A user who attempts to retrieve session keys using keyconjurer get may receive the error:
Error: failed to fetch SAML assertion
Reproduction steps
1. Have a user log into KeyConjurer.
2. Entitle the user to a new AWS application.
3. Have the user run keyconjurer accounts.
4. Have the user run keyconjurer get [account name of new application].
Okta may reject a request to exchange tokens using the token exchange flow. If it does, the error is silently dropped and the code continues, ultimately submitting an empty OAuth2 token to the SAML assertion endpoint, which results in the above error.
Resolution
Return an ErrUnauthorized error to the end-user if this occurs at the token exchange endpoint. It's not clear whether the response code from Okta is HTTP 500, HTTP 403 or simply any non-200 HTTP response code; the standards indicate that the response code should be HTTP 400. We will simply treat any non-200 status code as an unauthorized error.
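The following is an added example of the resolution described above; it is not KeyConjurer's own code. It shows a token exchange client that treats any non-200 response from the identity provider as ErrUnauthorized and also refuses to hand back an empty access token, which is the condition that produced the empty-token request to the SAML endpoint. The ErrUnauthorized definition, the ExchangeToken and ExchangeAgainstFakeIdP functions, the token URL path, and the client id, subject token and audience values are all assumptions constructed for this example; the in-process HTTP server stands in for Okta.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrUnauthorized is the sentinel error the issue proposes returning to the
// end-user. The name follows the issue; this definition is an assumption.
var ErrUnauthorized = errors.New("unauthorized: identity provider rejected the token exchange")

// tokenResponse holds the one field of an RFC 8693 token exchange response
// this example needs.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
}

// ExchangeToken performs an OAuth 2.0 token exchange and returns the issued
// access token. Unlike the behaviour the issue describes, it never returns an
// empty token with a nil error: any non-200 status, and any 200 response
// without an access_token, is reported as ErrUnauthorized.
func ExchangeToken(ctx context.Context, client *http.Client, tokenURL, clientID, subjectToken, audience string) (string, error) {
	form := url.Values{}
	form.Set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
	form.Set("client_id", clientID)
	form.Set("subject_token", subjectToken)
	form.Set("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
	form.Set("audience", audience)

	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	resp, err := client.Do(req)
	if err != nil {
		return "", fmt.Errorf("token exchange request failed: %w", err)
	}
	defer resp.Body.Close()

	// Cap the body read so a misbehaving server cannot exhaust memory.
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", fmt.Errorf("reading token exchange response: %w", err)
	}

	if resp.StatusCode != http.StatusOK {
		// The exact code Okta uses is unclear (RFC 6749 prescribes 400 for a
		// rejected grant), so every non-200 is treated as unauthorized. The
		// body is deliberately not copied into the error.
		return "", fmt.Errorf("%w (HTTP %d)", ErrUnauthorized, resp.StatusCode)
	}

	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return "", fmt.Errorf("decoding token exchange response: %w", err)
	}
	if tr.AccessToken == "" {
		return "", fmt.Errorf("%w: token exchange returned no access_token", ErrUnauthorized)
	}
	return tr.AccessToken, nil
}

// ExchangeAgainstFakeIdP runs ExchangeToken against an in-process server that
// answers every token request with the given status and body, standing in for
// Okta. The client id, subject token and audience are constructed values.
func ExchangeAgainstFakeIdP(status int, body string) (string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.ParseForm() != nil {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		io.WriteString(w, body)
	}))
	defer srv.Close()
	return ExchangeToken(context.Background(), srv.Client(), srv.URL+"/oauth2/v1/token",
		"example-client-id", "constructed-subject-token", "example-audience")
}

func main() {
	cases := []struct {
		name   string
		status int
		body   string
	}{
		{"rejected grant", http.StatusBadRequest, `{"error":"invalid_grant"}`},
		{"server error", http.StatusInternalServerError, ``},
		{"empty token", http.StatusOK, `{"access_token":"","token_type":"Bearer"}`},
		{"success", http.StatusOK, `{"access_token":"constructed.access.token","token_type":"Bearer"}`},
	}
	for _, c := range cases {
		tok, err := ExchangeAgainstFakeIdP(c.status, c.body)
		fmt.Printf("%-15s unauthorized=%-5v token=%q err=%v\n", c.name, errors.Is(err, ErrUnauthorized), tok, err)
	}
}
```

Callers can check errors.Is(err, ErrUnauthorized) and print a single actionable message instead of proceeding to the SAML assertion endpoint; the empty-token check after a 200 is what closes the gap a status check alone would leave.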
punmechanic added a commit to punmechanic/Key-conjurer that referenced this issue on Jul 11, 2024.