v1.1.6

Published: Jul 13, 2022 License: MIT Imports: 13 Imported by: 0



Client for making requests to Okta APIs



const (
	Timeout = time.Duration(60 * time.Second)

	StatusPasswordExpired = "PASSWORD_EXPIRED"
	StatusMFARequired     = "MFA_REQUIRED"
)
const (
	// OktaServerUs is the United States region Okta domain
	OktaServerUs = ""

	// OktaServerEmea is the Europe, Middle East and Africa region Okta domain
	OktaServerEmea = ""

	// OktaServerPreview is the preview domain for testing future Okta releases
	OktaServerPreview = ""
)




func GetOktaDomain

func GetOktaDomain(region string) (string, error)

GetOktaDomain looks up the Okta domain based on the region. For example, the Okta domain for "us" is ``, making your API domain `<your-org>`.


type MFAInputs

type MFAInputs interface {
	ChooseFactor(factors []mfa.Config) (int, error)
	CodeSupplier(factor mfa.Config) (string, error)
}

type OktaClient

type OktaClient struct {
	DuoClient *lib.DuoClient
	BaseURL   *url.URL
	// contains filtered or unexported fields
}

func NewOktaClient

func NewOktaClient(
	creds OktaCredential,
	sessions SessionCache,
	selector MFAInputs,
	opts *OktaClientOptions) (*OktaClient, error)

Creates and initializes an OktaClient. This is intended to provide a simple way to create a client that can make requests to the Okta APIs.

As an example of how a client might be used: the client can be passed to a provider that manages auth for other platforms. Currently an AWS SAML provider is supported, which exchanges the Okta session for STS credentials that grant access to AWS services.

Supported configuration options:

TODO: expand on configuration options and add tests.

-- proxy config: TBD
-- session caching: passing in a keyring will enable support for caching. This will cache a valid Okta session securely in the keyring. This session is only for access to the Okta APIs; any additional sessions (for example, AWS STS credentials) will be cached by the provider that creates them.

func (*OktaClient) AuthenticateUser

func (o *OktaClient) AuthenticateUser() (err error)

Will authenticate a user and create a new session. Depending on how the Okta domain is configured, MFA may be requested. The authentication flow supports several different MFA types, including:

SMS: Okta will send an SMS to the user that includes a code that needs to be sent back as the verify step.
PUSH: either Okta Verify or Duo are supported.
U2F: a U2F hardware token, e.g. a YubiKey.

TODO: document full list of MFA supported and create tests

More details about the auth flow implemented by this client can be found in Okta documentation:

func (*OktaClient) ClearMFADevices

func (o *OktaClient) ClearMFADevices()

ClearMFADevices will remove all MFA device implementations. This will break MFA verification unless new devices are added after this call.

func (*OktaClient) GetSessionToken

func (o *OktaClient) GetSessionToken() string

Public interface to get the Okta session token.

func (*OktaClient) GetURL

func (o *OktaClient) GetURL(path string) (fullURL *url.URL, err error)

Helper function to get a URL, including path, for an Okta API or app.

func (*OktaClient) RegisterMFADeviceType

func (o *OktaClient) RegisterMFADeviceType(device mfa.Device)

RegisterMFADeviceType will add an implementation of mfa.Device that can be used during authentication.

func (*OktaClient) Request

func (o *OktaClient) Request(method string, path string, queryParams url.Values, data []byte, format string, followRedirects bool) (res *http.Response, err error)

Makes a request to Okta.

Supports core Okta APIs or Okta apps that extend the Okta functionality.

Options:
-- method: the HTTP method to use.
-- path: the URL path to use.
-- queryParams: the query parameters to use in the request.
-- data: the data that will be sent as part of the request body.
-- format: used to set the encoding format header.
-- followRedirects: changes the HTTP client configuration to follow redirects or not.

TODO: refactor this method signature to clarify the interface. Something like:
-- method
-- url.URL (including RawParams)
-- requestBody
-- clientOptions: this would include things like encoding and follow redirects.

func (*OktaClient) ValidateSession

func (o *OktaClient) ValidateSession() error

Sends a request to the Okta Sessions API to check whether the session cookie is valid. This doesn't always mean that the session can be used for all Okta applications, but it does accurately fetch the state of the session.

type OktaClientOptions

type OktaClientOptions struct {
	// user supplied http client. If passed in this will replace the default
	HTTPClient *http.Client
	// http client timeout. default 60s
	HTTPClientTimeout *time.Duration
}

type OktaCredential

type OktaCredential struct {
	Username string
	Password string
	Domain   string
	MFA      mfa.Config
}

OktaCredential stores the Okta credentials and domain information that OktaClient uses when making API calls to Okta.

func (*OktaCredential) Validate

func (c *OktaCredential) Validate() error

Checks the validity of OktaCredential and should be called before using the credentials to make API calls.

This public method will only validate that credentials exist; it will NOT validate them for correctness. To validate correctness, an OktaClient must be used to make a request to Okta.

type SessionCache

type SessionCache interface {
	Get(key string) ([]byte, error)
	Put(key string, data []byte, label string) error
}

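NewOktaClient takes a SessionCache and an MFAInputs from the caller, and the page only gives their signatures. The following is an added example, not code from this package, showing one implementation of each: an in-memory SessionCache that hands out copies of cached data, and a non-interactive MFAInputs that prefers the phishing-resistant factor. The mfaConfig struct is a stand-in for the package's mfa.Config with an assumed FactorType field; the real types are needed to satisfy the interfaces at compile time.

```go
package main

import "errors"

// Stand-in for the client's mfa.Config (field name assumed; the real type is in the mfa package).
type mfaConfig struct{ FactorType string } // e.g. "u2f", "push", "sms", "token:software:totp"

// memCache satisfies the SessionCache interface in process memory. For real use back it
// with an OS keyring so the cached Okta session never lands on disk in clear text.
type memCache struct{ items map[string][]byte }

func newMemCache() *memCache { return &memCache{items: map[string][]byte{}} }

func (c *memCache) Get(key string) ([]byte, error) {
	if v, ok := c.items[key]; ok {
		return append([]byte(nil), v...), nil // hand out a copy; callers must not mutate the cache
	}
	return nil, errors.New("no cached session for " + key)
}

func (c *memCache) Put(key string, data []byte, _ string) error {
	c.items[key] = append([]byte(nil), data...) // label is unused here; a keyring shows it to the user
	return nil
}

// preferStrong satisfies MFAInputs without prompting: it picks the first enrolled
// factor in a fixed preference order, phishing-resistant u2f first, sms last.
type preferStrong struct{ order []string }

func (p preferStrong) ChooseFactor(factors []mfaConfig) (int, error) {
	for _, want := range p.order {
		for i, f := range factors {
			if f.FactorType == want {
				return i, nil
			}
		}
	}
	return -1, errors.New("no acceptable MFA factor enrolled")
}

// push and u2f complete out of band, so no code is typed; sms/totp would prompt the user.
func (p preferStrong) CodeSupplier(f mfaConfig) (string, error) {
	if f.FactorType == "push" || f.FactorType == "u2f" {
		return "", nil
	}
	return "", errors.New("code entry not wired for " + f.FactorType)
}

func main() { _ = newMemCache() } // both types are meant to be passed to NewOktaClient
```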
