Documentation
Overview
Client for making requests to Okta APIs
Index
- Constants
- func GetOktaDomain(region string) (string, error)
- type MFAInputs
- type OktaClient
- func (o *OktaClient) AuthenticateUser() (err error)
- func (o *OktaClient) ClearMFADevices()
- func (o *OktaClient) GetSessionToken() string
- func (o *OktaClient) GetURL(path string) (fullURL *url.URL, err error)
- func (o *OktaClient) RegisterMFADeviceType(device mfa.Device)
- func (o *OktaClient) Request(method string, path string, queryParams url.Values, data []byte, format string, ...) (res *http.Response, err error)
- func (o *OktaClient) ValidateSession() error
- type OktaClientOptions
- type OktaCredential
- type SessionCache
Constants
const (
	Timeout               = time.Duration(60 * time.Second)
	StatusPasswordExpired = "PASSWORD_EXPIRED"
	StatusMFARequired     = "MFA_REQUIRED"
)
const (
	// OktaServerUs is the United States region Okta domain
	OktaServerUs = "okta.com"
	// OktaServerEmea is the Europe, Middle East and Africa region Okta domain
	OktaServerEmea = "okta-emea.com"
	// OktaServerPreview is the preview domain for testing future Okta releases
	OktaServerPreview = "oktapreview.com"
)
Variables
This section is empty.
Functions
func GetOktaDomain
func GetOktaDomain(region string) (string, error)
GetOktaDomain looks up the Okta domain based on the region. For example, the Okta domain for "us" is `okta.com`, which makes your API domain `<your-org>.okta.com`.
Types
type OktaClient
type OktaClient struct {
	DuoClient *lib.DuoClient
	BaseURL   *url.URL
	// contains filtered or unexported fields
}
func NewOktaClient
func NewOktaClient( creds OktaCredential, sessions SessionCache, selector MFAInputs, opts *OktaClientOptions) (*OktaClient, error)
Creates and initializes an OktaClient. This is intended to provide a simple way to create a client that can make requests to the Okta APIs.
As an example of how a client might be used: the client can be passed to a provider that manages auth for other platforms. Currently an AWS SAML provider is supported, which obtains STS credentials for access to AWS services.
Supported configuration options:
TODO: expand on configuration options and add tests.
-- proxy config: TBD
-- session caching: passing in a keyring enables support for caching. A valid Okta session is cached securely in the keyring. This session is only for access to the Okta APIs; any additional sessions (for example, AWS STS credentials) are cached by the provider that creates them.
func (*OktaClient) AuthenticateUser
func (o *OktaClient) AuthenticateUser() (err error)
Authenticates a user and creates a new session. Depending on how the Okta domain is configured, MFA may be requested. The authentication flow supports several different MFA types, including:
SMS: Okta sends an SMS to the user containing a code that must be sent back as the verify step.
PUSH: either Okta Verify or Duo is supported.
U2F: a U2F hardware token, e.g. a YubiKey.
TODO: document the full list of supported MFA types and create tests.
More details about the auth flow implemented by this client can be found in the Okta documentation: https://developer.okta.com/docs/reference/api/authn
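The flow described above, written out as an added Go example that is not this package's code: primary authentication against the Authn API, then the SMS factor's challenge-and-verify round trip when Okta answers MFA_REQUIRED, and a hard stop on PASSWORD_EXPIRED. The Poster type, the Authenticate function and the two endpoint paths are assumptions of this example taken from the Okta Authn API reference linked above, not exports of this package; the HTTP transport sits behind the Poster callback so the state machine can be exercised offline.

```go
package main

import "fmt"
// Authn API statuses the flow branches on; the first two are the page's constants.
const (
	StatusPasswordExpired = "PASSWORD_EXPIRED"
	StatusMFARequired     = "MFA_REQUIRED"
	StatusSuccess         = "SUCCESS"
)
// AuthnResponse is the subset of an Authn reply the flow reads; factors arrive only with MFA_REQUIRED.
type AuthnResponse struct {
	Status, StateToken, SessionToken string
	Embedded                         struct{ Factors []struct{ ID, FactorType string } `json:"factors"` } `json:"_embedded"`
}
// Poster posts one JSON body to an Authn API path and returns the decoded reply (an *http.Client wrapper in production).
type Poster func(path string, body map[string]string) (*AuthnResponse, error)
// Authenticate runs primary auth and, on MFA_REQUIRED, completes the SMS factor; code returns the code the user received (the MFAInputs role).
func Authenticate(post Poster, user, pass string, code func() string) (string, error) {
	r, err := post("/api/v1/authn", map[string]string{"username": user, "password": pass})
	if err != nil {
		return "", err
	}
	switch r.Status {
	case StatusSuccess:
		return r.SessionToken, nil
	case StatusPasswordExpired: // fail closed instead of retrying the same password
		return "", fmt.Errorf("password expired: rotate it before retrying")
	case StatusMFARequired:
		for _, f := range r.Embedded.Factors {
			if f.FactorType != "sms" {
				continue // skip factors this client has no input handler for
			}
			verify, st := "/api/v1/authn/factors/"+f.ID+"/verify", r.StateToken
			// A verify call carrying only the state token asks Okta to send the SMS.
			if _, err := post(verify, map[string]string{"stateToken": st}); err != nil {
				return "", err
			}
			v, err := post(verify, map[string]string{"stateToken": st, "passCode": code()})
			if err != nil {
				return "", err
			}
			if v.Status != StatusSuccess {
				return "", fmt.Errorf("MFA verify ended in status %q", v.Status)
			}
			return v.SessionToken, nil
		}
		return "", fmt.Errorf("no supported MFA factor enrolled")
	}
	return "", fmt.Errorf("unhandled authn status %q", r.Status)
}
```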
func (*OktaClient) ClearMFADevices
func (o *OktaClient) ClearMFADevices()
ClearMFADevices will remove all MFA device implementations. This will break MFA verification unless new devices are added after this call.
func (*OktaClient) GetSessionToken
func (o *OktaClient) GetSessionToken() string
Public interface to get the Okta session token.
func (*OktaClient) GetURL
func (o *OktaClient) GetURL(path string) (fullURL *url.URL, err error)
Helper function to get a URL, including path, for an Okta API or app.
func (*OktaClient) RegisterMFADeviceType
func (o *OktaClient) RegisterMFADeviceType(device mfa.Device)
RegisterMFADeviceType will add an implementation of mfa.Device that can be used during authentication.
func (*OktaClient) Request
func (o *OktaClient) Request(method string, path string, queryParams url.Values, data []byte, format string, followRedirects bool) (res *http.Response, err error)
Makes a request to Okta.
Supports core Okta APIs or Okta apps that extend the Okta functionality.
Options:
-- method: the HTTP method to use.
-- path: the URL path to use.
-- queryParams: the query parameters to use in the request.
-- data: the data that will be sent as the request body.
-- format: sets the encoding format header.
-- followRedirects: changes the HTTP client configuration to follow redirects or not.
TODO: refactor this method signature to clarify the interface. Something like:
-- method
-- url.URL (including RawParams)
-- requestBody
-- clientOptions: this would include things like encoding and follow redirects
func (*OktaClient) ValidateSession
func (o *OktaClient) ValidateSession() error
Sends a request to the Okta Sessions API to check whether the session cookie is valid. A valid session doesn't always mean it can be used for all Okta applications, but this call does accurately fetch the state of the session.
type OktaClientOptions
type OktaCredential
OktaCredential stores the Okta credentials and domain information that OktaClient uses when making API calls to Okta.
func (*OktaCredential) Validate
func (c *OktaCredential) Validate() error
Checks the validity of OktaCredential and should be called before using the credentials to make API calls.
This public method will only validate that credentials exist, it will NOT validate them for correctness. To validate correctness an OktaClient must be used to make a request to Okta.