
Users with unauthorized sessions receive cryptic error when retrieving keys #111

Open
punmechanic opened this issue Jul 11, 2024 · 1 comment

Comments

@punmechanic (Member)

Description

A user who attempts to retrieve session keys using keyconjurer get may receive the error:

Error: failed to fetch SAML assertion

Reproduction steps

  1. Have a user log into KeyConjurer.
  2. Entitle the user to a new AWS application.
  3. Have the user run keyconjurer accounts.
  4. Have the user run keyconjurer get [account name of new application].

Okta may reject a request to exchange tokens using the token exchange flow. If it does, the error is silently dropped, and the code continues, ultimately submitting an empty OAuth2 token to the SAML assertion endpoint, which results in the above error.

Resolution

Return an ErrUnauthorized error to the end user if this occurs during the token exchange endpoint. It's not clear if the response code from Okta is HTTP 500, HTTP 403 or simply a non-200 HTTP response code; standards indicate that the response code should be HTTP 400. We will simply treat any non-200 status code as an unauthorized error.

punmechanic added a commit to punmechanic/Key-conjurer that referenced this issue Jul 11, 2024
punmechanic added a commit to punmechanic/Key-conjurer that referenced this issue Jul 11, 2024
@MKokeshi

MKokeshi commented Aug 8, 2024

Problem:

Users may encounter the following error when retrieving session keys using KeyConjurer:

Error: failed to fetch SAML assertion

This error arises because:

  • Okta might reject the token exchange request.
  • The error is not properly handled, leading to an empty OAuth2 token being submitted, which then fails during the SAML assertion process.

Reproduction Steps:

  1. Log into KeyConjurer.
  2. Entitle the user to a new AWS application.
  3. Run keyconjurer accounts.
  4. Run keyconjurer get [account name of new application].

Resolution:

  1. Error Handling in Token Exchange Endpoint:

    • Return an ErrUnauthorized error if a failure occurs during the token exchange process.
    • Treat any non-200 HTTP response code from Okta (e.g., HTTP 500, HTTP 403) as an authorization error.
  2. Implementation:

    • Check the HTTP status code from Okta.
    • If the status code is not 200, respond with an ErrUnauthorized error.
    • Ensure proper error handling to avoid empty OAuth2 tokens being used.

This approach ensures that users receive clear and actionable error messages when the token exchange fails.
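Both the issue description and the comment above arrive at the same fix: treat any non-200 answer from the token endpoint as ErrUnauthorized, and make sure an empty access token can never be carried forward to the SAML assertion request. The Go program below is an added example written for this page, not KeyConjurer's own code. The function names (exchangeToken, newFakeTokenEndpoint), the RFC 8693 token exchange form parameters, and the httptest server standing in for Okta are assumptions; the token values and JSON bodies are constructed for the demonstration.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrUnauthorized is surfaced to the end user whenever the identity provider
// refuses the token exchange. Callers can detect it with errors.Is.
var ErrUnauthorized = errors.New("unauthorized: the identity provider rejected the token exchange")

// tokenResponse holds the fields of a token endpoint response that matter here.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
}

// exchangeToken performs an OAuth 2.0 token exchange (RFC 8693 style form, an
// assumption for this example) against tokenURL. Any non-200 status is reported
// as ErrUnauthorized, and a 200 response without an access_token is treated
// the same way, so an empty token never reaches the next step of the flow.
func exchangeToken(ctx context.Context, client *http.Client, tokenURL, subjectToken, audience string) (string, error) {
	form := url.Values{
		"grant_type":         {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"subject_token":      {subjectToken},
		"subject_token_type": {"urn:ietf:params:oauth:token-type:access_token"},
		"audience":           {audience},
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	resp, err := client.Do(req)
	if err != nil {
		return "", fmt.Errorf("token exchange request failed: %w", err)
	}
	defer resp.Body.Close()
	// Cap the body we are willing to read so a misbehaving endpoint cannot exhaust memory.
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", fmt.Errorf("reading token exchange response: %w", err)
	}

	if resp.StatusCode != http.StatusOK {
		// Do not swallow the failure: keep the status code for diagnostics but
		// report it to the user as an authorization problem.
		return "", fmt.Errorf("%w (token endpoint returned HTTP %d)", ErrUnauthorized, resp.StatusCode)
	}
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return "", fmt.Errorf("decoding token exchange response: %w", err)
	}
	if tr.AccessToken == "" {
		return "", fmt.Errorf("%w (token endpoint returned HTTP 200 without an access_token)", ErrUnauthorized)
	}
	return tr.AccessToken, nil
}

// newFakeTokenEndpoint is a constructed stand-in for Okta's token endpoint that
// always answers with the given status and JSON body.
func newFakeTokenEndpoint(status int, body string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		io.WriteString(w, body)
	}))
}

func main() {
	ctx := context.Background()
	cases := []struct {
		status int
		body   string
	}{
		{http.StatusBadRequest, `{"error":"invalid_grant"}`},                             // constructed rejection
		{http.StatusOK, `{"access_token":"constructed-token","token_type":"Bearer"}`}, // constructed success
	}
	for _, tc := range cases {
		srv := newFakeTokenEndpoint(tc.status, tc.body)
		tok, err := exchangeToken(ctx, srv.Client(), srv.URL, "constructed-subject-token", "constructed-audience")
		srv.Close()
		switch {
		case errors.Is(err, ErrUnauthorized):
			fmt.Println("reported to user:", err)
		case err != nil:
			fmt.Println("other error:", err)
		default:
			fmt.Println("exchange succeeded, token length", len(tok))
		}
	}
}
```

Wrapping ErrUnauthorized with %w keeps the HTTP status in the message for troubleshooting while letting the CLI layer match the sentinel and print one consistent message instead of the downstream "failed to fetch SAML assertion".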
