This repository has been archived by the owner on May 18, 2021. It is now read-only.

Issue with Duo Yubikey auth #121

Closed
vivianho opened this issue Feb 6, 2019 · 11 comments

Comments

@vivianho
Contributor

vivianho commented Feb 6, 2019

Output:

➜  ~ aws-okta exec developer --mfa-device u2f --debug -- echo "hello"
DEBU[0000] Parsing config file /Users/vho/.aws/config
DEBU[0000] Using aws_saml_url from profile: okta
DEBU[0000] using okta provider
DEBU[0000] Failed to reuse session token, starting flow from start
DEBU[0000] Step: 1
DEBU[0001] Step: 2
INFO[0001] Requesting MFA. Please complete two-factor authentication with your second device
DEBU[0001] 009PSPwKCb5AZJyoPhNcOYWoFKCe85gJOuXZf_UFqN
DEBU[0001] Okta Factor Provider: DUO
DEBU[0001] Okta Factor ID: <REDACTED>
DEBU[0001] Okta Factor Type: web
DEBU[0001] Host:api-<REDACTED>.duosecurity.com
Signature:TX|<REDACTED>
StateToken:<REDACTED>

DEBU[0001] challenge u2f
INFO[0001] Sending Push Notification...
DEBU[0002] Facet: https://api-<REDACTED>.duosecurity.com
Touch the flashing U2F device to authenticate...

INFO[0002] Authentication succeeded, continuing
INFO[0002] Device: u2f
INFO[0004] Err: Prompt request failed: 403
Failed Duo challenge. Err: Prompt request failed: 403

OS: macOS 10.13.6
Yubikey: YubiKey 5C Nano
aws-okta version: 0.19.5 (I installed via brew)

I disabled all other 2FA options on Okta and Duo just to isolate the problem (but fwiw Duo Push notifications work well).

@vivianho
Contributor Author

vivianho commented Mar 1, 2019

On the master branch I get the same:

➜  aws-okta git:(master) go run main.go --debug --mfa-duo-device u2f --mfa-factor-type web --mfa-provider DUO exec zimride-sudo-developer -- echo "success"
DEBU[0000] Parsing config file /Users/vho/.aws/config
DEBU[0000] Using aws_saml_url from profile: okta
DEBU[0000] using okta provider
DEBU[0000] Failed to reuse session token, starting flow from start
DEBU[0000] Step: 1
DEBU[0001] Step: 2
INFO[0001] Requesting MFA. Please complete two-factor authentication with your second device
DEBU[0001] 00nSXYp3XCpYYfj3BYjBA1zV8LxpUxzdo6595zJoBQ
DEBU[0001] MFAConfig: {DUO web u2f}

DEBU[0001] {<REDACTED> web DUO {{   {{}}}}}

DEBU[0001] Using matching factor "DUO web" from config

DEBU[0001] Okta Factor Provider: DUO
DEBU[0001] Okta Factor ID: <REDACTED>
DEBU[0001] Okta Factor Type: web
DEBU[0002] Host:<REDACTED>.duosecurity.com
Signature:TX|<REDACTED>
StateToken:<REDACTED>

DEBU[0002] challenge u2f
INFO[0002] Sending Push Notification...
DEBU[0002] Facet: https://api-c162f2e2.duosecurity.com
Touch the flashing U2F device to authenticate...

INFO[0004] Authentication succeeded, continuing
INFO[0004] Device: u2f
INFO[0007] Err: Prompt request failed: 403
Failed Duo challenge. Err: Prompt request failed: 403
exit status 1

@nickatsegment
Contributor

This is a big ask (at least until #129), but I think we might need to do some HTTP-level debugging.

@smiller171
Contributor

Getting the same issue myself

@nickatsegment
Contributor

We don't really use u2f at Segment, so this is going to be hard to repro.

I did some experiments to show how you can get raw HTTP traffic: https://github.com/segmentio/aws-okta/wiki/HTTP-debugging Maybe that could shed some more light.

@smiller171
Contributor

Unfortunately I'm on a macOS client, so capturing that traffic wouldn't be terribly easy (though maybe it's reproducible in a container). Is it possible for you to use a software U2F key to try to reproduce? https://github.com/github/SoftU2F

@nickatsegment
Contributor

I actually have a u2f key; it's more that the Okta setup would be tough. I might be able to get to it next week.

The TLS key log method can work with a native client. It requires patching the HTTP clients and building a special bin though.
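The TLS key-log route referred to above, shown as an added example: this is not aws-okta's code or the wiki's, just a sketch of the kind of patched client the comment describes. It wires `tls.Config.KeyLogWriter` to the file named by `SSLKEYLOGFILE` and wraps the transport so that each exchange is summarised as method, host, path and status, with nothing from headers or bodies. The names `newDebugClient`, `loggingTransport`, `stubResponder`, `keyLogEnabled` and `openKeyLog` and the host `duo.example` are chosen here and do not exist in the project.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// roundTripFunc adapts a plain function to http.RoundTripper.
type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// stubResponder answers every request with the given status and an empty body,
// so the logging path can be exercised without any network traffic.
func stubResponder(status int) roundTripFunc {
	return func(*http.Request) (*http.Response, error) {
		return &http.Response{StatusCode: status, Body: http.NoBody}, nil
	}
}

// loggingTransport writes one line per exchange: method, host, path, status and
// latency. It never logs headers, cookies or bodies, which in this flow carry
// the Okta state token and the Duo signature.
type loggingTransport struct {
	next http.RoundTripper
	out  io.Writer
}

func (l *loggingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	start := time.Now()
	resp, err := l.next.RoundTrip(req)
	if err != nil {
		fmt.Fprintf(l.out, "%s %s%s -> error: %v\n", req.Method, req.URL.Host, req.URL.Path, err)
		return nil, err
	}
	fmt.Fprintf(l.out, "%s %s%s -> %d (%s)\n", req.Method, req.URL.Host, req.URL.Path,
		resp.StatusCode, time.Since(start).Round(time.Millisecond))
	return resp, nil
}

// newDebugClient builds an http.Client that exports TLS session secrets to keyLog
// in the NSS key-log format Wireshark reads, and summarises every request on logOut.
// A nil keyLog disables the export; a nil inner selects a default http.Transport.
func newDebugClient(keyLog, logOut io.Writer, inner http.RoundTripper) *http.Client {
	if inner == nil {
		inner = &http.Transport{TLSClientConfig: &tls.Config{
			MinVersion:   tls.VersionTLS12,
			KeyLogWriter: keyLog, // nil: no secrets are written anywhere
		}}
	}
	return &http.Client{Timeout: 30 * time.Second, Transport: &loggingTransport{next: inner, out: logOut}}
}

// keyLogEnabled reports whether the client would export TLS secrets; a startup
// self-check keeps a debug build from shipping with key export silently on.
func keyLogEnabled(c *http.Client) bool {
	lt, ok := c.Transport.(*loggingTransport)
	if !ok {
		return false
	}
	t, ok := lt.next.(*http.Transport)
	return ok && t.TLSClientConfig != nil && t.TLSClientConfig.KeyLogWriter != nil
}

// openKeyLog honours SSLKEYLOGFILE the way browsers do, creating the file owner-readable
// only; it returns (nil, nil) when the variable is unset.
func openKeyLog() (*os.File, error) {
	path := os.Getenv("SSLKEYLOGFILE")
	if path == "" {
		return nil, nil
	}
	return os.OpenFile(path, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o600)
}

func main() {
	f, err := openKeyLog()
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot open key log:", err)
		os.Exit(1)
	}
	var keyLog io.Writer // stays a nil interface when no file was opened
	if f != nil {
		defer f.Close()
		keyLog = f
	}
	client := newDebugClient(keyLog, os.Stderr, nil)
	fmt.Println("TLS key logging enabled:", keyLogEnabled(client))
	// Replace the URL with the endpoint under investigation.
	if resp, err := client.Get("https://example.com/"); err == nil {
		resp.Body.Close()
	}
}
```

Run the binary with `SSLKEYLOGFILE=/tmp/keys.log` set while a packet capture is running, then give Wireshark the same file under its TLS preference "(Pre)-Master-Secret log filename" to read the Okta and Duo exchanges in clear. The key log decrypts the whole capture, state token and signature included, so keep it to a single debug run and delete both files afterwards.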

@smiller171
Contributor

I'm not sure if it helps or hurts, but I'm doing U2F through Duo. Also, it fails harder when the debug flag isn't set. Debug mode actually makes it get farther, which is unexpected. I can get logs to show the difference tomorrow.

@austinylin
Contributor

@vivianho / @smiller171 I ran into this same issue and I think I found the problem. Can you take a look at #135 and see if that fixes it for you?

@smiller171
Contributor

@austinylin I'm trying to build it now. I usually build Go stuff in Docker, but since I need a native Mac binary (can't pass USB devices into containers with Docker for Mac) it's taking me a bit.

I'm attempting to cross-compile from within Docker, but if that fails I'll have to actually set up a Go environment on my system.

@vivianho
Contributor Author

@austinylin thank you so much for this change, it worked for me!!

➜  aws-okta git:(master) ✗ go run main.go --debug --mfa-duo-device u2f --mfa-factor-type web --mfa-provider DUO exec developer -- echo "success"
DEBU[0000] Parsing config file /Users/vho/.aws/config
DEBU[0000] Using aws_saml_url from profile: okta
DEBU[0000] using okta provider
DEBU[0000] Failed to reuse session token, starting flow from start
DEBU[0000] Step: 1
DEBU[0001] Step: 2
INFO[0001] Requesting MFA. Please complete two-factor authentication with your second device
DEBU[0001] <REDACTED>
DEBU[0001] MFAConfig: {DUO web u2f}

DEBU[0001] {<REDACTED> web DUO {{   {{}}}}}

DEBU[0001] Using matching factor "DUO web" from config

DEBU[0001] Okta Factor Provider: DUO
DEBU[0001] Okta Factor ID: <REDACTED>
DEBU[0001] Okta Factor Type: web
DEBU[0001] Host:<REDACTED>.duosecurity.com
Signature:TX|<REDACTED>

DEBU[0001] challenge u2f
INFO[0001] Sending Push Notification...
DEBU[0002] Facet: https://<REDACTED>.duosecurity.com
Touch the flashing U2F device to authenticate...

INFO[0003] Authentication succeeded, continuing
INFO[0003] Device: u2f
DEBU[0008] Step: 3
DEBU[0010] Writing session for developer to keyring
DEBU[0010]  Using session I75I, expires in 59m59.534742s
success

@smiller171
Contributor

Working for me as well, but I'm not sure why the -m flag no longer works (--mfa-duo-device is much more annoying).

nickatsegment pushed a commit that referenced this issue Apr 2, 2019
Ran into #121 while trying to get set up with Duo + U2F. After comparing the flow in the code to the browser, it looks like aws-okta isn't calling the Duo status endpoint properly. That is required to exchange the txid we get for something Okta will take.

I've tested this code with both U2F and Tokens and both now work.
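The exchange the commit message describes, as an added example that is not the aws-okta code or the #135 patch: the client sends the prompt to obtain a txid, then polls the status endpoint until a result is present, and only then returns the value to pass back to Okta; a 403 from the prompt surfaces as an error naming the endpoint rather than as a silent failure. The Duo side is a constructed in-process mock. The paths `/frame/prompt` and `/frame/status`, the form fields `sid`, `device`, `factor` and `txid`, the reply fields `txid`, `result` and `cookie`, and the host `duo.example` are assumptions made to mirror the flow, not values taken from Duo's documentation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// duoReply is the mock's reply body; the field set is assumed for this example (Duo wraps its fields in a "response" envelope).
type duoReply struct {
	Txid   string `json:"txid"`   // handle for the pending challenge
	Result string `json:"result"` // "" while pending, else SUCCESS or FAILURE
	Cookie string `json:"cookie"` // value handed back to Okta once Result is SUCCESS
}

// mockDuo is a constructed stand-in for Duo: prompt issues a txid (403 unless device is "u2f"); status answers pending once, then SUCCESS.
type mockDuo struct{ polls int }

func (m *mockDuo) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	_ = r.ParseForm() // form fields land in r.PostForm
	var out duoReply
	switch r.URL.Path {
	case "/frame/prompt":
		if r.PostForm.Get("device") != "u2f" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		out.Txid = "txid-constructed-1"
	case "/frame/status":
		m.polls++
		if m.polls >= 2 {
			out.Result, out.Cookie = "SUCCESS", "AUTH|constructed-cookie"
		}
	}
	json.NewEncoder(w).Encode(out)
}

// handlerTransport feeds http.Client requests straight into a handler, so no sockets are needed.
type handlerTransport struct{ h http.Handler }

func (t handlerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, req)
	return rec.Result(), nil
}

// duoClient holds one frame session; baseURL is a placeholder host (a real client takes it from the Duo signature Okta returns).
type duoClient struct {
	http         *http.Client
	baseURL, sid string
}

func newDuoClient(duo http.Handler, sid string) *duoClient {
	return &duoClient{http: &http.Client{Transport: handlerTransport{duo}}, baseURL: "http://duo.example", sid: sid}
}

// post accepts only HTTP 200, so a 403 surfaces as an error that names the endpoint.
func (c *duoClient) post(path string, form url.Values) (*duoReply, error) {
	form.Set("sid", c.sid)
	resp, err := c.http.PostForm(c.baseURL+path, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s request failed: %d", path, resp.StatusCode)
	}
	var out duoReply
	return &out, json.NewDecoder(resp.Body).Decode(&out)
}

// authenticate gets a txid from the prompt, then polls status until a result arrives and returns the cookie for Okta; maxPolls bounds the wait.
func (c *duoClient) authenticate(device, factor string, maxPolls int) (string, error) {
	prompt, err := c.post("/frame/prompt", url.Values{"device": {device}, "factor": {factor}})
	if err != nil {
		return "", err
	}
	for i := 0; i < maxPolls; i++ {
		st, err := c.post("/frame/status", url.Values{"txid": {prompt.Txid}})
		if err != nil {
			return "", err
		}
		switch st.Result {
		case "": // still pending; a real client sleeps between polls
		case "SUCCESS":
			return st.Cookie, nil
		default:
			return "", fmt.Errorf("duo rejected the challenge: %s", st.Result)
		}
	}
	return "", fmt.Errorf("no result after %d status polls", maxPolls)
}

func main() {
	fmt.Println(newDuoClient(&mockDuo{}, "sid-constructed").authenticate("u2f", "U2F Token", 5))
}
```

The step that matters is the second one: the txid returned by the prompt is only a handle, and a client that skips or mis-calls the status poll has nothing Okta will accept, which is the gap the commit describes. Bounding the number of polls (and sleeping between them in a real client) also keeps a user who never touches the key from hanging the login indefinitely.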