Integration Testing and MFA

dotnet
api

#1

My original post regarding integration testing is here: [Unit Testing and Implicit Flow]

This worked great when I was “in network”. The VSTS builds and releases run outside of the network and trigger MFA.

Is there a way I can answer the MFA questions programmatically using C# for integration testing?


#2

Hi @glenndorr ,

Not sure this will help specifically with your use case, but this page contains a video, a Postman collection, and instructions on how to consume/validate MFA via APIs.

https://developer.okta.com/use_cases/mfa/


#3

Thanks @frederico.hakamine,

I have read that article… That process allows you to verify the MFA for a user given an API token. I don’t think it addresses being able to respond to a MFA during integration testing. I can’t ask for an API token because including that in a build process would leak too much power.

I call authn and that returns a code that I can use to call authenticate and that in turn responds with an id_token in the redirect url IF you are in network for our sso enabled OKTA instance.

Because the process is running during a build, it has to be headless.


#4

@vijet or @lboyette or @jmelberg, any suggestions?


#5

@glenndorr: Since Okta APIs are not OAuth enabled, you’ll still have to use an API Token to verify a factor. I’d suggest exploring ways to encrypt the API Token in your build process and use that to call the factors API.

@robertjd, @jmelberg, @bdemers, @bretterer - Any thoughts?


#6

Hi @glenndorr, is the issue here that you need to respond to an MFA challenge during an authentication flow in an IT test?


#7

@robertjd Yes! That is correct


#8

In that case I would recommend using a TOTP factor for your test user in your test flow. In this case you only need to put the shared secret for the factor in your test environment, then you can use that shared secret to generate TOTP pass codes when challenged. I think you’re in .NET land? In node-land I’ve been using this library to generate codes https://github.com/speakeasyjs/speakeasy


#9

Thank you @robertjd.

So I call authn with userid and password. It returns a challenge with this (obfuscated) content:

{
  "stateToken": "the state token",
  "expiresAt": "2018-03-06T22:49:02Z",
  "status": "MFA_REQUIRED",
  "_embedded": {
    "user": {
      "id": "the user id",
      "profile": {
        "login": "The login",
        "firstName": "first name",
        "lastName": "last name",
        "locale": "en",
        "timeZone": "America/Los_Angeles"
      }
    },
    "factors": [
      {
        "id": "factor id",
        "factorType": "question",
        "provider": "OKTA",
        "vendorName": "OKTA",
        "profile": {
          "question": "the question",
          "questionText": "the question text"
        },
        "_links": {
          "verify": {
            "href": "https://our sub domain.okta.com/api/v1/authn/factors/default/verify",
            "hints": {
              "allow": [
                "POST"
              ]
            }
          }
        }
      }
    ],
    "policy": {
      "allowRememberDevice": true,
      "rememberDeviceLifetimeInMinutes": 120,
      "rememberDeviceByDefault": false
    }
  },
  "_links": {
    "cancel": {
      "href": "https://our sub domain.okta.com/api/v1/authn/cancel",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}

What are you suggesting next?


#10

Solved it! I’ll clean up the code and post something on Monday. Maybe you guys can reformat it and put up a blog on it.