typo

2023-06-26 10:51:25 +10:00 · 2023-06-26 10:51:25 +10:00 · 3e1a583317
parent 91f87d3925
commit 3e1a583317
2 changed files with 101 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -1,8 +1,7 @@

 # Overview

-Quick bash script to register a new TOTP client with Okta, based on the
-QR code which Okta provide.
+Quick bash script to register a new TOTP client with Okta, based on the QR code provided by Okta.

 # Screenshots

--- a/okta_totp.sh
+++ b/okta_totp.sh
@ -0,0 +1,100 @@
+#!/bin/bash
+
+. ${HOME}/.bashtools/bashtools.sh
+if [[ -z $HAVE_BASHTOOLS ]]; then
+    echo "ERROR: bashtools not installed download from https://git.nethack.net/rob/bashtools" >/dev/stderr
+    exit 1
+fi
+
+inform "Sign in to Okta, click on add a new device, and paste the text from the"
+inform "provided QR code.  This should be a 'oktaverify://' URL."
+echo
+ask "Enter oktaverify URL:" "" verifyurl
+echo
+
+RE_VERIFY="^oktaverify:\/\/.*\?t=(.*)\&s=.*okta.com.*$"
+if [[ ! $verifyurl =~ $RE_VERIFY ]]; then
+    error "Invalid URL."
+    exit 1
+fi
+
+
+inform "Enter name of new application to register with OKTA."
+inform "This can be any meaningful string (eg. 'FreeOTP'), and"
+inform "will be used in an Okta API to register a new 'device'"
+inform "with its own shared secret."
+echo
+ask "Enter app name [^bmyapp^p]:" "myapp" appname
+
+auth_string=$(echo "$verifyurl" | sed 's/.*t=\([^&]*\)&.*/\1/'  )
+authenticator_id=$(echo "$verifyurl" | sed 's/.*f=\([^&]*\)&.*/\1/'  )
+okta_host=$(echo "$verifyurl" | sed 's/.*issuer=\([^&]*\)&.*/\1/'  )
+okta_host_base=$(echo "$okta_host" | sed 's/\..*//')
+inform "Application to add:    [${appname}]"
+echo
+inform "Auth string is:        [${auth_string}]"
+inform "Authenticator ID is:   [${authenticator_id}]"
+inform "Okta host is:          [${okta_host_base}]"
+echo
+ask "Does this look okay (^by^p/n)? " "y" yn
+if [[ $yn != "y" ]]; then
+    echo "Aborted."
+    exit 1
+fi
+
+res=$(
+curl --request POST \
+  --url "https://${okta_host_base}.okta.com/idp/authenticators" \
+  --header 'Accept: application/json; charset=UTF-8' \
+  --header 'Accept-Encoding: gzip, deflate' \
+  --header "Authorization: OTDT ${auth_string}" \
+  --header 'Content-Type: application/json; charset=UTF-8' \
+  --header 'User-Agent: D2DD7D3915.com.okta.android.auth/6.8.1 DeviceSDK/0.19.0 Android/7.1.1 unknown/Google' \
+  --data "{
+	\"authenticatorId\": \"${authenticator_id}\",
+	\"device\": {
+		\"clientInstanceBundleId\": \"com.okta.android.auth\",
+		\"clientInstanceDeviceSdkVersion\": \"DeviceSDK 0.19.0\",
+		\"clientInstanceVersion\": \"6.8.1\",
+		\"clientInstanceKey\": {
+			\"alg\": \"RS256\",
+			\"e\": \"AQAB\n\",
+			\"okta:isFipsCompliant\": false,
+			\"okta:kpr\": \"SOFTWARE\",
+			\"kty\": \"RSA\",
+			\"use\": \"sig\",
+			\"kid\": \"OpSRC6wLx4oPnqGBUuLz-WL7_knbK_UhClzjvt1cpOw\",
+			\"n\": \"u0Y1ygDJ61AghDiEqeGW7lCv4iW2gLOON0Aw-Tm53xQW7qB94MUNVjua8KuYyxS-1pxf58u0pCpVhQxSgZJGht5Z7Gmc0geVuxRza3B_TFLd90SFlEdE3te6IkH28MqDu2rQtonYowVedHXZpOii6QBLPjqP6Zm3zx9r7WokpSvY9fnp8zjixuAUuA0XYhv6EwedfvSiz3t84N-nV0R1cN5Ni8os6sG4K6F8ZSr7E4aXTzvOfJIWa9MC1Lx_J4M7HIUuUH7LV7PN_h5yYk8b-2fW4g3_3h13mQ-blx2qMXclr6uuBc13tLLks7LzY3S34y2K060gHMMWCM4MQ77Mrw\"
+		},
+		\"deviceAttestation\": {},
+		\"displayName\": \"${appname}\",
+		\"fullDiskEncryption\": false,
+		\"isHardwareProtectionEnabled\": false,
+		\"manufacturer\": \"unknown\",
+		\"model\": \"Google\",
+		\"osVersion\": \"25\",
+		\"platform\": \"ANDROID\",
+		\"rootPrivileges\": true,
+		\"screenLock\": false,
+		\"secureHardwarePresent\": false
+	},
+	\"key\": \"okta_verify\",
+	\"methods\": [
+		{
+			\"isFipsCompliant\": false,
+			\"supportUserVerification\": false,
+			\"type\": \"totp\"
+		}
+	]
+}"
+)
+
+sec=$(echo "$res" | sed 's/^.*\("sharedSecret\)/\1/g;s/\}.*//;s/"//g;s/sharedSecret://g')
+
+inform "You should now have a new device named '$appname' registered in okta."
+echo
+inform "In your TOTP application of choice, use the following shared secret:"
+inform "        ^b$sec^p"
+echo
+exit 0
+