Crowbar throws an error #68

Open
joshsirota opened this issue Mar 19, 2024 · 7 comments

Comments

@joshsirota

joshsirota commented Mar 19, 2024

I had crowbar working from my Mac for several AWS accounts, but then it stopped working one day with the following error and I cannot figure out the issue. Can someone help? From looking at the code I think there's something it doesn't like about the response from Okta, but I don't know specifically what and even with -ltrace it doesn't show me enough to know what's wrong. I will say that if my credentials are wrong, I get an authentication error as expected, but with correct credentials, I can see that Okta gives a 200 response but then parsing it fails.

Unable to login
Caused by: 
 2: error decoding response body: invalid type: null, expected a string at line 1 column 1403
 1: invalid type: null, expected a string at line 1 column 1403
@moritzheiber
Owner

Hey Josh, thank you for bringing this up. That looks like an Okta login error to me, likely because their login frontend has changed (there is no official API from Okta for logging into their service; crowbar, like many other services, is merely scraping the HTML content of the relevant forms and fetching the relevant authentication information from the responses to issue API calls in subsequent requests). I'll look into it, probably either this afternoon or some time tomorrow.

Would you be able to test relevant changes? I could also provide you with a binary if you tell me your OS/architecture 🙂

@moritzheiber
Owner

@joshsirota One question before I start debugging: have you had to change your password recently? crowbar doesn't really have any robust handling for expiring credentials yet (also see #6 (comment)).

I just tried to reproduce the issue via Okta's developer platform and came up empty (i.e. it worked as expected)

@joshsirota
Author

Yes, I can test anything, feel free to reach out. I'm on MacOS/ARM.

@joshsirota
Author

joshsirota commented Mar 19, 2024

Password is not the issue. I deleted my keychain items and it now prompts me for the new password, and I've confirmed that if I supply an incorrect password, I get a 403 and a proper error. This problem above only happens if it returns a 200 (correct password).

I'm wondering if it has something to do with 2FA, which my Okta account requires. I will add that other people in my organization are using this without issue though.

@joshsirota
Author

joshsirota commented Mar 19, 2024

I will also add that I tried to build crowbar from source as a debugging step, but I'm not a Rust guy. I'm having a lot of errors like "error: cannot find derive macro Serialize in this scope" but the fixes that the internet recommends don't seem to help. Would be way better to have the developer himself help me figure this out instead of trying to understand the Rust ecosystem.

@joshsirota
Author

Solved -- by removing the extra 2FA methods on my Okta account. I previously had 3 methods enabled: Okta Verify, Security Key or Biometric Authentication, and YubiKey Authenticator. I disabled all but Okta Verify and crowbar works now.

@moritzheiber
Owner

Ah! So this is interesting, because it's likely an extension of the API, which covers even more second factors than crowbar supports at the moment (or even supports at all), and it could be that your "preferred" factor fell into that gap (which is still a bug in crowbar, obviously).

I'll update my API tests and see how I can fix this going forward. I might still give you a binary to test once I've resolved the pending issues.

Thanks!
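
Editor's added example, not part of the thread and not crowbar's code: a std-only Rust sketch of the gap discussed above, where one enrolled factor with a null field or an unsupported type makes strict decoding reject the whole factor list, next to a tolerant decoder that keeps the supported factors and reports the rest. The `Raw` struct, its field names, the factor type strings and the sample data are assumptions constructed for illustration.

```rust
// Added example. Field names and factor type strings are assumptions for
// illustration; they are not crowbar's types or a confirmed Okta schema.
#[derive(Debug, PartialEq)]
enum Kind { Push, Totp, Unsupported(String) }
#[derive(Debug, PartialEq)]
struct Factor { id: String, kind: Kind }
// One enrolled factor after JSON decoding; None stands for a JSON null.
struct Raw { id: Option<&'static str>, factor_type: Option<&'static str> }

fn classify(t: &str) -> Kind {
    match t {
        "push" => Kind::Push,
        "token:software:totp" => Kind::Totp,
        other => Kind::Unsupported(other.to_string()),
    }
}

// Strict decoding: a single null aborts the whole list, so login fails
// even though a supported factor is enrolled.
fn decode_strict(raw: &[Raw]) -> Result<Vec<Factor>, String> {
    raw.iter().map(|r| -> Result<Factor, String> {
        let err = || "invalid type: null, expected a string".to_string();
        Ok(Factor { id: r.id.ok_or_else(err)?.to_string(),
                    kind: classify(r.factor_type.ok_or_else(err)?) })
    }).collect()
}

// Tolerant decoding: keep supported factors, report the rest instead of failing.
fn decode_tolerant(raw: &[Raw]) -> (Vec<Factor>, Vec<String>) {
    let (mut usable, mut skipped) = (Vec::new(), Vec::new());
    for (i, r) in raw.iter().enumerate() {
        match (r.id, r.factor_type.map(classify)) {
            (Some(id), Some(Kind::Unsupported(t))) =>
                skipped.push(format!("{}: unsupported type {}", id, t)),
            (Some(id), Some(kind)) => usable.push(Factor { id: id.to_string(), kind }),
            _ => skipped.push(format!("entry {}: missing id or type", i)),
        }
    }
    (usable, skipped)
}

// Constructed sample: three enrolled factors, one carrying a null field.
fn sample() -> Vec<Raw> {
    vec![Raw { id: Some("f1"), factor_type: Some("push") },
         Raw { id: Some("f2"), factor_type: Some("webauthn") },
         Raw { id: None, factor_type: Some("token:hardware") }]
}

fn main() {
    println!("{:?}\n{:?}", decode_strict(&sample()), decode_tolerant(&sample()));
}
```

Reporting the skipped entries, rather than dropping them silently, keeps it visible which enrolled factors the tool could not use.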
