Share Okta credentials cross accounts

helper/osxkeychain/osxkeychain.go

@@ -1,11 +1,8 @@
-// +build darwin,cgo
+// +build darwin
 
 package osxkeychain
 
 import (
-	"net/url"
-	"strings"
-
 	"github.com/keybase/go-keychain"
 	"github.com/sirupsen/logrus"
 	"github.com/versent/saml2aws/v2/helper/credentials"
@@ -24,14 +21,11 @@ func (h Osxkeychain) Add(creds *credentials.Credentials) error {
 	}
 
 	item := keychain.NewItem()
-	item.SetSecClass(keychain.SecClassInternetPassword)
+	item.SetSecClass(keychain.SecClassGenericPassword)
 	item.SetLabel(credentials.CredsLabel)
 	item.SetAccount(creds.Username)
 	item.SetData([]byte(creds.Secret))
-	err = splitServer3(creds.ServerURL, item)
-	if err != nil {
-		return err
-	}
+	item.SetService(creds.ServerURL)
 
 	err = keychain.AddItem(item)
 	if err != nil {
@@ -46,13 +40,9 @@ func (h Osxkeychain) Add(creds *credentials.Credentials) error {
 func (h Osxkeychain) Delete(serverURL string) error {
 
 	item := keychain.NewItem()
-	item.SetSecClass(keychain.SecClassInternetPassword)
-	err := splitServer3(serverURL, item)
-	if err != nil {
-		return err
-	}
-
-	err = keychain.DeleteItem(item)
+	item.SetSecClass(keychain.SecClassGenericPassword)
+	item.SetService(serverURL)
+	err := keychain.DeleteItem(item)
 	if err != nil {
 		return err
 	}
@@ -66,13 +56,8 @@ func (h Osxkeychain) Get(serverURL string) (string, string, error) {
 	logger.WithField("serverURL", serverURL).Debug("Get credentials")
 
 	query := keychain.NewItem()
-	query.SetSecClass(keychain.SecClassInternetPassword)
-
-	err := splitServer3(serverURL, query)
-	if err != nil {
-		return "", "", err
-	}
-
+	query.SetSecClass(keychain.SecClassGenericPassword)
+	query.SetService(serverURL)
 	query.SetMatchLimit(keychain.MatchLimitOne)
 	query.SetReturnAttributes(true)
 	query.SetReturnData(true)
@@ -95,21 +80,3 @@ func (h Osxkeychain) Get(serverURL string) (string, string, error) {
 func (Osxkeychain) SupportsCredentialStorage() bool {
 	return true
 }
-
-func splitServer3(serverURL string, item keychain.Item) (err error) {
-	u, err := url.Parse(serverURL)
-	if err != nil {
-		return
-	}
-
-	hostAndPort := strings.Split(u.Host, ":")
-	SetServer(item, hostAndPort[0])
-	if len(hostAndPort) == 2 {
-		SetPort(item, hostAndPort[1])
-	}
-
-	SetProtocol(item, u.Scheme)
-	SetPath(item, u.Path)
-
-	return
-}

helper/osxkeychain/osxkeychain_test.go

@@ -1,4 +1,4 @@
-// +build darwin,cgo
+// +build darwin
 
 // Copyright (c) 2016 David Calavera
 

pkg/provider/okta/okta.go

@@ -66,6 +66,7 @@ type Client struct {
 	targetURL       string
 	disableSessions bool
 	rememberDevice  bool
+	appID           string
 }
 
 // AuthRequest represents an mfa okta request
@@ -122,6 +123,7 @@ func New(idpAccount *cfg.IDPAccount) (*Client, error) {
 
 	disableSessions := idpAccount.DisableSessions
 	rememberDevice := !idpAccount.DisableRememberDevice
+	appID := idpAccount.AppID
 
 	if idpAccount.DisableSessions { // if user disabled sessions, also dont remember device
 		rememberDevice = false
@@ -130,13 +132,15 @@ func New(idpAccount *cfg.IDPAccount) (*Client, error) {
 	// Debug the disableSessions and rememberDevice values
 	logger.Debugf("okta | disableSessions: %v", disableSessions)
 	logger.Debugf("okta | rememberDevice: %v", rememberDevice)
+	logger.Debugf("okta | AppID: %v", appID)
 
 	return &Client{
 		client:          client,
 		mfa:             idpAccount.MFA,
 		targetURL:       idpAccount.TargetURL,
 		disableSessions: disableSessions,
 		rememberDevice:  rememberDevice,
+		appID:			 appID,
 	}, nil
 }
 
@@ -298,7 +302,7 @@ func (oc *Client) authWithSession(loginDetails *creds.LoginDetails) (string, err
 		return oc.Authenticate(modifiedLoginDetails)
 	}
 
-	req, err := http.NewRequest("GET", loginDetails.URL, nil)
+	req, err := http.NewRequest("GET", loginDetails.URL + oc.appID, nil)
 	if err != nil {
 		return "", errors.Wrap(err, "error building authWithSession request")
 	}
@@ -338,7 +342,7 @@ func (oc *Client) authWithSession(loginDetails *creds.LoginDetails) (string, err
 // This function is not currently used and but can be used in the future
 func (oc *Client) getDeviceTokenFromOkta(loginDetails *creds.LoginDetails) (string, error) {
 	//dummy request to set device token cookie ("dt")
-	req, err := http.NewRequest("GET", loginDetails.URL, nil)
+	req, err := http.NewRequest("GET", loginDetails.URL + oc.appID, nil)
 	if err != nil {
 		return "", errors.Wrap(err, "error building device token request")
 	}
@@ -555,7 +559,7 @@ func (oc *Client) follow(ctx context.Context, req *http.Request, loginDetails *c
 		logger.WithField("type", "saml-response").Debug("doc detect")
 		handler = oc.handleFormRedirect
 	} else {
-		req, err = http.NewRequest("GET", loginDetails.URL, nil)
+		req, err = http.NewRequest("GET", loginDetails.URL + oc.appID, nil)
 		if err != nil {
 			return "", errors.Wrap(err, "error building app request")
 		}