Reputation: 111
I'm trying to use curl to log into an Okta-enabled site providing the user name & password using the parameter -u {username:password} and all I get back is the HTML content of the Okta redirect page. How can I log in to the app by providing my Okta credentials using curl?
Upvotes: 9
Views: 12690
Reputation: 147
This:
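#!/bin/bash
# Okta org subdomain, taken from the environment
org="$ORG"
destination="$1"
read -rp "E-mail: " email
read -rsp "Password: " password
echo
# Escape backslashes and double quotes so the password stays valid inside the JSON string
password=$(printf '%s' "$password" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
# Primary authentication: the JSON response carries a sessionToken
sessionToken=$(curl -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d '
{
  "username":"'"$email"'",
  "password":"'"$password"'",
  "options":{
    "multiOptionalFactorEnroll":true,
    "warnBeforePasswordExpired":true
  }
}' "https://${org}.okta.com/api/v1/authn" | jq '.sessionToken' -r)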
successfully retrieves a sessionToken. Note that it uses ${org}.okta.com, not ${org}.oktapreview.com, which fails. This, however:
curl -X GET "https://${org}.okta.com/login/sessionCookieRedirect?token=${sessionToken}&redirectUrl=$destination" -c "okta-cookie"
returns a 403 error, whereas a browser authenticates just fine.
Upvotes: 0
Reputation: 512
You can use the following script, assuming you have installed jq (https://stedolan.github.io/jq/download):
# 1. Primary authentication: extract the sessionToken from the JSON response
sessionToken=$(curl -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d '{
  "username": "[okta_username]",
  "password": "[password]",
  "options": {
    "multiOptionalFactorEnroll": true,
    "warnBeforePasswordExpired": true
  }
}' "https://[yourorg].oktapreview.com/api/v1/authn" | jq '.sessionToken' -r)
# 2. Exchange the sessionToken for a session cookie, saved to the okta-cookie jar
curl -X GET "https://[yourorg].oktapreview.com/login/sessionCookieRedirect?token=${sessionToken}&redirectUrl=http://blah" -c "okta-cookie"
# 3. Request the app's embed link with that cookie; the response contains the SAML form
curl -X GET "[OKTA_EMBED_LINK]" -b "okta-cookie" -L -v
From the last line, you will need to grab the SAMLResponse form parameter and submit it to the action URL of the same form.
I hope this helps!
Upvotes: 6
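The last step described in the answer above (take SAMLResponse from the returned form and post it to that form's action URL), as an added example that is not part of the original answer. The function names are hypothetical, the sample HTML is constructed, and the set of HTML entities decoded is an assumption about how the page encodes its values.

```shell
# Added example: extract the SAML POST form from a saved page and submit it.

# Put each tag on its own line so attribute order and line wrapping do not matter.
tags() { tr '\n' ' ' | tr '<' '\n'; }

# Print the value of attribute $1 from a single tag line.
attr() { sed -n 's/.*[[:space:]]'"$1"'="\([^"]*\)".*/\1/p'; }

# Decode the entities that occur in base64 values and URLs (assumed set).
html_unescape() {
  sed -e 's/&#x2[bB];/+/g' -e 's|&#x2[fF];|/|g' -e 's/&#x3[dD];/=/g' \
      -e 's/&#x3[aA];/:/g' -e 's/&amp;/\&/g'
}

form_action() { tags | grep '^form[[:space:]]' | head -n 1 | attr action | html_unescape; }

# Value of the hidden input named $1 (for example SAMLResponse).
hidden_value() {
  tags | grep '^input[[:space:]]' | grep "name=\"$1\"" | head -n 1 |
    attr value | html_unescape
}

# $1 = cookie jar, $2 = file holding the HTML saved from the embed-link request.
post_saml_response() {
  action=$(form_action < "$2")
  saml=$(hidden_value SAMLResponse < "$2")
  [ -n "$action" ] && [ -n "$saml" ] || { echo "no SAML form in $2" >&2; return 1; }
  # The assertion is a bearer credential: only send it over TLS.
  case $action in https://*) ;; *) echo "refusing $action" >&2; return 1 ;; esac
  # Read the value from stdin so it never appears in the process list.
  printf '%s' "$saml" |
    curl -sS -L -b "$1" -c "$1" --data-urlencode 'SAMLResponse@-' "$action"
}

# Constructed sample page (not real Okta output) for an offline check.
sample_page() {
cat <<'EOF'
<html><body>
<form id="appForm" method="POST"
      action="https&#x3a;&#x2f;&#x2f;sp.example.test&#x2f;saml&#x2f;acs">
<input type="hidden" value="PHNhbWw&#x2b;PC9zYW1sPg&#x3d;&#x3d;" name="SAMLResponse"/>
<input name="RelayState" type="hidden" value=""/>
</form></body></html>
EOF
}

sample_page | form_action
sample_page | hidden_value SAMLResponse
```

To use it against a real response, save the output of the embed-link request to a file and call post_saml_response with the cookie jar and that file. If the form carries other hidden fields, read them with hidden_value in the same way.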