mjg59,
@mjg59@nondeterministic.computer avatar

I am, once again, attempting to figure out how the fuck Okta's API actually works

RogerBW,
@RogerBW@emacs.ch avatar

@mjg59

  1. You give them money.
  2. You can log into your machines.
  3. Maybe other people can't? Still working on this.
kfh,
@kfh@chaos.social avatar

@mjg59 hah, the Okta API implementation I'm working on right now seems trivial to MFA enrollment

mjg59,
@mjg59@nondeterministic.computer avatar

@kfh I've already figured out how Fastpass works, this should be trivial in comparison but

ljrk,
@ljrk@todon.eu avatar

@mjg59 Wait, it works?

mjg59,
@mjg59@nondeterministic.computer avatar

@ljrk I mean it's possible to enroll MFA tokens so I guess?

ljrk,
@ljrk@todon.eu avatar

@mjg59 Maybe I've been burnt by Okta too many times in other contexts :'-)

mjg59,
@mjg59@nondeterministic.computer avatar

Enrolling MFA tokens in Firefox while staring at the network debug console and cutting and pasting into curl trying to figure out what the fuck magic is actually happening here

mjg59,
@mjg59@nondeterministic.computer avatar

Begging IdP vendors to actually make it possible to script doing everything that a user can do because I do not want to rely on an API token for this

plambrechtsen,
@plambrechtsen@mastodon.nz avatar

@mjg59 proxy the shizzle via postman or jmeter as Okta is a pain in the ass to grab the session token.
The nightmare continues.

mjg59,
@mjg59@nondeterministic.computer avatar

@plambrechtsen I've already got the session token but the documented APIs want an API token (no) and the web flow uses undocumented Identity Engine endpoints

plambrechtsen,
@plambrechtsen@mastodon.nz avatar

@mjg59 had a look through the Okta postman collection?? Looks like that has everything. https://developer.okta.com/docs/reference/rest/

mjg59,
@mjg59@nondeterministic.computer avatar

@plambrechtsen Direct experience is that a lot of it doesn't work with normally scoped OIDC tokens, it's more aimed at different flows

plambrechtsen,
@plambrechtsen@mastodon.nz avatar

@mjg59 it’s been a few years since I have had to play with the Okta API and I have blacked it out for good reason.
But messing around in postman is how I always got it working first.
You can do an OIDC auth flow using postman and opening an external browser and then the back channel token exchange with the code. Assuming you're doing an authorisation code flow.
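
The two legs plambrechtsen describes (browser-side authorization request, then a back-channel exchange of the returned code) as an added, runnable sketch; this is not code from the thread or from Okta. It assumes the placeholder issuer and client id shown, a loopback redirect URI, and Okta's documented org authorization server paths `/oauth2/v1/authorize` and `/oauth2/v1/token`. It adds the two checks a client should not skip: a `state` value verified on the callback and a PKCE verifier/challenge pair so an intercepted code cannot be redeemed without the verifier.

```python
"""OIDC authorization-code flow with PKCE: build the browser URL, validate the
callback, and assemble the back-channel token request.

Added example, not Okta's or the poster's code. ISSUER, CLIENT_ID and
REDIRECT_URI are placeholders; the endpoint paths are Okta's documented
org-server paths and are an assumption of this sketch."""
import base64
import hashlib
import secrets
from typing import Optional, Tuple, Dict
from urllib.parse import urlencode, urlparse, parse_qs

ISSUER = "https://example-tenant.okta.example"   # placeholder tenant, not real
CLIENT_ID = "0oa_placeholder_client_id"          # placeholder client id
REDIRECT_URI = "http://localhost:8080/callback"  # assumed loopback redirect


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method.

    A fresh 32-byte random verifier is generated unless one is supplied
    (supplying one is only useful for testing against known vectors)."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(state: str, code_challenge: str,
                            scope: str = "openid profile") -> str:
    """Front-channel leg: the URL the user opens in an external browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                       # bound to this session, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/oauth2/v1/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the client.

    Rejects a missing or mismatched state (CSRF / mixed-up session) and
    surfaces an error response instead of treating it as success."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(code: str, code_verifier: str) -> Tuple[str, Dict[str, str]]:
    """Back-channel leg: the form body to POST to the token endpoint.

    The verifier proves this client started the flow; the server hashes it
    and compares against the code_challenge it stored with the code."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }
    return f"{ISSUER}/oauth2/v1/token", body


if __name__ == "__main__":
    # Walk the flow with a constructed callback URL standing in for the browser.
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    print("open in browser:", build_authorization_url(state, challenge))
    fake_callback = f"{REDIRECT_URI}?code=constructed_code&state={state}"
    code = parse_callback(fake_callback, state)
    url, body = build_token_request(code, verifier)
    print("POST", url, body)
```

The token POST itself is left to whatever HTTP client you use; the point is that `code_verifier` and `state` are generated per attempt and never reused, and that a callback carrying the wrong `state` is dropped rather than exchanged.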

mjg59,
@mjg59@nondeterministic.computer avatar

@plambrechtsen I literally can't open an external browser because of how Apple handles hardware backed key ownership
