When is the "authenticator-verification-data" remediation type required?

Hello!

We have a CLI that is using Okta IDX to authenticate users.

We use the Okta IDX Golang library to interact with Okta and retrieve the user’s tokens.

In some cases, during invocation of the Okta Verify prompts, we receive an authenticator-verification-data remediation option instead of a challenge-poll remediation option, as shown below:

{
    "rel": [
        "create-form"
    ],
    "type": "",
    "idp": {
        "id": "",
        "name": ""
    },
    "name": "authenticator-verification-data",
    "href": "https://<OKTA_URL>/idp/idx/challenge",
    "method": "POST",
    "value": [
        null,
        "<TOKEN>"
    ],
    "accepts": "application/json; okta-version=1.0.0"
}

I don’t see any documentation for this remediation type, and the Go library doesn’t seem to support it.

I’ve looked at libraries for other languages (namely the Okta JavaScript library) but could not put my finger on what exactly the authenticator-verification-data remediation option is. Some more information about this step would be very helpful.

I would also like to know when and why the authenticator-verification-data remediation is required, i.e., what state does a user’s account need to be in for this remediation to be required?

Thank you!

The full response containing the authenticator-verification-data remediation (state handle, identifiers and Okta URL replaced with placeholders):

{
    "version": "1.0.0",
    "stateHandle": "<state_handle>",
    "expiresAt": "2024-01-02T20:16:34.000Z",
    "intent": "LOGIN",
    "remediation": {
        "type": "array",
        "value": [
            {
                "rel": [
                    "create-form"
                ],
                "type": "",
                "idp": {
                    "id": "",
                    "name": ""
                },
                "name": "authenticator-verification-data",
                "href": "https://<okta_url>/idp/idx/challenge",
                "method": "POST",
                "value": [
                    null,
                    "<state_handle>"
                ],
                "accepts": "application/json; okta-version=1.0.0"
            },
            {
                "rel": [
                    "create-form"
                ],
                "type": "",
                "idp": {
                    "id": "",
                    "name": ""
                },
                "name": "select-authenticator-authenticate",
                "href": "https://<okta_url>/idp/idx/challenge",
                "method": "POST",
                "value": [
                    null,
                    "<state_handle>"
                ],
                "accepts": "application/json; okta-version=1.0.0"
            }
        ]
    },
    "currentAuthenticator": {
        "type": "object",
        "value": {
            "contextualData": null,
            "recover": null,
            "type": "app",
            "key": "okta_verify",
            "id": "<authenticator_id_2>",
            "displayName": "Okta Verify",
            "methods": [
                {
                    "type": "push"
                }
            ]
        }
    },
    "authenticators": {
        "type": "array",
        "value": [
            {
                "type": "app",
                "key": "okta_verify",
                "id": "<authenticator_id_2>",
                "displayName": "Okta Verify",
                "credentialId": "",
                "methods": [
                    {
                        "type": "push"
                    },
                    {
                        "type": "totp"
                    }
                ]
            }
        ]
    },
    "authenticatorEnrollments": {
        "type": "array",
        "value": [
            {
                "type": "app",
                "key": "okta_verify",
                "id": "<authenticator_id_1>",
                "displayName": "Okta Verify",
                "credentialId": "",
                "methods": [
                    {
                        "type": "push"
                    },
                    {
                        "type": "totp"
                    }
                ]
            }
        ]
    },
    "user": {
        "type": "object",
        "value": {
            "id": "<user_id>"
        }
    },
    "cancel": {
        "rel": [
            "create-form"
        ],
        "type": "",
        "idp": {
            "id": "",
            "name": ""
        },
        "name": "cancel",
        "href": "<okta_url>/idp/idx/cancel",
        "method": "POST",
        "value": [
            "<state>"
        ],
        "accepts": "application/json; okta-version=1.0.0"
    },
    "successWithInteractionCode": null,
    "currentAuthenticatorEnrollment": null,
    "app": {
        "type": "object",
        "value": {
            "name": "oidc_client",
            "label": "<label>",
            "id": "<client_id>"
        }
    },
    "messages": null
}