In my application, we are using OKTA login with MFA factor (PUSH) and I want to add an extra security check correct answer feature in that. Trying to fetch "correctAnswer" from "AuthenticationResponse" but unfortunately, it's throwing an error as Error: "Unresolved reference: correctAnswer"

        val oktaAuthStatus = loginResponse?.authData as? AuthenticationResponse
        val oktaVerifyNumber = oktaAuthStatus?.correctAnswer

SDK Version

okta_sdk_Api = "2.0.0" okta_sdk_impl = "2.0.0" okta_sdk_okhttp = "2.0.0"

Describe the bug?

Hello , I am trying to mfa enrollement for a new user , the method take parameters are availables fro factor ans state token but cant get FactorProfile . regards

What is expected to happen?

get FACTOR PROFILE

What is the actual behavior?

not able to get FactorProfile

Reproduction Steps?

enrollement sms and email

Additional Information?

No response

SDK Version

1.2.1

Build Information

:1.2.1

For some reason com.okta.sdk.ds.DataStore#instantiate method cannot do work for DefaultAuthenticationResponse resource.

Error: java.lang.NoSuchMethodException: com.okta.authn.sdk.impl.resource.DefaultAuthenticationResponse.<init>(com.okta.sdk.impl.ds.InternalDataStore)

When I updated okta-sdk-okhttp version to 1.6.0 application crashing.

implementation "com.okta.sdk:okta-sdk-okhttp:1.6.0"

Logs:

Caused by: java.lang.NoSuchFieldError: No static field INSTANCE of type Lorg/apache/http/conn/ssl/AllowAllHostnameVerifier; in class Lorg/apache/http/conn/ssl/AllowAllHostnameVerifier; or its superclasses (declaration of 'org.apache.http.conn.ssl.AllowAllHostnameVerifier' appears in /system/framework/framework.jar!classes3.dex) 
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.<clinit>(SSLConnectionSocketFactory.java:149) 
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.getSocketFactory(SSLConnectionSocketFactory.java:183) 
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.getDefaultRegistry(PoolingHttpClientConnectionManager.java:115) 
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.<init>

I didn't get proper documentation with this latest version, Can you please help to resolve this.

Hi Team,

I am looking to authenticate staged user. The use case, we have of an existing applications where we are moving away from current IDP to Okta. We have flow like below;

1. User self registers to the application online (No Okta interaction at this time). It creates a registration request, which needs to be reviewed and approved by staff.
2. Internal staff reviews and approves the request through intranet based internal application (based on certain legal requirements). On approval, we are creating Okta user with staged status. As part of approval, the email is triggered to end user to complete the registration to the site - which includes setting user profile in our datastore and then activate the User in Okta.
3. The okta user creation in step # 2 includes temp password, which needs to be authenticated by user. Only after that, user will setup permanent password of his choice to make user creation complete. That's where, we are calling auth API call with User id & Pwd of staged user, which is failing. If we change the status as active (through OKTA site) - auth call works as expected. So we need to auth user in a case, where it's status is staged.

Please guide, if we are doing something wrong here.

Vivek Bedekar

Here are my deps in gradle

    implementation 'com.okta.authn.sdk:okta-authn-sdk-api:1.0.0'
    runtimeOnly 'com.okta.authn.sdk:okta-authn-sdk-impl:1.0.0'
    runtimeOnly 'com.okta.sdk:okta-sdk-okhttp:1.5.2'

and my code

val mOktaAuth = AuthenticationClients.builder().setOrgUrl("https://app-api.okta.com").build()

mOktaAuth.authenticate(emailText.text.toString(), passwordText.text.toString().toCharArray(), "/application/specific", x)

x being my AuthenticationStateHandlerAdapter

and the error I get every time is 
`com.okta.sdk.impl.http.RestException: Unable to execute HTTP request: null`

What is the correct way of making the following call via the auth sdk?

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" \
-d '{
  "username": "[email protected]"
}' "https://${yourOktaDomain}/api/v1/authn/recovery/password"

The 3 approaches below all result in com.okta.sdk.resource.ResourceException: HTTP 403, Okta E0000006 (You do not have permission to perform the requested action), ErrorId oaeKo877F3cSvuSpMIaOBx60g

1

AuthenticationResponse authResponse = authenticationClient.recoverPassword("[email protected]", null, null, null);

2

AuthenticationResponse authResponse = authenticationClient.recoverPassword(authenticationClient
		.instantiate(RecoverPasswordRequest.class)
		.setUsername("[email protected]"), null);

3

ExtensibleResource body = authenticationClient.instantiate(ExtensibleResource.class);
body.put("username", "[email protected]");
AuthenticationResponse authResponse = authenticationClient
		.getDataStore().http().setBody(body).post("/api/v1/authn/recovery/password",
				AuthenticationResponse.class);

Getting following exception when migrating to okta-sdk-java 2.0.

