okta_totp/okta_totp.sh

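#!/bin/bash
# Registers a new Okta Verify "device" against an Okta org and prints the
# TOTP shared secret the enrollment returns, so it can be loaded into a
# standard TOTP application.
#
# Usage:    okta_totp.sh   (interactive; prompts for the oktaverify:// URL)
# Requires: bashtools (inform/ask/error), curl (>= 7.55 for `--header @file`).
#
# NOTE(review): every field in the "device" object sent below is self-reported
# by the client and "deviceAttestation" is empty, so nothing about the device is
# attested. An org that requires managed/attested devices would reject this
# enrollment; that policy, not the posture fields, is the control that matters.

# shellcheck source=/dev/null
. "${HOME}/.bashtools/bashtools.sh"
if [[ -z $HAVE_BASHTOOLS ]]; then
  echo "ERROR: bashtools not installed download from https://git.nethack.net/rob/bashtools" >&2
  exit 1
fi

# Scratch directory (mktemp creates it 0700) for the authorization header, the
# request body and the response, so the enrollment token and the returned
# secret are neither world-readable nor on curl's command line (visible in ps).
tmpdir=$(mktemp -d) || { error "mktemp failed"; exit 1; }
trap 'rm -rf -- "$tmpdir"' EXIT

inform "Sign in to Okta, click on add a new device, and paste the text from the"
inform "provided QR code. This should be a 'oktaverify://' URL."
echo
ask "Enter oktaverify URL:" "" verifyurl
echo

# Coarse shape check before parsing: oktaverify:// scheme, a t= parameter and
# an okta.com host somewhere in the query string.
RE_VERIFY="^oktaverify:\/\/.*\?t=(.*)\&s=.*okta.com.*$"
if [[ ! $verifyurl =~ $RE_VERIFY ]]; then
  error "Invalid URL."
  exit 1
fi

#######################################
# Extract one query parameter from the oktaverify URL.
# Arguments: $1 - URL, $2 - parameter name
# Outputs:   the raw (still URL-encoded) value to stdout
# Returns:   1 if the parameter is absent
#######################################
url_param() {
  local url=$1 name=$2
  # Anchor on the parameter boundary so a name that appears inside another
  # value (e.g. "t=" inside an opaque string) is not picked up.
  local re="[?&]${name}=([^&]*)"
  [[ $url =~ $re ]] || return 1
  printf '%s\n' "${BASH_REMATCH[1]}"
}

inform "Enter name of new application to register with OKTA."
inform "This can be any meaningful string (eg. 'FreeOTP'), and"
inform "will be used in an Okta API to register a new 'device'"
inform "with its own shared secret."
echo
ask "Enter app name [^bmyapp^p]:" "myapp" appname

auth_string=$(url_param "$verifyurl" t) || { error "URL has no t= parameter."; exit 1; }
authenticator_id=$(url_param "$verifyurl" f) || { error "URL has no f= parameter."; exit 1; }
okta_host=$(url_param "$verifyurl" issuer) || { error "URL has no issuer= parameter."; exit 1; }
# Everything up to the first dot; the org URL is rebuilt as <base>.okta.com below.
okta_host_base=${okta_host%%.*}

# appname and authenticator_id are interpolated into the JSON body without
# escaping; refuse characters that could break out of a JSON string.
for v in "$appname" "$authenticator_id"; do
  if [[ $v == *[\"\\]* || $v == *[[:cntrl:]]* ]]; then
    error "Value contains characters not allowed in a JSON string: [$v]"
    exit 1
  fi
done

inform "Application to add: [${appname}]"
echo
inform "Auth string is: [${auth_string}]"
inform "Authenticator ID is: [${authenticator_id}]"
inform "Okta host is: [${okta_host_base}]"
echo
ask "Does this look okay (^by^p/n)? " "y" yn
if [[ $yn != "y" ]]; then
  echo "Aborted."
  exit 1
fi

auth_header_file="$tmpdir/auth_header"
printf 'Authorization: OTDT %s\n' "$auth_string" >"$auth_header_file"

# Request body. The heredoc expands ${authenticator_id} and ${appname} only;
# the remaining values are the fixed client identity the original script sends.
# NOTE(review): the "e" value carries a literal "\n" escape inside the JSON
# string, reproduced as-is from the original; unclear whether the server
# tolerates or requires it.
body_file="$tmpdir/body.json"
cat >"$body_file" <<EOF
{
  "authenticatorId": "${authenticator_id}",
  "device": {
    "clientInstanceBundleId": "com.okta.android.auth",
    "clientInstanceDeviceSdkVersion": "DeviceSDK 0.19.0",
    "clientInstanceVersion": "6.8.1",
    "clientInstanceKey": {
      "alg": "RS256",
      "e": "AQAB\n",
      "okta:isFipsCompliant": false,
      "okta:kpr": "SOFTWARE",
      "kty": "RSA",
      "use": "sig",
      "kid": "OpSRC6wLx4oPnqGBUuLz-WL7_knbK_UhClzjvt1cpOw",
      "n": "u0Y1ygDJ61AghDiEqeGW7lCv4iW2gLOON0Aw-Tm53xQW7qB94MUNVjua8KuYyxS-1pxf58u0pCpVhQxSgZJGht5Z7Gmc0geVuxRza3B_TFLd90SFlEdE3te6IkH28MqDu2rQtonYowVedHXZpOii6QBLPjqP6Zm3zx9r7WokpSvY9fnp8zjixuAUuA0XYhv6EwedfvSiz3t84N-nV0R1cN5Ni8os6sG4K6F8ZSr7E4aXTzvOfJIWa9MC1Lx_J4M7HIUuUH7LV7PN_h5yYk8b-2fW4g3_3h13mQ-blx2qMXclr6uuBc13tLLks7LzY3S34y2K060gHMMWCM4MQ77Mrw"
    },
    "deviceAttestation": {},
    "displayName": "${appname}",
    "fullDiskEncryption": false,
    "isHardwareProtectionEnabled": false,
    "manufacturer": "unknown",
    "model": "Google",
    "osVersion": "25",
    "platform": "ANDROID",
    "rootPrivileges": true,
    "screenLock": false,
    "secureHardwarePresent": false
  },
  "key": "okta_verify",
  "methods": [
    {
      "isFipsCompliant": false,
      "supportUserVerification": false,
      "type": "totp"
    }
  ]
}
EOF

# --compressed replaces the hand-written "Accept-Encoding: gzip, deflate"
# header: with the manual header curl would hand a still-compressed body to
# the parsing below; with --compressed it negotiates and decompresses itself.
# The body goes to a file and only the status code is captured, so a non-2xx
# answer is reported instead of being parsed as if it contained a secret.
res_file="$tmpdir/response.json"
http_code=$(
  curl --silent --show-error --request POST \
    --url "https://${okta_host_base}.okta.com/idp/authenticators" \
    --header 'Accept: application/json; charset=UTF-8' \
    --compressed \
    --header @"$auth_header_file" \
    --header 'Content-Type: application/json; charset=UTF-8' \
    --header 'User-Agent: D2DD7D3915.com.okta.android.auth/6.8.1 DeviceSDK/0.19.0 Android/7.1.1 unknown/Google' \
    --data @"$body_file" \
    --output "$res_file" \
    --write-out '%{http_code}'
) || { error "curl failed with exit status $?"; exit 1; }

res=$(<"$res_file")
if [[ $http_code != 2* ]]; then
  error "Okta returned HTTP ${http_code}:"
  printf '%s\n' "$res" >&2
  exit 1
fi

# Pull the secret with a bash regex instead of the previous sed chain, which
# kept any fields that followed sharedSecret in the same object.
re_secret='"sharedSecret"[[:space:]]*:[[:space:]]*"([^"]+)"'
if [[ ! $res =~ $re_secret ]]; then
  error "No sharedSecret found in the response:"
  printf '%s\n' "$res" >&2
  exit 1
fi
sec=${BASH_REMATCH[1]}

inform "You should now have a new device named '$appname' registered in okta."
echo
inform "In your TOTP application of choice, use the following shared secret:"
inform " ^b$sec^p"
echo
exit 0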