How can I log into an Okta enabled site using curl?

I'm trying to use curl to log into an Okta-enabled site providing the user name & password using the parameter -u {username:password} and all I get back is the HTML content of the Okta redirect page. How can I log in to the app by providing my Okta credentials using curl?

Balata answered 15/3, 2016 at 16:4 Comment(0)

You can use the following script, assuming you have installed jq (https://stedolan.github.io/jq/download):

# Step 1: primary authentication; /api/v1/authn returns a sessionToken
sessionToken=$(curl -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d '{
"username": "[okta_username]",
"password": "[password]",
"options": {
"multiOptionalFactorEnroll": true,
"warnBeforePasswordExpired": true
}
}' "https://[yourorg].oktapreview.com/api/v1/authn" | jq '.sessionToken' -r)

# Step 2: exchange the sessionToken for a session cookie, saved to the okta-cookie jar
curl -X GET "https://[yourorg].oktapreview.com/login/sessionCookieRedirect?token=${sessionToken}&redirectUrl=http://blah" -c "okta-cookie"

# Step 3: request the app embed link with the session cookie, following redirects
curl -X GET "[OKTA_EMBED_LINK]" -b "okta-cookie" -L -v

From the last line, you will need to grab the SAMLResponse form parameter and submit it to the action URL of the same form.

I hope this helps!

Anthropography answered 25/3, 2016 at 20:1 Comment(4)
Is there any other way that doesn't require you to request a url that has /api/v1/authn in it? If I query that one using a web browser I get E0000022: The endpoint does not support the provided HTTP method which suggests that my org doesn't support it. - Langland
@Giuseppe that's because in the browser you are doing a GET and the endpoint requires POST - Cleaver
How to grab and submit the SAMLResponse form parameter in the last line? Could you provide a little more detail? - Dillman
I found that my curl call would result in an error of "The request body was not well-formed" (E0000003). With some experimentation, I realised that it was rejecting my request due to those extra padding spaces and carriage returns within the -d '...' argument. Once I removed them (e.g., -d '{"username":"name","password":"pwd",etc}'), my curl call was successful. - Reconstructionist
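
One way to carry out the last step of the answer above (grab the SAMLResponse form parameter and submit it to the form's action URL), as an added example that is not part of the original answer or its comments. The function names, the sp.example.com host and the sample HTML are constructed; it assumes the response body was saved to a file, that each input's name attribute precedes its value, and that attribute values are HTML-entity encoded.

```shell
# Decode HTML entities: hex ones such as &#x2b; plus the common named ones.
html_decode() {
  awk '{
    out = ""
    while (match($0, /&#[xX][0-9A-Fa-f]+;/)) {
      hex = tolower(substr($0, RSTART + 3, RLENGTH - 4)); n = 0
      for (i = 1; i <= length(hex); i++)
        n = n * 16 + index("0123456789abcdef", substr(hex, i, 1)) - 1
      out = out substr($0, 1, RSTART - 1) sprintf("%c", n)
      $0 = substr($0, RSTART + RLENGTH)
    }
    print out $0
  }' | sed -e 's/&quot;/"/g' -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/&amp;/\&/g'
}

# Print the form's action URL (assumes a single form on the page).
form_action() {
  tr '\n' ' ' | sed -n 's/.*<form[^>]*action="\([^"]*\)".*/\1/p' | html_decode
}

# Print the value of <input name="$1" ... value="..."> (assumes name precedes value).
input_value() {
  tr '\n' ' ' | sed -n "s/.*<input[^>]*name=\"$1\"[^>]*value=\"\([^\"]*\)\".*/\1/p" | html_decode
}

# POST the assertion to the action URL. $1 = saved HTML file, $2 = expected SP host.
post_assertion() {
  action=$(form_action < "$1")
  saml=$(input_value SAMLResponse < "$1")
  relay=$(input_value RelayState < "$1")
  [ -n "$action" ] && [ -n "$saml" ] || { echo "no SAML form in $1" >&2; return 1; }
  # The assertion is a bearer credential: send it only over HTTPS to the expected host.
  case "$action" in
    "https://$2"/*) ;;
    *) echo "refusing to post to unexpected action: $action" >&2; return 1 ;;
  esac
  curl -sS -L -b "okta-cookie" -c "okta-cookie" \
    --data-urlencode "SAMLResponse=$saml" --data-urlencode "RelayState=$relay" "$action"
}

# Constructed sample of the auto-submitting form (not captured from a real org).
sample_html() {
  cat <<'EOF'
<html><body onload="document.forms[0].submit()">
<form id="appForm" action="https&#x3a;&#x2f;&#x2f;sp.example.com&#x2f;saml&#x2f;acs" method="POST">
<input name="SAMLResponse" type="hidden" value="PHNhbWw&#x2b;dGVzdA&#x3d;&#x3d;"/>
<input name="RelayState" type="hidden" value="&#x2f;home&#x3f;a&#x3d;1&amp;b&#x3d;2"/>
</form></body></html>
EOF
}
```

To use it, save the body of the last curl call with -o page.html and run post_assertion page.html with the host name of the application you expect to receive the assertion.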

This:

#!/bin/bash
org="$ORG"
destination="$1"
read -rp "E-mail: " email
read -rsp "Password: " password
# Escape backslashes and double quotes so the password is a valid JSON string
password=$(printf '%s' "$password" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
# Primary authentication: POST the credentials and extract the sessionToken
sessionToken=$(curl -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d '
{
    "username":"'"$email"'",
    "password":"'"$password"'",
    "options":{
        "multiOptionalFactorEnroll":true,
        "warnBeforePasswordExpired":true
    }
}' "https://${org}.okta.com/api/v1/authn" | jq '.sessionToken' -r)

successfully retrieves a sessionToken. Note that it uses ${org}.okta.com not ${org}.oktapreview.com which fails. This, however:

curl -X GET "https://${org}.okta.com/login/sessionCookieRedirect?token=${sessionToken}&redirectUrl=$destination" -c "okta-cookie"

Returns a 403 error, whereas a browser authenticates just fine.

Veiled answered 16/9, 2024 at 23:5 Comment(0)