<okta.version>2.0.0</okta.version>
<okta.auth.version>1.0.0</okta.auth.version>

Caused by: java.lang.NoClassDefFoundError: com/okta/sdk/lang/Classes
	at com.okta.authn.sdk.client.AuthenticationClients.builder(AuthenticationClients.java:43) ~[okta-authn-sdk-api-1.0.0.jar:1.0.0]
	at com.example.demo.OktaClientService.setup(OktaClientService.java:81) ~[classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_241]
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[na:1.8.0_241]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[na:1.8.0_241]
	at java.lang.reflect.Method.invoke(Unknown Source) ~[na:1.8.0_241]

Hi There,

Firstly, I am comparing this with okta-sdk-java api as both APIs as necessary for our Legacy Spring Boot based integration with Okta. We are moving away from our current IS / SSO provider to Okta. To minimize the migration efforts, we are leveraging both these APIs where in :

1. We are getting com.okta.sdk.client.Client bean injected directly through OktaSdkConfig for SDK api - which takes care of configuring client pointing to below properties okta.client.token=yyyyyyy okta.client.orgUrl=https://xxxxx.oktapreview.com

2. There is nothing similar to get com.okta.authn.sdk.client.AuthenticationClient bean like OktaSdkConfig in auth API. Hence when, we use

@Bean public AuthenticationClient getOktaAuthenticationClient() { return AuthenticationClients.builder().build(); } it doesn't pick up the the Org URL & token configured in app.prop file and fails with threw exception; nested exception is java.lang.IllegalArgumentException: Okta org url must not be null.

Am I missing something ? I am using 1.0.0 version. API docs says - your prop files needs to be configured as above. Please guide.

Issue

OKTA-312681

Description

Upgrade okta-auth-java SDK to major release version 2.0.0 to align with the recent Java Mgmt SDK v2.0.0 upgrade.

Category

• [ ] Bugfix
• [ ] Enhancement
• [x] Version Upgrade
• [ ] New Feature
• [ ] Configuration Change
• [ ] Versioning Change
• [ ] Unit Test(s)
• [ ] Documentation

It would be helpful if there was an AuthenticationBuilder, similar to the UserBuilder of the okta-sdk-api.

If one wants to create an authentication proxy or broker application, they need to craft their own AuthenticationRequest with a context (deviceToken) and options. So, the client.authenticate(username, password, relayState, handler) method doesn't cut it.

Also, I believe we'd need a way to set the User-Agent and X-Forwarded-For headers on each request. (Perhaps this should be a separate issue.)

Bumps springboot.version from 2.7.5 to 3.0.1. Updates spring-boot-starter-thymeleaf from 2.7.5 to 3.0.1

Updates spring-boot-starter-web from 2.7.5 to 3.0.1

Updates spring-boot-starter-test from 2.7.5 to 3.0.1

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps logback-classic from 1.3.4 to 1.4.5.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

:information_source: If you have a question, please post it on the Okta Developer Forum instead. Issues in this repository are reserved for bug reports and feature requests only.

I'm submitting a

• [x] bug report
• [ ] feature request

Background info

When updating SDK versions we noticed the appearance of a new crash originating in the Okta SDK (stack trace below). It only impacts users on Android 7.

Fatal Exception: java.lang.NoClassDefFoundError: Failed resolution of: Ljava/time/format/DateTimeFormatter;
       at com.okta.commons.http.RequestUtils.<clinit>(RequestUtils.java:32)
       at com.okta.commons.http.RequestUtils.fetchHeaderValueAndRemoveIfPresent(RequestUtils.java:93)
       at com.okta.commons.http.okhttp.OkHttpRequestExecutor.executeRequest(OkHttpRequestExecutor.java:122)
       at com.okta.commons.http.RetryRequestExecutor.doExecuteRequest(RetryRequestExecutor.java:147)
       at com.okta.commons.http.RetryRequestExecutor.executeRequest(RetryRequestExecutor.java:120)
       at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:442)
       at com.okta.sdk.impl.ds.DefaultDataStore.lambda$save$2(DefaultDataStore.java:316)
       at com.okta.sdk.impl.ds.DefaultDataStore.$r8$lambda$gKSDnks1-IbOCylz54X-TzaK5-s(DefaultDataStore.java)
       at com.okta.sdk.impl.ds.DefaultDataStore$$InternalSyntheticLambda$0$c4e7d458d0255d3533048628a92b18309bb945b5c716d564711e1a81e9edfaf4$0.filter(DefaultDataStore.java)
       at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47)
       at com.okta.sdk.impl.ds.DefaultDataStore.save(DefaultDataStore.java:348)
       at com.okta.sdk.impl.ds.DefaultDataStore.create(DefaultDataStore.java:246)
       at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.doPost(DefaultAuthenticationClient.java:301)
       at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.authenticate(DefaultAuthenticationClient.java:83)
       at com.okta.authn.sdk.client.AuthenticationClient.authenticate(AuthenticationClient.java:108)
       at com.okta.authn.sdk.impl.client.DefaultAuthenticationClient.authenticate(DefaultAuthenticationClient.java:74)

Expected behavior

No crash

What went wrong?

