Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecated Okta auth method config keys no longer seem to function #5409

Closed
arusso opened this issue Sep 27, 2018 · 0 comments
Closed

Deprecated Okta auth method config keys no longer seem to function #5409

arusso opened this issue Sep 27, 2018 · 0 comments

Comments

@arusso
Copy link

arusso commented Sep 27, 2018

Describe the bug
When configuring okta auth backend using using the token key to store the api token, as described in the web documentation[1], the backend is not successfully configured.

Reviewing the path-help output[2] for the config path, it seems the token parameter has been deprecated which suggests it should still work even if it's deprecated. Using the api_token value instead along with updating the remaining keys (ie. organization -> org_name) resolves the issue.

To Reproduce
Steps to reproduce the behavior:

  1. Run vault write auth/okta/config base_url=<baseurl> org_name=<org> token=<token>
  2. Run vault login -method=okta username=arusso
  3. See error message saying invalid token:
 vault login -method=okta username=arusso
Password (will be hidden):
Error authenticating: Error making API request.

URL: PUT https://vault.example.com:8200/v1/auth/okta/login/arusso
Code: 400. Errors:

* okta failure retrieving groups: HTTP Method: GET - URL: https://<org_name>.<base_url>/api/v1/users/SANITIZED/groups: - HTTP Status Code: 401, OKTA Error Code: E0000011, OKTA Error Summary: Invalid token provided, OKTA Error Causes:
[]

Expected behavior
Token should have been properly stored with a deprecation warning against the use of an old key or documentation should be updated accordingly.

Environment:

  • Vault Server Version (retrieve with vault status): 0.11.0
  • Vault CLI Version (retrieve with vault version): Vault v0.11.0 ('87492f9258e0227f3717e3883c6a8be5716bf564')
  • Server Operating System/Architecture: NA

Vault server configuration file(s): Doesn't appear relevant

Additional context
[1] Web Documentation: https://www.vaultproject.io/docs/auth/okta.html
[2] vault path-help auth/okta/config selected output:

...
## PARAMETERS

    api_token (string)
        Okta API key.

    base_url (string)
        The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.

    bypass_okta_mfa (bool)
        When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.

    max_ttl (duration (sec))
        Maximum duration after which authentication will be expired

    org_name (string)
        Name of the organization to be used in the Okta API.

    organization (string)
        (DEPRECATED) Okta organization to authenticate against. Use org_name instead.

    production (bool)
        (DEPRECATED) Use base_url.

    token (string)
        (DEPRECATED) Okta admin API token.  Use api_token instead.

    ttl (duration (sec))
        Duration after which authentication will be expired
...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@arusso