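#!/bin/bash
#
# Register a new Okta Verify "device" on the current user's own Okta account
# so that an ordinary TOTP application can be used in place of the Okta
# Verify app.
#
# Flow:
#   1. The user pastes the 'oktaverify://' enrollment URL that Okta shows
#      (as a QR code) when adding a new device.
#   2. The one-time enrollment token (t=), the authenticator id (f=) and the
#      issuer host (issuer=) are taken from that URL.
#   3. A single POST to the tenant's /idp/authenticators endpoint registers a
#      TOTP method; the "sharedSecret" in the response is what the TOTP app
#      needs.
#
# Requires bashtools (https://git.nethack.net/rob/bashtools) for the
# inform/ask/error helpers. From the calls below, ask's arguments are
# (prompt, default, name-of-variable-to-set).
#
# Both the enrollment token and the resulting shared secret are printed to the
# terminal, so the output of this script should be treated like a password.

. "${HOME}/.bashtools/bashtools.sh"

if [[ -z $HAVE_BASHTOOLS ]]; then
  echo "ERROR: bashtools not installed download from https://git.nethack.net/rob/bashtools" >&2
  exit 1
fi

#######################################
# Print the value of one query parameter of a URL.
# Arguments: $1 - URL
#            $2 - parameter name (plain text, not a regex)
# Outputs:   the value up to the next '&' on stdout; nothing when absent
# Returns:   0 if the parameter was found, 1 otherwise
#######################################
url_param() {
  local url=$1 name=$2
  # Anchoring on '?' or '&' avoids matching the tail of a longer parameter
  # name, and not requiring a trailing '&' lets the last parameter match too
  # (the original sed expressions echoed the whole URL in that case).
  local re="[?&]${name}=([^&]*)"
  if [[ $url =~ $re ]]; then
    printf '%s\n' "${BASH_REMATCH[1]}"
    return 0
  fi
  return 1
}

inform "Sign in to Okta, click on add a new device, and paste the text from the"
inform "provided QR code. This should be a 'oktaverify://' URL."
echo
ask "Enter oktaverify URL:" "" verifyurl
echo

# Sanity check: an enrollment URL carries the token as t= and names an
# okta.com tenant.
RE_VERIFY="^oktaverify:\/\/.*\?t=(.*)\&s=.*okta.com.*$"
if [[ ! $verifyurl =~ $RE_VERIFY ]]; then
  error "Invalid URL."
  exit 1
fi

inform "Enter name of new application to register with OKTA."
inform "This can be any meaningful string (eg. 'FreeOTP'), and"
inform "will be used in an Okta API to register a new 'device'"
inform "with its own shared secret."
echo
ask "Enter app name [^bmyapp^p]:" "myapp" appname

# The name is spliced into a JSON string literal below; a quote or backslash
# would produce a malformed request body instead of a registered device.
if [[ $appname == *[\"\\]* ]]; then
  error "App name must not contain '\"' or '\\'."
  exit 1
fi

auth_string=$(url_param "$verifyurl" t)
authenticator_id=$(url_param "$verifyurl" f)
okta_host=$(url_param "$verifyurl" issuer)
# Tenant name only: everything before the first '.' of the issuer host.
okta_host_base=${okta_host%%.*}

if [[ -z $auth_string || -z $authenticator_id || -z $okta_host_base ]]; then
  error "Could not find the t=, f= and issuer= parameters in the URL."
  exit 1
fi

inform "Application to add: [${appname}]"
echo
inform "Auth string is: [${auth_string}]"
inform "Authenticator ID is: [${authenticator_id}]"
inform "Okta host is: [${okta_host_base}]"
echo
ask "Does this look okay (^by^p/n)? " "y" yn
if [[ $yn != "y" ]]; then
  echo "Aborted."
  exit 1
fi

# Request body. The "device" block and the JWK are fixed values carried over
# from the original script; the JWK is a public key only, and the "e" value
# keeps its literal "\n" as the original sent it.
# NOTE(review): the trailing \n in "e" looks accidental - confirm against a
# working enrollment before removing it.
payload=$(cat <<EOF
{
  "authenticatorId": "${authenticator_id}",
  "device": {
    "clientInstanceBundleId": "com.okta.android.auth",
    "clientInstanceDeviceSdkVersion": "DeviceSDK 0.19.0",
    "clientInstanceVersion": "6.8.1",
    "clientInstanceKey": {
      "alg": "RS256",
      "e": "AQAB\n",
      "okta:isFipsCompliant": false,
      "okta:kpr": "SOFTWARE",
      "kty": "RSA",
      "use": "sig",
      "kid": "OpSRC6wLx4oPnqGBUuLz-WL7_knbK_UhClzjvt1cpOw",
      "n": "u0Y1ygDJ61AghDiEqeGW7lCv4iW2gLOON0Aw-Tm53xQW7qB94MUNVjua8KuYyxS-1pxf58u0pCpVhQxSgZJGht5Z7Gmc0geVuxRza3B_TFLd90SFlEdE3te6IkH28MqDu2rQtonYowVedHXZpOii6QBLPjqP6Zm3zx9r7WokpSvY9fnp8zjixuAUuA0XYhv6EwedfvSiz3t84N-nV0R1cN5Ni8os6sG4K6F8ZSr7E4aXTzvOfJIWa9MC1Lx_J4M7HIUuUH7LV7PN_h5yYk8b-2fW4g3_3h13mQ-blx2qMXclr6uuBc13tLLks7LzY3S34y2K060gHMMWCM4MQ77Mrw"
    },
    "deviceAttestation": {},
    "displayName": "${appname}",
    "fullDiskEncryption": false,
    "isHardwareProtectionEnabled": false,
    "manufacturer": "unknown",
    "model": "Google",
    "osVersion": "25",
    "platform": "ANDROID",
    "rootPrivileges": true,
    "screenLock": false,
    "secureHardwarePresent": false
  },
  "key": "okta_verify",
  "methods": [
    {
      "isFipsCompliant": false,
      "supportUserVerification": false,
      "type": "totp"
    }
  ]
}
EOF
)

# -sS drops the progress meter but still reports transport errors; a failed
# request previously left $res empty and was only noticed when the secret
# came out blank.
# NOTE(review): Accept-Encoding is sent by hand without --compressed, so curl
# would not decode a gzip-encoded body - kept as in the original; confirm the
# endpoint answers with plain JSON.
if ! res=$(curl -sS --request POST \
    --url "https://${okta_host_base}.okta.com/idp/authenticators" \
    --header 'Accept: application/json; charset=UTF-8' \
    --header 'Accept-Encoding: gzip, deflate' \
    --header "Authorization: OTDT ${auth_string}" \
    --header 'Content-Type: application/json; charset=UTF-8' \
    --header 'User-Agent: D2DD7D3915.com.okta.android.auth/6.8.1 DeviceSDK/0.19.0 Android/7.1.1 unknown/Google' \
    --data "$payload"); then
  error "Registration request to ${okta_host_base}.okta.com failed."
  exit 1
fi

# Pull "sharedSecret":"..." out of the response. No JSON parser is assumed to
# be installed, so a regex on the single key we need replaces the sed chain,
# and a response without that key (an Okta error) is reported instead of
# being shown as an empty secret.
re_secret='"sharedSecret"[[:space:]]*:[[:space:]]*"([^"]*)"'
if [[ ! $res =~ $re_secret ]]; then
  error "Okta did not return a sharedSecret. Response was:"
  printf '%s\n' "$res" >&2
  exit 1
fi
sec=${BASH_REMATCH[1]}

inform "You should now have a new device named '$appname' registered in okta."
echo
inform "In your TOTP application of choice, use the following shared secret:"
inform " ^b$sec^p"
echo
exit 0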