@kamilhism
Created September 10, 2022 16:18
Get TOTP secret key for Okta Verify
  1. Read the contents of the QR code shown during Okta Verify app setup. It looks like this: oktaverify://email@domain.com/?t=XXXXX&f=YYYYY&s=https://DOMAIN.okta.com&issuer=DOMAIN.okta.com&isIdxEnabled=true (t is a one-time enrollment token, f is the authenticator ID, s is your org URL).
  2. Replace XXXXX, YYYYY and DOMAIN with your values in the curl command below:
```bash
curl --request POST \
  --url https://DOMAIN.okta.com/idp/authenticators \
  --header 'Accept: application/json; charset=UTF-8' \
  --header 'Accept-Encoding: gzip, deflate' \
  --header 'Authorization: OTDT XXXXX' \
  --header 'Content-Type: application/json; charset=UTF-8' \
  --header 'User-Agent: D2DD7D3915.com.okta.android.auth/6.8.1 DeviceSDK/0.19.0 Android/7.1.1 unknown/Google' \
  --data '{
  "authenticatorId": "YYYYY",
  "device": {
    "clientInstanceBundleId": "com.okta.android.auth",
    "clientInstanceDeviceSdkVersion": "DeviceSDK 0.19.0",
    "clientInstanceVersion": "6.8.1",
    "clientInstanceKey": {
      "alg": "RS256",
      "e": "AQAB",
      "okta:isFipsCompliant": false,
      "okta:kpr": "SOFTWARE",
      "kty": "RSA",
      "use": "sig",
      "kid": "OpSRC6wLx4oPnqGBUuLz-WL7_knbK_UhClzjvt1cpOw",
      "n": "u0Y1ygDJ61AghDiEqeGW7lCv4iW2gLOON0Aw-Tm53xQW7qB94MUNVjua8KuYyxS-1pxf58u0pCpVhQxSgZJGht5Z7Gmc0geVuxRza3B_TFLd90SFlEdE3te6IkH28MqDu2rQtonYowVedHXZpOii6QBLPjqP6Zm3zx9r7WokpSvY9fnp8zjixuAUuA0XYhv6EwedfvSiz3t84N-nV0R1cN5Ni8os6sG4K6F8ZSr7E4aXTzvOfJIWa9MC1Lx_J4M7HIUuUH7LV7PN_h5yYk8b-2fW4g3_3h13mQ-blx2qMXclr6uuBc13tLLks7LzY3S34y2K060gHMMWCM4MQ77Mrw"
    },
    "deviceAttestation": {},
    "displayName": "1Password",
    "fullDiskEncryption": false,
    "isHardwareProtectionEnabled": false,
    "manufacturer": "unknown",
    "model": "Google",
    "osVersion": "25",
    "platform": "ANDROID",
    "rootPrivileges": true,
    "screenLock": false,
    "secureHardwarePresent": false
  },
  "key": "okta_verify",
  "methods": [
    {
      "isFipsCompliant": false,
      "supportUserVerification": false,
      "type": "totp"
    }
  ]
}'
```
  3. Send this request and take the sharedSecret value from the response. This is your TOTP secret key. Paste it into the app of your choice (e.g. 1Password) and enjoy!

Notes:

  • This request creates a new device named "1Password" (platform ANDROID) under "Security Methods" at https://DOMAIN.okta.com/enduser/settings; an admin will see it as an ordinary Okta Verify enrollment.
  • Every device-posture field in the body (rootPrivileges, screenLock, secureHardwarePresent, fullDiskEncryption, deviceAttestation) is self-reported by the client. Enrollment goes through with rootPrivileges set to true and screenLock set to false, so none of these values should be treated as a verified fact about the device.
  • clientInstanceKey is a JWK containing only an RSA public key; the TOTP flow here never needs the matching private key. The exponent "e" must be plain base64url ("AQAB"), with no trailing newline.
  • If it returns an "invalid session" error, the QR code's one-time token (t) has probably expired; generate a fresh QR and repeat.
  • If it returns 400 and complains about clientInstanceKey, try replacing kid and n with values from https://DOMAIN.okta.com/oauth2/v1/keys (the org's published public signing keys, i.e. another valid RSA public key).
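The three steps above scripted end to end, as an added example (my code, not part of the original gist): it parses the oktaverify:// URI, builds the same enrollment request as the curl command, pulls sharedSecret out of the response wherever it sits (the gist does not state its exact JSON path), surfaces the two error cases from the notes, and generates a TOTP code from the secret so you can confirm it matches Okta Verify before trusting it. Assumptions: sharedSecret is base32 (it pastes into 1Password, which expects base32) and the TOTP parameters are the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits). The Accept-Encoding header is dropped because urllib does not transparently decompress gzip.

```python
"""Enroll a TOTP authenticator from an Okta Verify QR payload and verify it.

Added example, not code from the gist. Assumes sharedSecret is base32 and
that Okta Verify TOTP uses RFC 6238 defaults (SHA-1, 30 s, 6 digits).
"""
import base64
import hashlib
import hmac
import json
import struct
import sys
import time
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlparse

# Client identity strings and the public JWK copied from the gist's curl. Only
# the public half of the RSA key is sent; no private key is needed for TOTP.
USER_AGENT = ("D2DD7D3915.com.okta.android.auth/6.8.1 DeviceSDK/0.19.0 "
              "Android/7.1.1 unknown/Google")
CLIENT_KEY = {
    "alg": "RS256",
    "e": "AQAB",  # the gist writes "AQAB\n"; a JWK exponent must be bare base64url
    "okta:isFipsCompliant": False,
    "okta:kpr": "SOFTWARE",
    "kty": "RSA",
    "use": "sig",
    "kid": "OpSRC6wLx4oPnqGBUuLz-WL7_knbK_UhClzjvt1cpOw",
    "n": ("u0Y1ygDJ61AghDiEqeGW7lCv4iW2gLOON0Aw-Tm53xQW7qB94MUNVjua8KuYyxS-1pxf58u0pCp"
          "VhQxSgZJGht5Z7Gmc0geVuxRza3B_TFLd90SFlEdE3te6IkH28MqDu2rQtonYowVedHXZpOii6QB"
          "LPjqP6Zm3zx9r7WokpSvY9fnp8zjixuAUuA0XYhv6EwedfvSiz3t84N-nV0R1cN5Ni8os6sG4K6F"
          "8ZSr7E4aXTzvOfJIWa9MC1Lx_J4M7HIUuUH7LV7PN_h5yYk8b-2fW4g3_3h13mQ-blx2qMXclr6u"
          "uBc13tLLks7LzY3S34y2K060gHMMWCM4MQ77Mrw"),
}


def parse_okta_verify_uri(uri):
    """Split oktaverify://user/?t=..&f=..&s=.. into its fields.
    t = one-time enrollment token (goes in the OTDT Authorization header),
    f = authenticatorId, s = org base URL."""
    parsed = urlparse(uri)
    if parsed.scheme != "oktaverify":
        raise ValueError("not an oktaverify:// URI")
    fields = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    for required in ("t", "f", "s"):
        if required not in fields:
            raise ValueError(f"QR payload is missing '{required}'")
    fields["s"] = fields["s"].rstrip("/")
    fields["user"] = parsed.netloc  # the e-mail in the authority part
    return fields


def build_enrollment_request(fields, display_name="1Password"):
    """Return (url, headers, body) mirroring the gist's curl. Every posture
    field in 'device' is self-reported; Okta accepts what the client claims."""
    url = fields["s"] + "/idp/authenticators"
    headers = {
        "Accept": "application/json; charset=UTF-8",
        "Authorization": "OTDT " + fields["t"],
        "Content-Type": "application/json; charset=UTF-8",
        "User-Agent": USER_AGENT,
    }
    body = {
        "authenticatorId": fields["f"],
        "device": {
            "clientInstanceBundleId": "com.okta.android.auth",
            "clientInstanceDeviceSdkVersion": "DeviceSDK 0.19.0",
            "clientInstanceVersion": "6.8.1",
            "clientInstanceKey": CLIENT_KEY,
            "deviceAttestation": {},
            "displayName": display_name,
            "fullDiskEncryption": False,
            "isHardwareProtectionEnabled": False,
            "manufacturer": "unknown",
            "model": "Google",
            "osVersion": "25",
            "platform": "ANDROID",
            "rootPrivileges": True,
            "screenLock": False,
            "secureHardwarePresent": False,
        },
        "key": "okta_verify",
        "methods": [{"isFipsCompliant": False,
                     "supportUserVerification": False, "type": "totp"}],
    }
    return url, headers, body


def find_shared_secret(obj):
    """Depth-first search for a string-valued 'sharedSecret' key anywhere in
    the response JSON, so the exact path does not have to be guessed."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "sharedSecret" and isinstance(value, str):
                return value
            found = find_shared_secret(value)
            if found is not None:
                return found
    elif isinstance(obj, list):
        for item in obj:
            found = find_shared_secret(item)
            if found is not None:
                return found
    return None


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret; tolerates lowercase,
    spaces and missing '=' padding as authenticator apps do."""
    if for_time is None:
        for_time = int(time.time())
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def enroll(uri, display_name="1Password"):
    """Run the full flow against the org named in the QR; returns the secret."""
    fields = parse_okta_verify_uri(uri)
    url, headers, body = build_enrollment_request(fields, display_name)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as err:
        # Per the gist's notes: an invalid-session error means the QR token
        # expired; a 400 about clientInstanceKey means the JWK was rejected.
        detail = err.read().decode(errors="replace")[:500]
        raise RuntimeError(f"HTTP {err.code} from {url}: {detail}") from err
    secret = find_shared_secret(payload)
    if secret is None:
        raise RuntimeError("no sharedSecret in response: " + json.dumps(payload)[:500])
    return secret


if __name__ == "__main__":
    # Usage: python okta_totp.py 'oktaverify://email@domain.com/?t=...&f=...&s=https://DOMAIN.okta.com'
    shared = enroll(sys.argv[1])
    print("sharedSecret:", shared)
    print("current code:", totp(shared))
```

After enrolling, compare the printed code with what the Okta sign-in page accepts before deleting any other authenticator; if the code is rejected, the base32 assumption for sharedSecret does not hold for your org and the raw value should be inspected.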