How to programmatically log in to arbitrary webpage that uses OKTA for auth?

I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers. I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programmatically.

How can I log into these websites using my OKTA credentials? I’ve found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.

I’ve found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this): https://<company>.okta.com/api/v1/authn

I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I cannot find any documentation that says so.

At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).

Is it possible to programmatically log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?

If you are attempting to automate logging a test user into a certain application, then you will need to know, in addition to the Okta subdomain used in the /authn call, the client ID for the OIDC application (provided we’re talking about testing with OIDC apps) as well as the allowed OIDC grant type (Implicit, Authorization Code flow, etc.).

You can automate logging into OIDC applications by taking the session_token returned from the /authn call and including it as a parameter in the /authorize call you make for your application, as noted in the documentation for this endpoint: https://developer.okta.com/docs/reference/api/oidc/#request-parameters.

As far as the nonce and state are concerned, these parameters exist as security features. The nonce is used to mitigate replay attacks while the state token can be used by the client application to remember the state of its interaction with the end user at the time of the authentication call, per https://developer.okta.com/docs/reference/api/oidc/#request-parameters. These values can just be randomly generated in your tests, which you’ll find that the Sign In Widget does by default: https://github.com/okta/okta-signin-widget#openid-connect.

I’d advise taking a look at this post that discusses automating logins where Dragos has provided some example curl commands: Automating Authorization Code Flow
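The /authn to /authorize handoff the answer describes, as an added example written for this page; it is not code from the thread, from Dragos’ post, or from Okta. Everything beyond the two endpoint paths is an assumption: the org URL, an OIDC app’s client_id and redirect_uri (which you still have to get from whoever administers the app), and that the app allows the Authorization Code grant. The HTTP transport is injected so the flow can be exercised offline against a constructed fake; swap in urllib_transport to hit a real org.

```python
# Added example (not from the thread or from Okta). ASSUMED, not on the page:
# ORG_URL, the app's client_id/redirect_uri, and an Authorization Code grant.
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

ORG_URL = "https://your-org.okta.com"  # assumption: your company's Okta subdomain


def authn(transport, username, password):
    """POST /api/v1/authn and return the one-time sessionToken.

    Only status SUCCESS carries a sessionToken; MFA_REQUIRED and the other
    transition states need further factor calls, so raise instead of
    returning nothing.
    """
    body = json.dumps({"username": username, "password": password}).encode()
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    status, _, raw = transport("POST", f"{ORG_URL}/api/v1/authn", headers, body)
    resp = json.loads(raw or b"{}")
    if status != 200 or resp.get("status") != "SUCCESS":
        raise RuntimeError(f"/authn did not reach SUCCESS: {status} {resp.get('status')}")
    return resp["sessionToken"]


def build_authorize_url(client_id, redirect_uri, session_token, state, nonce):
    """Authorization Code request with the sessionToken parameter added."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "sessionToken": session_token,
    }
    return f"{ORG_URL}/oauth2/v1/authorize?" + urllib.parse.urlencode(params)


def code_from_redirect(location, expected_state):
    """Read the code off the 302 Location, refusing it if state does not match."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(location).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on redirect; discard this response")
    if "error" in qs:
        raise RuntimeError(f"/authorize error: {qs['error'][0]}")
    return qs["code"][0]


def login(transport, username, password, client_id, redirect_uri):
    """/authn -> /authorize -> authorization code. The nonce is returned so it
    can be compared with the ID token's nonce claim after the /token exchange."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    token = authn(transport, username, password)
    url = build_authorize_url(client_id, redirect_uri, token, state, nonce)
    status, headers, _ = transport("GET", url, {"Accept": "text/html"}, None)
    if status != 302:
        raise RuntimeError(f"expected 302 from /authorize, got {status}")
    location = {k.lower(): v for k, v in headers.items()}["location"]
    return {"code": code_from_redirect(location, state), "nonce": nonce}


def urllib_transport(method, url, headers, body):
    """Real transport. Redirects are NOT followed so Location can be read."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with opener.open(req) as r:
            return r.status, dict(r.headers), r.read()
    except urllib.error.HTTPError as e:  # 3xx and 4xx both land here
        return e.code, dict(e.headers), e.read()


def fake_transport(method, url, headers, body):
    """Constructed offline stand-in for an Okta org (sample data, not real)."""
    if url.endswith("/api/v1/authn"):
        if json.loads(body) == {"username": "tester@example.com", "password": "correct-horse"}:
            return 200, {}, json.dumps({"status": "SUCCESS", "sessionToken": "tok-123"}).encode()
        return 401, {}, json.dumps({"errorSummary": "Authentication failed"}).encode()
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    back = q["redirect_uri"][0] + "?"
    if q.get("sessionToken") == ["tok-123"]:
        return 302, {"Location": back + urllib.parse.urlencode({"code": "abc", "state": q["state"][0]})}, b""
    return 302, {"Location": back + urllib.parse.urlencode({"error": "login_required", "state": q["state"][0]})}, b""


if __name__ == "__main__":
    print(login(fake_transport, "tester@example.com", "correct-horse",
                "0oaExampleClientId", "https://app.example/callback"))
```

Two checks are deliberate: the script refuses a redirect whose state differs from the one it generated, and it keeps the nonce so the ID token obtained at /token can be matched against it; skipping either turns the random values the answer mentions into decoration. The sessionToken from /authn is single-use, so a second /authorize with the same token will not succeed; fetch a fresh one per login.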