Crash

Steps to reproduce

Occurs for users on Android 7 when logging in with username and password (authenticationClient.authenticate(email, password, ...))

SDK Version

Updated versions are:

implementation "com.okta.authn.sdk:okta-authn-sdk-api:2.0.2" runtimeOnly "com.okta.authn.sdk:okta-authn-sdk-impl:2.0.2" implementation "com.okta.android:okta-oidc-android:1.3.2" runtimeOnly "com.okta.sdk:okta-sdk-okhttp:8.2.1"

Previous versions were:

implementation "com.okta.authn.sdk:okta-authn-sdk-api:2.0.0" runtimeOnly "com.okta.authn.sdk:okta-authn-sdk-impl:2.0.0" implementation "com.okta.android:okta-oidc-android:1.2.2" runtimeOnly "com.okta.sdk:okta-sdk-okhttp:2.0.0"

:information_source: If you have a question, please post it on the Okta Developer Forum instead. Issues in this repository are reserved for bug reports and feature requests only.

I'm submitting a

• [ ] bug report
• [X] feature request

Background info

We use a gateway that monitors the traffic to the actual login APIs to block malicious actors. When that happens, the call returns as an HTTP 4xx error with no payload. But OKTA SDK expects to always have a payload with errorCode when a failure is encountered, so DefaultAuthenticationClient.translateException() will throw a NullPointerException

Expected behavior

The SDK should gracefully handle the no-payload scenario and ideally returns the HTTP code so the app can handle it appropriately (e.g. logs the user out if it's blocked by the gateway for security reasons, show an error message if it's HTTP 500, etc)

What went wrong?

See Background info

Steps to reproduce

1. Use Charles to intercept one of the API calls
2. Change HTTP status code to 4xx, and remove the payload
3. A NullPointerException is thrown by AuthenticationClient.authenticate()

SDK Version

2.0.2

We found an issue where we attempted to create OIDC access tokens for several users in our account, but when we use these access tokens to get the user's profile information it always returns the same user info for the first user we authenticate using the AuthenticationClient. We create a session token using the following command:

private String createSession(User user) {

  AuthenticationResponse loginResponse = AuthenticationClients.builder()
  .setOrgUrl(OKTA_ORG_URL)
  .build()
  .authenticate(user.getEmail(), user.getPassword(), null, null);

  if (AuthenticationStatus.SUCCESS.equals(loginResponse.getStatus())) {
                  return loginResponse.getSessionToken();
              }
}

We call this function for several of our Okta users, we then use these session tokens to generate access tokens using the /oauth2/v1/authorize endpoint, the access tokens are successfully generated, and we can call the /oauth2/v1/userinfo endpoint with each access token to get back user info, but every access token always returns the same user profile, and it is always returns whomever the first user was to have a session token generated for them (we confirmed this by testing several different permutations).

We fixed our issue by pivoting away from the AuthenticationClient and just calling the /api/v1/authn endpoint directly, and our access tokens now return the expected user profiles. Not sure if others have experienced this issue, but we didn't see any previous issue created for this. We tried referencing the Java Docs for the AuthenticationClientBuilder here: https://developer.okta.com/okta-auth-java/development/apidocs/index.html?com/okta/authn/sdk/client/AuthenticationClientBuilder.html which makes a reference to a caching section:

"Understanding caching is extremely important when creating a AuthenticationClient instance, so please ensure you read the Caching section below."

However, that section appears to be missing from the docs so we were unable to determine if there was a configuration issue we were missing on our end.

Both Shape and Okta have SDKs that are opaque to us.

Okta has a standard SDK where we ask for something at a high level, and the requests are carried out behind the scenes.

Shape has an SDK where it wants to be given the low-level request object prior to it being sent, and be handed the response for further processing after it has been received.

In order to integrate Okta with Shape, we need to grant Shape access to the requests and responses that Okta is generating.

Approach We ask for two new callbacks to be added to the Okta SDK.

Example from iOS issues - (Android example TBD):

protocol OktaHttpDelegate {
    
    /// Called after request creation, just before send.
    func willSend(request: NSMutableURLRequest)
    
    /// Called after response received, just after receipt.
    func didReceive(response: HTTPURLResponse)
    
}

Will be repeating this issue for the Android OIDC library and similar approach on the equivalent iOS SDKs