Accessing okta protected URL from linux shell

bvandesteeg · March 16, 2022, 3:19pm

Hi all,

This has probably been asked 1000 times but I cannot find a good example of how to curl an okta protected URL.

I have the okta_authn_mfa.sh script and it works, showing me stateToken, sessionToken and sessionId.

Next step is the tricky one: using one of the Tokens and/or sessionId in a redirectURL. I tried something like this:

curl https://{okta-url}/login/sessionCookieRedirect?token={sessionToken from okta_authn_mfa.sh}&redirectUrl={redirect URL}
…but getting a “Bad request” back.

Can someone point me in the good direction? With example if possible

louie · March 17, 2022, 6:12pm

Are you receiving any additional information in the 400 Bad Request error?

bvandesteeg · March 18, 2022, 7:25am

Hi @louie and thanks for responding. This is the result the okta_auth shell script:

./okta_authn_mfa.sh -u bvandesteeg -o ************** Enter Password for bvandesteeg on https://************.okta-emea.com:

Doing primary authentication…
Congratulations! You got a stateToken: 00OhQ8*****************d0rIcWA_R6x. That’s used in a multi-step authentication flow, like MFA.

Sending Okta Verify push notification…
Polling for push approve…
Polling for push approve…
Congratulations! You got a sessionToken: 201113****************-2RyOpILL8yMW-_. That will be exchanged for a sessionId next.
Exchanging sessionToken for sessionId…
Congratulations! You’ve established a session with https://*************.okta-emea.com. Here’s your sessionId: 1027yjQl**************0A

Then the curl action:

<html>
<head>
<meta http-equiv=“Content-Type” content=“text/html; charset=UTF-8”>
<meta name=“viewport” content=“width=device-width, initial-scale=1.0” />
<meta name=“robots” content=“noindex,nofollow” />
<title>*************** - Bad Request
<link rel=“stylesheet” type=“text/css” href="/assets/css/sections/errors-v2.css">
<!-- Styles generated from theme →
<link href="/api/internal/brand/theme/style-sheet?touch-point=ERROR_PAGE&v=1c27*********\b5050be" rel=“stylesheet” type=“text/css”>
<!-- Favicon from theme →
<link rel=“shortcut icon” href="/favicon.ico" type=“image/x-icon”/>
</head>
<body>
<div class=“login-bg-image tb–background” style=“background-image: url(‘https://eu************.com/fs/bco/7/fs0j0*******l0i6’)”>
<div class=“widget”>
<div class=“container”>
<div class=“header”>
<img alt="**********" src=“https://*********.com/fs/bco/1/fs0*********7” class=“org-logo”>
</div>
<div class=“illustration”>
<!-- Show HTTP error code if exists →
<div class=“error-code”>400
<!-- Show generic error image if not →
</div>
<div class=“content”>
<h2 class=“o-form-title”>Bad Request
<p class=“o-form-explain”>Your request resulted in an error.

<a href="/" class=“button tb–button”>Go to Homepage
</div>
</div>
</div>
</body>
</html>NONE

It does not matter if I used the stateToken, sessionToken or sessionId. In all cases I get the same. Also the prompt is not being returned. I have to give an enter or ctrl-c.

Any clue?