multiOptionalFactorEnroll":True}}
    url = "https://%s/api/v1/authn/" % domain
    try:
        # No ``timeout`` is passed: a stalled connection blocks until the
        # surrounding Lambda invocation is killed.
        resp = requests.post(url,data=json.dumps(payload),headers={'Content-Type':'application/json', 'User-Agent':useragent})
        if resp.status_code == 200:
            resp_json = json.loads(resp.text)
            if resp_json.get("status") == "LOCKED_OUT": #Warning: administrators can configure Okta to not indicate that an account is locked out. Fair warning ;)
                data_response['success'] = False
                data_response['error'] ='locked out'
                data_response['action'] = 'redirect'
            elif resp_json.get("status") == "SUCCESS":
                data_response['success'] = True
            elif resp_json.get("status") == "MFA_REQUIRED":
                data_response['2fa_enabled'] = True
                data_response['success'] = True
                try:
                    data_response['code'] = resp_json['_embedded']['factors'][0]['factorType']
                except:
                    # Bare except: a missing key, empty factor list or
                    # non-dict element all yield "Unknown"; it also swallows
                    # BaseException subclasses such as KeyboardInterrupt.
                    data_response['code'] = "Unknown"
            elif resp_json.get("status") == "PASSWORD_EXPIRED":
                data_response['change'] = True
                data_response['success'] = True
            else:
                # Any other status value (or no status key) is treated as a failure.
                data_response['success'] = False
        else:
            # Non-200 responses are not parsed; the status code is discarded.
            data_response['success'] = False
    except Exception as ex:
        # Stores the exception object, not str(ex); the ``pass`` is redundant.
        data_response['error'] = ex
        pass
    return data_response