diff --git a/README.md b/README.md
index e1e7e8f..00bc043 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,7 @@
 # Overview
-Quick bash script to register a new TOTP client with Okta, based on the
-QR code which Okta provide.
+Quick bash script to register a new TOTP client with Okta, based on the QR code provided by Okta.
 # Screenshots
diff --git a/okta_totp.sh b/okta_totp.sh
new file mode 100755
index 0000000..15c2609
--- /dev/null
+++ b/okta_totp.sh
@@ -0,0 +1,100 @@
+#!/bin/bash
+
+. ${HOME}/.bashtools/bashtools.sh
+if [[ -z $HAVE_BASHTOOLS ]]; then
+ echo "ERROR: bashtools not installed download from https://git.nethack.net/rob/bashtools" >/dev/stderr
+ exit 1
+fi
+
+inform "Sign in to Okta, click on add a new device, and paste the text from the"
+inform "provided QR code. This should be a 'oktaverify://' URL."
+echo
+ask "Enter oktaverify URL:" "" verifyurl
+echo
+
+RE_VERIFY="^oktaverify:\/\/.*\?t=(.*)\&s=.*okta.com.*$"
+if [[ ! $verifyurl =~ $RE_VERIFY ]]; then
+ error "Invalid URL."
+ exit 1
+fi
+
+
+inform "Enter name of new application to register with OKTA."
+inform "This can be any meaningful string (eg. 'FreeOTP'), and"
+inform "will be used in an Okta API to register a new 'device'"
+inform "with its own shared secret."
+echo
+ask "Enter app name [^bmyapp^p]:" "myapp" appname
+
+auth_string=$(echo "$verifyurl" | sed 's/.*t=\([^&]*\)&.*/\1/' )
+authenticator_id=$(echo "$verifyurl" | sed 's/.*f=\([^&]*\)&.*/\1/' )
+okta_host=$(echo "$verifyurl" | sed 's/.*issuer=\([^&]*\)&.*/\1/' )
+okta_host_base=$(echo "$okta_host" | sed 's/\..*//')
+inform "Application to add: [${appname}]"
+echo
+inform "Auth string is: [${auth_string}]"
+inform "Authenticator ID is: [${authenticator_id}]"
+inform "Okta host is: [${okta_host_base}]"
+echo
+ask "Does this look okay (^by^p/n)? " "y" yn
+if [[ $yn != "y" ]]; then
+ echo "Aborted."
+ exit 1
+fi
+
+res=$(
+curl --request POST \
+ --url "https://${okta_host_base}.okta.com/idp/authenticators" \
+ --header 'Accept: application/json; charset=UTF-8' \
+ --header 'Accept-Encoding: gzip, deflate' \
+ --header "Authorization: OTDT ${auth_string}" \
+ --header 'Content-Type: application/json; charset=UTF-8' \
+ --header 'User-Agent: D2DD7D3915.com.okta.android.auth/6.8.1 DeviceSDK/0.19.0 Android/7.1.1 unknown/Google' \
+ --data "{
+ \"authenticatorId\": \"${authenticator_id}\",
+ \"device\": {
+ \"clientInstanceBundleId\": \"com.okta.android.auth\",
+ \"clientInstanceDeviceSdkVersion\": \"DeviceSDK 0.19.0\",
+ \"clientInstanceVersion\": \"6.8.1\",
+ \"clientInstanceKey\": {
+ \"alg\": \"RS256\",
+ \"e\": \"AQAB\n\",
+ \"okta:isFipsCompliant\": false,
+ \"okta:kpr\": \"SOFTWARE\",
+ \"kty\": \"RSA\",
+ \"use\": \"sig\",
+ \"kid\": \"OpSRC6wLx4oPnqGBUuLz-WL7_knbK_UhClzjvt1cpOw\",
+ \"n\": \"u0Y1ygDJ61AghDiEqeGW7lCv4iW2gLOON0Aw-Tm53xQW7qB94MUNVjua8KuYyxS-1pxf58u0pCpVhQxSgZJGht5Z7Gmc0geVuxRza3B_TFLd90SFlEdE3te6IkH28MqDu2rQtonYowVedHXZpOii6QBLPjqP6Zm3zx9r7WokpSvY9fnp8zjixuAUuA0XYhv6EwedfvSiz3t84N-nV0R1cN5Ni8os6sG4K6F8ZSr7E4aXTzvOfJIWa9MC1Lx_J4M7HIUuUH7LV7PN_h5yYk8b-2fW4g3_3h13mQ-blx2qMXclr6uuBc13tLLks7LzY3S34y2K060gHMMWCM4MQ77Mrw\"
+ },
+ \"deviceAttestation\": {},
+ \"displayName\": \"${appname}\",
+ \"fullDiskEncryption\": false,
+ \"isHardwareProtectionEnabled\": false,
+ \"manufacturer\": \"unknown\",
+ \"model\": \"Google\",
+ \"osVersion\": \"25\",
+ \"platform\": \"ANDROID\",
+ \"rootPrivileges\": true,
+ \"screenLock\": false,
+ \"secureHardwarePresent\": false
+ },
+ \"key\": \"okta_verify\",
+ \"methods\": [
+ {
+ \"isFipsCompliant\": false,
+ \"supportUserVerification\": false,
+ \"type\": \"totp\"
+ }
+ ]
+}"
+)
+
+sec=$(echo "$res" | sed 's/^.*\("sharedSecret\)/\1/g;s/\}.*//;s/"//g;s/sharedSecret://g')
+
+inform "You should now have a new device named '$appname' registered in okta."
+echo
+inform "In your TOTP application of choice, use the following shared secret:"
+inform " ^b$sec^p"
+echo
+exit 0
+
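Review bot: The registration result is never checked — the `res=$(curl …)` block ignores both curl's exit status and the HTTP status, and the `sec=` sed yields arbitrary text when the body carries no `sharedSecret`, so a rejected request still prints "You should now have a new device…" and reaches `exit 0`; add `--fail --silent --show-error` to the curl call, stop on a non-zero status, and confirm `sharedSecret` is present before parsing (rewrite below). Two smaller issues sit in the same request: the user-entered `appname` is spliced into the JSON body unescaped, so a `"` in it corrupts the request (build the body with `jq -n --arg` or reject quotes at the `ask` prompt), and the registration token is placed on curl's argv via `--header "Authorization: OTDT ${auth_string}"`, where other local users can read it through `ps` — passing the headers from a file (`--header @file`) or a `--config -` block on stdin keeps it off the process list. `Accept-Encoding: gzip, deflate` is sent without `--compressed`, so if the server compresses the body `$res` would be raw gzip bytes and the sed extraction would presumably fail; either drop that header or add `--compressed`. The exponent line `\"e\": \"AQAB\n\",` also carries a literal `\n` inside the JSON string, which looks like a paste artifact and should read `\"e\": \"AQAB\",`; the earlier `>/dev/stderr` on the bashtools check is more portably written `>&2`.
```shell
res=$(
curl --fail --silent --show-error --request POST \
  --url "https://${okta_host_base}.okta.com/idp/authenticators" \
  # … unchanged: remaining --header and --data arguments …
) || { error "Okta registration request failed (see curl message above)."; exit 1; }

# Only parse a body that actually carries the field we need.
if [[ $res != *'"sharedSecret"'* ]]; then
  error "Okta response did not contain a sharedSecret; treating the registration as failed."
  exit 1
fi
sec=$(printf '%s' "$res" | sed 's/^.*\("sharedSecret\)/\1/g;s/\}.*//;s/"//g;s/sharedSecret://g')
```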