@Tatsh
Forked from kamilhism/oktaverify2totp.md
Created July 9, 2024 09:34
Get TOTP secret key for Okta Verify
  1. Get the content of the QR code shown during Okta Verify app setup. It looks like this: `oktaverify://[email protected]/?t=XXXXX&f=YYYYY&s=https://DOMAIN.okta.com&issuer=DOMAIN.okta.com&isIdxEnabled=true`
  2. Replace XXXXX, YYYYY and DOMAIN with your values in the curl command below (`t` from the QR goes into the `Authorization: OTDT` header, `f` into `authenticatorId`):

```sh
curl --request POST \
  --url https://DOMAIN.okta.com/idp/authenticators \
  --header 'Accept: application/json; charset=UTF-8' \
  --header 'Accept-Encoding: gzip, deflate' \
  --header 'Authorization: OTDT XXXXX' \
  --header 'Content-Type: application/json; charset=UTF-8' \
  --header 'User-Agent: D2DD7D3915.com.okta.android.auth/6.8.1 DeviceSDK/0.19.0 Android/7.1.1 unknown/Google' \
  --data '{
	"authenticatorId": "YYYYY",
	"device": {
		"clientInstanceBundleId": "com.okta.android.auth",
		"clientInstanceDeviceSdkVersion": "DeviceSDK 0.19.0",
		"clientInstanceVersion": "6.8.1",
		"clientInstanceKey": {
			"alg": "RS256",
			"e": "AQAB\n",
			"okta:isFipsCompliant": false,
			"okta:kpr": "SOFTWARE",
			"kty": "RSA",
			"use": "sig",
			"kid": "OpSRC6wLx4oPnqGBUuLz-WL7_knbK_UhClzjvt1cpOw",
			"n": "u0Y1ygDJ61AghDiEqeGW7lCv4iW2gLOON0Aw-Tm53xQW7qB94MUNVjua8KuYyxS-1pxf58u0pCpVhQxSgZJGht5Z7Gmc0geVuxRza3B_TFLd90SFlEdE3te6IkH28MqDu2rQtonYowVedHXZpOii6QBLPjqP6Zm3zx9r7WokpSvY9fnp8zjixuAUuA0XYhv6EwedfvSiz3t84N-nV0R1cN5Ni8os6sG4K6F8ZSr7E4aXTzvOfJIWa9MC1Lx_J4M7HIUuUH7LV7PN_h5yYk8b-2fW4g3_3h13mQ-blx2qMXclr6uuBc13tLLks7LzY3S34y2K060gHMMWCM4MQ77Mrw"
		},
		"deviceAttestation": {},
		"displayName": "1Password",
		"fullDiskEncryption": false,
		"isHardwareProtectionEnabled": false,
		"manufacturer": "unknown",
		"model": "Google",
		"osVersion": "25",
		"platform": "ANDROID",
		"rootPrivileges": true,
		"screenLock": false,
		"secureHardwarePresent": false
	},
	"key": "okta_verify",
	"methods": [
		{
			"isFipsCompliant": false,
			"supportUserVerification": false,
			"type": "totp"
		}
	]
}'
```

  3. Send this request and take the `sharedSecret` value from the response. This is your TOTP secret key. Paste it into the corresponding app (e.g. 1Password) and enjoy!
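As an added example (not part of the gist), the script below parses the `oktaverify://` payload from step 1 into the values the curl command needs, turns the `sharedSecret` from step 3 into a standard `otpauth://` URI for import into an authenticator app, and generates a code with plain RFC 6238 TOTP so you can confirm it matches what Okta accepts before relying on the migrated secret. The `SAMPLE_QR` values are constructed, and the 6-digit / 30-second / SHA-1 parameters are an assumption on my part, not something the gist states.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample with the same shape as the QR payload in step 1 (not a real enrollment).
SAMPLE_QR = ("oktaverify://user@example.com/?t=XXXXX&f=YYYYY"
             "&s=https://example.okta.com&issuer=example.okta.com&isIdxEnabled=true")


def parse_okta_qr(uri: str) -> dict:
    """Split an oktaverify:// payload into the pieces the enrollment request uses."""
    parts = urlsplit(uri)
    if parts.scheme != "oktaverify":
        raise ValueError("not an oktaverify:// payload")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "user": parts.netloc,            # the account the QR was issued for
        "token": q["t"],                 # -> 'Authorization: OTDT <t>' header
        "authenticator_id": q["f"],      # -> "authenticatorId" in the JSON body
        "org_url": q["s"],               # -> base of the /idp/authenticators URL
        "issuer": q.get("issuer", parts.netloc.split("@")[-1]),
    }


def otpauth_uri(shared_secret: str, fields: dict) -> str:
    """Standard otpauth:// URI that most authenticator apps import (parameters assumed)."""
    label = quote(f"{fields['issuer']}:{fields['user']}")
    return (f"otpauth://totp/{label}?secret={shared_secret}"
            f"&issuer={quote(fields['issuer'])}&algorithm=SHA1&digits=6&period=30")


def totp(secret_b32: str, at: Optional[int] = None, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; base32 secrets are padded as needed."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    fields = parse_okta_qr(SAMPLE_QR)
    print(fields)
    # Placeholder secret: substitute the sharedSecret returned by the request above.
    print(otpauth_uri("SHAREDSECRETFROMRESPONSE", fields))
```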

Notes:

  • This request creates a new device named "1Password" under the "Security Methods" block at https://DOMAIN.okta.com/enduser/settings
  • If it returns an invalid session error, the content of your QR code has probably expired
  • If it returns 400 and complains about clientInstanceKey, try replacing kid and n with the values from https://DOMAIN.okta.com/oauth2/v1/keys