
Okta not remembering the device, causing infinite loop #714

Closed
resnikb opened this issue Aug 10, 2021 · 3 comments · Fixed by #773
Comments

resnikb commented Aug 10, 2021

Hi,
I use Okta with Okta push. When I have sessions enabled, the first call goes through the whole workflow and saves the session cookie. However, the next call causes saml2aws to hang in an infinite loop. Using the --verbose parameter shows that it is continuously cycling through authWithSession -> follow -> Authenticate -> authWithSession ...

I debugged the application, and the main issue seems to be that the call to verifyMfa passes rememberDevice property only in the body of the request - however, according to Okta documentation, this should be a query parameter. The existing code works when the verification link in the Okta response contains rememberDevice parameter. However, this was not always the case for me (I'm not sure why).

I have verified this by modifying the oktaVerify code getMfaChallengeContext method to do

    // Append rememberDevice as a query parameter when the Okta verification link
    // does not already carry it (requires "strconv" and "strings" imports).
    if !strings.Contains(oktaVerify, "rememberDevice") {
        separator := "?"
        if strings.Contains(oktaVerify, "?") {
            separator = "&"
        }
        oktaVerify = oktaVerify + separator + "rememberDevice=" + strconv.FormatBool(oc.rememberDevice)
    }

After this change, the device is remembered and the infinite loop doesn't happen.

I'm happy to submit a PR with the above change - but please be warned that I'm a complete Go newbie.

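Building the same link with net/url rather than string concatenation, as an added example that is not part of the issue or of saml2aws; the `withRememberDevice` function name and the sample links are assumptions, and the sample links are constructed:

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

// withRememberDevice returns verifyURL with the rememberDevice query
// parameter set to the given value. Using net/url means an existing query
// string or an already present rememberDevice value is handled correctly
// instead of being guessed from a substring check. The function name is
// an assumption; it is not part of saml2aws.
func withRememberDevice(verifyURL string, remember bool) (string, error) {
	u, err := url.Parse(verifyURL)
	if err != nil {
		return "", fmt.Errorf("parsing verify URL: %w", err)
	}
	q := u.Query()
	// Only add the parameter when the Okta response did not already include
	// it, matching the behaviour described in the issue.
	if _, present := q["rememberDevice"]; !present {
		q.Set("rememberDevice", strconv.FormatBool(remember))
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample links, not real Okta endpoints or factor IDs.
	for _, link := range []string{
		"https://example.okta.com/api/v1/authn/factors/fid123/verify",
		"https://example.okta.com/api/v1/authn/factors/fid123/verify?foo=bar",
		"https://example.okta.com/api/v1/authn/factors/fid123/verify?rememberDevice=false",
	} {
		out, err := withRememberDevice(link, true)
		if err != nil {
			panic(err)
		}
		fmt.Println(out)
	}
}
```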
resnikb (Author) commented Aug 12, 2021

On further experimentation, there is another issue - but this one happens when the Okta push needs to be activated again (after 24h in my case). When that happens, the code path in the follow method which checks which response was received, falls into the else branch and initiates another call to loginDetails.URL - however, this time it does it as a new request and does not preserve any existing cookies - in particular, the Okta session cookie is not used.

The response received here explicitly clears the session cookie in the cookie jar, which then causes an infinite loop again.
If the session cookie is preserved in this call, then it is passed on as part of primary authentication, and I receive Okta push - and saml2aws works fine from there.

In my workaround, I just replaced the call to http.NewRequest with in-place modification of req - but I don't know if that is the right thing to do:

    // Reuse the existing request instead of building a new one with http.NewRequest,
    // so the session cookie already in the jar is sent along.
    req.URL, err = url.Parse(loginDetails.URL)
    if err != nil {
        return "", errors.Wrap(err, "error building app request")
    }
    req.Method = "GET"
    req.Body = nil

cwalkatron commented

I'm not sure if it's the same bug, but I have Okta+Duo, and if Duo is part of the flow but not required because of Okta policy, it looks like saml2aws gets in a loop here as well.

wolfeidau (Contributor) commented

Yeah, I have also run into this now. @resnikb great work debugging it; I will try your fix and see how it works.

tommywo added a commit to stepstone-tech/saml2aws that referenced this issue Oct 23, 2021
@mapkon mapkon linked a pull request Mar 13, 2023 that will close this issue