OIE authorization code flow implementation with forced classic authen…

…tication.

Chained Oktas that are a mix of OIE and classic has issues, SAML2 does not return an idx cookies.

.gitignore

@@ -91,7 +91,7 @@ venv/
 ENV/
 env.bak/
 venv.bak/
-.vscode
+.vscode/
 
 # Spyder project settings
 .spyderproject

tokendito/__init__.py

@@ -1,7 +1,8 @@
 # vim: set filetype=python ts=4 sw=4
 # -*- coding: utf-8 -*-
 """Tokendito module initialization."""
-__version__ = "2.1.3"
+
+__version__ = "2.3.0"
 __title__ = "tokendito"
 __description__ = "Get AWS STS tokens from Okta SSO"
 __long_description_content_type__ = "text/markdown"

tokendito/__main__.py

@@ -12,10 +12,10 @@ def main(args=None):  # needed for console script
 
         path = os.path.dirname(os.path.dirname(__file__))
         sys.path[0:0] = [path]
-    from tokendito.tool import cli
+    from tokendito.user import cmd_interface
 
     try:
-        return cli(args)
+        return cmd_interface(args)
     except KeyboardInterrupt:
         print("\nInterrupted")
         sys.exit(1)

tokendito/aws.py

@@ -47,18 +47,14 @@ def get_output_types():
     return ["json", "text", "csv", "yaml", "yaml-stream"]
 
 
-def authenticate_to_roles(urls, cookies=None):
+def authenticate_to_roles(config, urls, cookies):
     """Authenticate AWS user with saml.
 
     :param urls: list of tuples or tuple, with tiles info
     :param cookies: html cookies
-    :param user_agent: optional user agent string
     :return: response text
 
     """
-    if cookies:
-        HTTP_client.set_cookies(cookies)  # Set cookies if provided
-
     url_list = [urls] if isinstance(urls, tuple) else urls
     responses = []
     tile_count = len(url_list)
@@ -67,6 +63,10 @@ def authenticate_to_roles(urls, cookies=None):
     logger.info(f"Discovering roles in {tile_count} tile{plural}.")
     for url, label in url_list:
         response = HTTP_client.get(url)  # Use the HTTPClient's get method
+        session_url = config.okta["org"] + "/login/sessionCookieRedirect"
+        params = {"token": cookies.get("sessionToken"), "redirectUrl": url}
+        response = HTTP_client.get(session_url, params=params)
+
         saml_response_string = response.text
 
         saml_xml = okta.extract_saml_response(saml_response_string)

tokendito/config.py

@@ -45,6 +45,7 @@ class Config(object):
             password="",
             mfa=None,
             mfa_response=None,
+            client_id=None,
             tile=None,
             org=None,
         ),

tokendito/http_client.py

@@ -25,13 +25,16 @@ def set_cookies(self, cookies):
         """Update session with additional cookies."""
         self.session.cookies.update(cookies)
 
-    def get(self, url, params=None, headers=None):
+    def get(self, url, params=None, headers=None, allow_redirects=True):
         """Perform a GET request."""
         response = None
         try:
+            logger.debug(f"GET to {url}")
             logger.debug(f"Sending cookies: {self.session.cookies}")
             logger.debug(f"Sending headers: {self.session.headers}")
-            response = self.session.get(url, params=params, headers=headers)
+            response = self.session.get(
+                url, params=params, headers=headers, allow_redirects=allow_redirects
+            )
             response.raise_for_status()
             logger.debug(f"Received response from {url}: {response.text}")
             return response
@@ -50,6 +53,7 @@ def get(self, url, params=None, headers=None):
 
     def post(self, url, data=None, json=None, headers=None, return_json=False):
         """Perform a POST request."""
+        logger.debug(f"POST to {url}")
         try:
             response = self.session.post(url, data=data, json=json, headers=headers)
             response.raise_for_status()