requests.exceptions.MissingSchema: Invalid URL '/login/cert': No schema supplied. #12

Open
mawxcarroll opened this issue Jan 15, 2019 · 14 comments

@mawxcarroll

mawxcarroll commented Jan 15, 2019

I'm just trying out your code for the first time and first of all -- thank you! It's awesome that people are working on this. My school just switched to Pan-GP with okta and I haven't been able to access the VPN from my Ubuntu system.

I'm hoping that I'm just doing something simple wrong. I used a QR reader to get my totp secret and I think I've set up the config file correctly:

    debug = 0
    vpn_url = https://vpn.ursinus.edu
    okta_url = https://ursinus.okta.com
    username = ########
    password = ########
    totp.okta = ###################
    #totp.google = ABCDEFGHIJKLMNOP
    #gateway = Manual ny1-gw.example.com
    #openconnect_cmd = sudo openconnect
    openconnect_args = # optional arguments to openconnect
    execute = 0 # execute openconnect command
    bug.nl = 0 # newline work-around for openconnect
    bug.username = 0 # username work-around for openconnect

I get the following error when I run:

    ~/git-repos/arthespy-okta$ ./gp-okta.py gp-okta.conf
    [INFO] prelogin request
    [INFO] okta saml request
    [INFO] okta auth request
    [INFO] sessionToken: 201116eJg70sxUsqIiW_ZuqZlAKqJRPTccwWsiLnAFytuvuODEfRbvL
    [INFO] okta redirect request
    [INFO] okta redirect form request
    Traceback (most recent call last):
      File "./gp-okta.py", line 379, in <module>
        main()
      File "./gp-okta.py", line 342, in main
        saml_username, prelogin_cookie = okta_redirect(conf, s, token, redirect_url)
      File "./gp-okta.py", line 286, in okta_redirect
        r = s.post(url, data=data)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 581, in post
        return self.request('POST', url, data=data, json=json, **kwargs)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 519, in request
        prep = self.prepare_request(req)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 462, in prepare_request
        hooks=merge_hooks(request.hooks, self.hooks),
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/models.py", line 313, in prepare
        self.prepare_url(url, params)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/models.py", line 387, in prepare_url
        raise MissingSchema(error)
    requests.exceptions.MissingSchema: Invalid URL '/login/cert': No schema supplied. Perhaps you meant http:///login/cert?

Any advice would be helpful!

Thanks!

Cheers,
tom

@mawxcarroll
Author

Okay, I think I've made some progress in understanding exactly where things go wrong.

When the script gets to the "okta redirect request," it finds the url https://xxxxx.okta.com/login/sessionCookieRedirect, which I gather is correct. After posting to that url, the script seems to be expecting something that will contain the saml-username and the prelogin-cookie. However, by pasting that url into a browser, I can see that it's just the page that either sends the push to the okta app on my phone or requests the sms code. (Apparently, I can also request my tech support to set up Yubikey for me -- I have no idea whether or not that might be easier.)

If I click on the send push button, it takes me to a "login successful" page. The source for that page clearly has the saml-username and the prelogin-cookie.

I'm a bit stuck here. It seems like I need to make the script provide some input to activate the button and send the push to my phone.

@arthepsy
Owner

From output You provided:

    [INFO] okta redirect request
    [INFO] okta redirect form request

I can see that it fails here:

        url, data = parse_form(xhtml)
        log('okta redirect form request')
        r = s.post(url, data=data)

Meaning that it parsed HTML response from /login/sessionCookieRedirect and found form action as /login/cert, not the full URL. I can probably fix that by prefixing URL with current path, but I'm not sure I've seen /login/cert at all. Usually, the form contains url to /SAML20/SP/ACS or something.

I am not sure how to continue this, as I haven't seen such behavior, without some test account or full debug logs.

@mawxcarroll
Author

Yes, this is what I'm seeing! There's an "intermediate" web page where it asks me to click a button to send the push to my phone. If I do that interactively, it makes it to a page like you describe, with something like /SAML20/SP/ACS.

I'm at work but as soon as I get home I will attach the full debug logs. Let me know what else I can do to help.

Thanks!

@dlenski
Contributor

dlenski commented Jan 22, 2019

> Meaning that it parsed HTML response from /login/sessionCookieRedirect and found form action as /login/cert, not the full URL. I can probably fix that by prefixing URL with current path, but I'm not sure I've seen /login/cert at all. Usually, the form contains url to /SAML20/SP/ACS or something.

@arthepsy, I think you already know this, but you should be using urllib.urljoin(url_of_current_page, url_fragment) to combine the current and new URLs in a way that exactly matches what browsers do.
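
An added example, not part of the thread and not gp-okta's own code: it resolves a parsed form action against the URL of the page it came from, as a browser would, and refuses to post anywhere that is not HTTPS on an expected host. The host names, the sample pages, the helper names (`FormCollector`, `resolve_action`, `pick_form`) and the choice to select the form by its `SAMLResponse` field are assumptions made for illustration; it is written for Python 3 and the standard library.

```python
# Added example, not gp-okta's code. Python 3, standard library only.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data (hypothetical hosts, shortened pages).
PAGE_URL = "https://example.okta.com/login/sessionCookieRedirect?token=abc"
LOGIN_PAGE = """
<form action="/login/cert" method="post" id="x509_login" style="display:none;">
  <input type="hidden" name="_xsrfToken" value="null"/>
  <input type="hidden" name="fromURI" value="&#x2f;app&#x2f;panw_globalprotect"/>
</form>
"""
SAML_PAGE = """
<form action="https://vpn.example.com/SAML20/SP/ACS" method="post">
  <input type="hidden" name="SAMLResponse" value="constructed-value"/>
</form>
"""
ALLOWED_HOSTS = {"example.okta.com", "vpn.example.com"}


class FormCollector(HTMLParser):
    """Collect every <form> with its action and its <input> name/value pairs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def resolve_action(page_url, action, allowed_hosts):
    """Resolve a form action like a browser does, then refuse unsafe targets."""
    target = urljoin(page_url, action)  # '/login/cert' becomes an absolute URL
    parts = urlsplit(target)
    if parts.scheme != "https":
        raise ValueError("refusing non-HTTPS form target: %r" % target)
    if parts.hostname not in allowed_hosts:
        raise ValueError("form target host not allowed: %r" % parts.hostname)
    return target


def pick_form(page_url, html, required_field, allowed_hosts):
    """Return (url, fields) for the first form carrying required_field, else None."""
    collector = FormCollector()
    collector.feed(html)
    for form in collector.forms:
        if required_field in form["fields"]:
            url = resolve_action(page_url, form["action"], allowed_hosts)
            return url, form["fields"]
    return None


if __name__ == "__main__":
    print(resolve_action(PAGE_URL, "/login/cert", ALLOWED_HOSTS))
    print(pick_form(PAGE_URL, LOGIN_PAGE, "SAMLResponse", ALLOWED_HOSTS))
    print(pick_form(PAGE_URL, SAML_PAGE, "SAMLResponse", ALLOWED_HOSTS))
```

Selecting the form by an expected field means a sign-in page that only carries a hidden X.509 form yields `None`, which a caller can treat as "authentication has not completed" rather than posting to it.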

@arthepsy
Owner

@dlenski yes, I'm aware, but I don't think that this will help, as I'm not sure what /login/cert expects and responds...

@dlenski
Contributor

dlenski commented Jan 22, 2019

Is it possible that /login/cert is simply a step where a client certificate is expected to be included in the request… and assuming the client cert is good it'll just redirect to a subsequent step?

(I've seen a couple non-GP VPNs that use a similar step, where only one request in the authentication process actually needs the client cert…)

@mawxcarroll
Author

mawxcarroll commented Jan 23, 2019

Ok, here's the command line output and the full debug output is:
debug.txt

Thanks!

    $~/git-repos/arthespy-okta$ ./gp-okta.py gp-okta.conf > debug.txt
    Traceback (most recent call last):
      File "./gp-okta.py", line 388, in <module>
        main()
      File "./gp-okta.py", line 352, in main
        userauthcookie = paloalto_getconfig(conf, s, saml_username, prelogin_cookie)
      File "./gp-okta.py", line 321, in paloalto_getconfig
        r = s.post(url, data=data)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 581, in post
        return self.request('POST', url, data=data, json=json, **kwargs)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 533, in request
        resp = self.send(prep, **send_kwargs)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 646, in send
        r = adapter.send(request, **kwargs)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/adapters.py", line 498, in send
        raise ConnectionError(err, request=request)
    requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine('\n',))

@arthepsy
Owner

@mawxcarroll this seems like a different issue, as error is Connection aborted. and exception is in different place, than before. Looks like VPN gateway just dropped connection (don't know the reason, though). Could You try again?

@arthepsy
Owner

I'm wondering why it got further than /login/cert in Your debug log. Did You make some changes locally?

@mawxcarroll
Author

Ah! Sorry, yes, I had hard-coded the correct saml-username and was trying to get it to move a bit further in the process. Here's the command line output from the unmodified code with the full debug output here:
debug.txt

    $ ./gp-okta.py gp-okta.conf > debug.txt
    Traceback (most recent call last):
      File "./gp-okta.py", line 424, in <module>
        main()
      File "./gp-okta.py", line 387, in main
        saml_username, prelogin_cookie = okta_redirect(conf, s, token, redirect_url)
      File "./gp-okta.py", line 331, in okta_redirect
        r = s.post(url, data=data)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 581, in post
        return self.request('POST', url, data=data, json=json, **kwargs)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 519, in request
        prep = self.prepare_request(req)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/sessions.py", line 462, in prepare_request
        hooks=merge_hooks(request.hooks, self.hooks),
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/models.py", line 313, in prepare
        self.prepare_url(url, params)
      File "/home/tcarroll/.local/lib/python2.7/site-packages/requests/models.py", line 387, in prepare_url
        raise MissingSchema(error)
    requests.exceptions.MissingSchema: Invalid URL '/login/cert': No schema supplied. Perhaps you meant http:///login/cert?

@arthepsy
Owner

@mawxcarroll I reviewed Your debug.txt, compared with mine. Committed a patch, that does redirection dance, until it gets prelogin-cookie. Please, test it now and give feedback.

@mawxcarroll
Author

@arthepsy I tried the new version, and it definitely yields a different error:
debug.txt

    $ ./gp-okta.py gp-okta.conf
    [INFO] prelogin request
    [INFO] okta saml request
    [INFO] okta auth request
    [INFO] sessionToken: 20111uqU4ajN3S6LHOyOSLMFbhF0u7avbepS7eyDjA5hDSTgI-HreNv
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    [INFO] okta redirect request
    err: redirect rabbit hole is too deep...

@alessiostalla

alessiostalla commented Feb 18, 2020

I'm getting the same error as @mawxcarroll. This is the last request:

# redirect.response:
status: 200

Cache-Control: no-cache, no-store
Connection: Keep-Alive
Content-Encoding: gzip
Content-Language: en
Content-Type: text/html;charset=utf-8
Date: Tue, 18 Feb 2020 15:29:24 GMT
Expires: 0
Keep-Alive: timeout=5, max=79
P3P: CP="HONK"
Pragma: no-cache
Server: nginx
Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/, JSESSIONID=46C9BE97EF4D87F7E69C65CC7E54A11F; Path=/; Secure; HttpOnly, t=blue-dark; Path=/, sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Strict-Transport-Security: max-age=315360000
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Okta-Request-Id: XkwC1HTK-YYP--h8j@7ApAAAAyQ
X-Rate-Limit-Limit: 850
X-Rate-Limit-Remaining: 837
X-Rate-Limit-Reset: 1582039814
X-Robots-Tag: none
X-UA-Compatible: IE=edge
X-XSS-Protection: 1; mode=block; report=https://okta.report-uri.com/r/d/xss/enforce

<!DOCTYPE html>
<!--[if IE 7]><html class="lt-ie10 lt-ie9 lt-ie8"><![endif]-->
<!--[if IE 8]><html class="lt-ie10 lt-ie9"> <![endif]-->
<!--[if IE 9]><html class="lt-ie10"><![endif]-->
<!--[if gt IE 9]><html><![endif]-->
<!--[if !IE]><!--><html><!--<![endif]-->
<head>

    <script>if (typeof module === 'object') {window.module = module; module = undefined;}</script>

    <title>XXXX - Sign In</title>
        <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="robots" content="none" />

    <link href="https://ok7static.oktacdn.com/assets/loginpage/css/okta-login-page.min.60d9d4a67434874ffe6904fb101d663f.css" type="text/css" rel="stylesheet"/><script>
        var okta = {
            locale: 'en',
            deployEnv: 'PROD'
        };
    </script>
    <script>window.okta || (window.okta = {}); okta.cdnUrlHostname = "//ok7static.oktacdn.com"; okta.cdnPerformCheck = false;</script><script>if (window.module) module = window.module;</script>

</head>
<body class="auth okta-container">

<!--[if gte IE 8]>
  <![if lte IE 9]>

    <style>
    .unsupported-browser-banner-wrap {
      padding: 20px;
      border: 1px solid #ddd;
      background-color: #f3fbff;
    }
    .unsupported-browser-banner-inner {
      position: relative;
      width: 735px;
      margin: 0 auto;
      text-align: left;
    }
    .unsupported-browser-banner-inner .icon {
      vertical-align: top;
      margin-right: 20px;
      display: inline-block;
      position: static !important;
    }
    .unsupported-browser-banner-inner a {
      text-decoration: underline;
    }
    </style>

    <div class="unsupported-browser-banner-wrap">
      <div class="unsupported-browser-banner-inner">
        <span class="icon icon-16 icon-only warning-16-yellow"></span>You are using an unsupported browser. For the best experience, update to <a href="https://support.okta.com/help/articles/Knowledge_Article/24532952-Platforms---Browser-and-OS-Support">a supported browser</a>.</div>
    </div>

  <![endif]>
<![endif]-->
<!--[if IE 8]> <div id="login-bg-image-ie8" class="login-bg-image" data-se="login-bg-image"></div> <![endif]-->
<!--[if (gt IE 8)|!(IE)]><!--> <div id="login-bg-image" class="login-bg-image" data-se="login-bg-image"></div> <!--<![endif]-->

<!-- hidden form for reposting fromURI for X509 auth -->
<form action="/login/cert" method="post" id="x509_login" name="x509_login" style="display:none;">
    <input type="hidden" class="hide" name="_xsrfToken" value="null"/><input type="hidden" id="fromURI" name="fromURI" class="hidden" value="&#x2f;app&#x2f;panw_globalprotect&#x2f;exk1difehdljP9cUR357&#x2f;sso&#x2f;saml&#x3f;SAMLRequest&#x3d;REDACTED base64-encoded request with sensitive data"/>
</form>

<div class="content">
  <div class="applogin-banner">
          <div class="applogin-background"></div>
          <div class="applogin-container">
              <h1>
                Connecting to<div class="applogin-app-logo">
                      <img src="https://ok7static.oktacdn.com/fs/bcg/4/gfs2h3fnucQaar64A356" alt="GlobalProtect&#x20;VPN" class="logo panw_globalprotect"/></div>
              </h1>
              <p>Sign-in with your XXXX account to access GlobalProtect VPN</p>
          </div>
      </div>
  <style type="text/css">
    .noscript-msg {
        background-color: #fff;
        border-color: #ddd #ddd #d8d8d8;
        box-shadow:0 2px 0 rgba(175, 175, 175, 0.12);
        text-align: center;
        width: 398px;
        min-width: 300px;
        margin: 200px auto;
        border-radius: 3px;
        border-width: 1px;
        border-style: solid;
    }

    .noscript-content {
        padding: 42px;
    }

    .noscript-content h2 {
        padding-bottom: 20px;
    }

    .noscript-content h1 {
        padding-bottom: 25px;
    }

    .noscript-content a {
        background: transparent;
        box-shadow: none;
        display: table-cell;
        vertical-align: middle;
        width: 314px;
        height: 50px;
        line-height: 36px;
        color: #fff;
        background: linear-gradient(#007dc1, #0073b2), #007dc1;
        border: 1px solid;
        border-color: #004b75;
        border-bottom-color: #00456a;
        box-shadow: rgba(0, 0, 0, 0.15) 0 1px 0, rgba(255, 255, 255, 0.1) 0 1px 0 0 inset;
        -webkit-border-radius: 3px;
        border-radius: 3px;
    }

    .noscript-content a:hover {
        background: #007dc1;
        cursor: hand;
        text-decoration: none;
    }
</style>
<noscript>
    <div id="noscript-msg" class="noscript-msg">
        <div class="noscript-content">
            <h2>Javascript is required</h2>
            <h1>Javascript is disabled on your browser.&nbspPlease enable Javascript and refresh this page.</h1>
            <a href=".">Refresh</a>
        </div>
    </div>
</noscript>
<div id="signin-container"></div>
  <div id="okta-sign-in" class="auth-container main-container" style="display:none">
      <div id="unsupported-onedrive" class="unsupported-message" style="display:none">
        <h2 class="o-form-head">Your OneDrive version is not supported</h2>
        <p>Upgrade now by installing the OneDrive for Business Next Generation Sync Client to login to Okta</p>
        <a class="button button-primary" target="_blank" href="https://support.okta.com/help/articles/Knowledge_Article/Upgrading-to-OneDrive-for-Business-Next-Generation-Sync-Client">
          Learn how to upgrade</a>
      </div>
      <div id="unsupported-cookie" class="unsupported-message" style="display:none">
          <h2 class="o-form-head">Cookies are required</h2>
          <p>Cookies are disabled on your browser. Please enable Cookies and refresh this page.</p>
          <a class="button button-primary" target="_blank" href=".">
              Refresh</a>
      </div>
  </div>
</div>

<div class="footer">
  <div class="footer-container clearfix">
    <p class="copyright">Powered by <a href="http://www.okta.com/" class="inline-block notranslate">Okta</a></p>
        <p class="privacy-policy"><a href="/privacy" target="_blank" class="inline-block margin-l-10">Privacy Policy</a></p>
    </div>
</div>

<script type="text/javascript">function runLoginPage (fn) {var mainScript = document.createElement('script');mainScript.src = 'https://ok7static.oktacdn.com/assets/js/mvc/loginpage/initLoginPage.pack.dccc076846c26b0541cee609dba6db95.js';mainScript.crossOrigin = 'anonymous';mainScript.integrity = 'sha384-R3LzzrOmyic5+C41ouOec6dn8uBrIdNocmeWP8EX2vVxjBHToemHB0XSywlqpumH';document.getElementsByTagName('head')[0].appendChild(mainScript);fn && mainScript.addEventListener('load', function () { setTimeout(fn, 1) });}</script><script type="text/javascript">
(function(){

  var baseUrl = 'https\x3A\x2F\x2Fidentity.XXXX.com';
  var suppliedRedirectUri = '';
  var repost = false;
  var stateToken = '';
  var fromUri = '\x2Fapp\x2Fpanw_globalprotect\x2Fexk1difehdljP9cUR357\x2Fsso\x2Fsaml\x3FSAMLRequest\x3DREDACTED';
  var username = '';
  var rememberMe = false;
  var smsRecovery = false;
  var callRecovery = false;
  var emailRecovery = true;
  var usernameLabel = 'Username';
  var usernameInlineLabel = '';
  var passwordLabel = 'Password';
  var passwordInlineLabel = '';
  var signinLabel = 'Sign\x20In';
  var forgotpasswordLabel = 'Forgot\x20password\x3F';
  var unlockaccountLabel = 'Unlock\x20account\x3F';
  var helpLabel = 'Help';
  var orgSupportPhoneNumber = '';
  var hideSignOutForMFA = false;
  var hideBackToSignInForReset = false;
  var loginPageUrlRedirect = '';
  var enableUrlFixForEmbeddedBrowsers = false;
  var footerHelpTitle = 'Need\x20help\x20signing\x20in\x3F';
  var recoveryFlowPlaceholder = 'Email\x20or\x20Username';
  var signOutUrl = '';
  var authScheme = 'OAUTH2';
  var hasPasswordlessPolicy = '';

  var securityImage = true;
  

  var windowsVerify = false;
  
    windowsVerify = true;
  

  var selfServiceUnlock = false;
  

  var preventBrowserFromSavingOktaPassword = false;
  
      preventBrowserFromSavingOktaPassword = true;
    

  var redirectByFormSubmit = false;
  

  var restrictRedirectToForeground = false;
  

  var hideDefaultTip = true;
  

  var autoPush = false;
  
    autoPush = true;
  

  var publishToAccountChooser = false;
  var accountChooserDiscoveryUrl = null;
  
    publishToAccountChooser = true;
    accountChooserDiscoveryUrl = 'https://login.okta.com/discovery/iframe.html';
  

  // In case of custom app login, the uri is already absolute, so we must not attach baseUrl
  var redirectUri;
  if (isAbsoluteUri(fromUri)) {
      redirectUri = fromUri;
  } else {
      redirectUri = baseUrl + fromUri;
  }
  

  var customButtons;
  
      var pivTitle = 'PIV\x20Card';
      var pivClassName = '';
      // Use different title and color when IDP_BASED_SIGN_ON_POLICY is enabled
      
      customButtons = [{
        title: pivTitle,
        className: pivClassName,
        click: function() {
          if (repost) {
            document.x509_login.submit();
          } else {
            window.location.href='/login/cert?fromURI=' + encodeURIComponent(fromUri);
          }
        }
      }];
    

  var pivProperties = {};
  

  var customLinks = [];
  

  var linkParams;
  

  var stateTokenAllFlows;
  

  var idpDiscovery;
  var idpDiscoveryRequestContext;
  

  var showPasswordToggleOnSignInPage = false;
  

  var hasOAuth2ConsentFeature = false;
  var consentFunc;
  

  var hasMfaAttestationFeature = false;
  
    hasMfaAttestationFeature = true;
  

  var registration = false;
  

  var webauthn = true;
  

  var loginPageConfig = {
    fromUri: fromUri,
    repost: repost,
    redirectUri: redirectUri,
    isMobileClientLogin: false,
    isMobileSSO: false,

    linkParams: linkParams,
    hasChromeOSFeature: false,
    showLinkToAppStore: false,
    publishToAccountChooser: publishToAccountChooser,
    accountChooserDiscoveryUrl: accountChooserDiscoveryUrl,
    preventBrowserFromSavingOktaPassword: preventBrowserFromSavingOktaPassword,
    enableUrlFixForEmbeddedBrowsers: enableUrlFixForEmbeddedBrowsers,
    loginPageUrlRedirect: loginPageUrlRedirect,
    mfaAttestation: hasMfaAttestationFeature,
    enrollingFactor: '',
    signIn: {
      el: '#signin-container',
      baseUrl: baseUrl,
      brandName: 'Okta',
      logo: 'https://ok7static.oktacdn.com/fs/bco/1/fs0oig1kk82ILLpWl356',
      logoText: 'XXXX logo',
      helpSupportNumber: orgSupportPhoneNumber,
      stateToken: stateToken,
      username: username,
      signOutLink: signOutUrl,
      consent: consentFunc,
      authScheme: authScheme,
      relayState: fromUri,
      idpDiscovery: {
        requestContext: idpDiscoveryRequestContext
      },
      features: {
        router: true,
        securityImage: securityImage,
        rememberMe: rememberMe,
        autoPush: autoPush,
        webauthn: webauthn,
        smsRecovery: smsRecovery,
        callRecovery: callRecovery,
        emailRecovery: emailRecovery,
        windowsVerify: windowsVerify,
        selfServiceUnlock: selfServiceUnlock,
        multiOptionalFactorEnroll: true,
        deviceFingerprinting: true,
        useDeviceFingerprintForSecurityImage: true,
        trackTypingPattern: false,
        hideSignOutLinkInMFA: hideSignOutForMFA,
        hideBackToSignInForReset: hideBackToSignInForReset,
        customExpiredPassword: true,
        idpDiscovery: idpDiscovery,
        passwordlessAuth: hasPasswordlessPolicy,
        consent: hasOAuth2ConsentFeature,
        showPasswordToggleOnSignInPage: showPasswordToggleOnSignInPage,
        registration: registration,
        redirectByFormSubmit: redirectByFormSubmit,
        restrictRedirectToForeground: restrictRedirectToForeground,
        hideDefaultTip: hideDefaultTip
      },

      assets: {
        baseUrl: okta.cdnUrlHostname + '/assets/js/mvc/loginpage/i18n'
      },

      language: okta.locale,
      i18n: {},

      customButtons: customButtons,

      piv: pivProperties,

      helpLinks: {
        help: '',
        forgotPassword: '',
        unlock: '',
        custom: customLinks
      }
    }
  };

  loginPageConfig.signIn.i18n[okta.locale] = {
    
    'primaryauth.username.placeholder': usernameLabel,
    'primaryauth.username.tooltip': usernameInlineLabel,
    'primaryauth.password.placeholder': passwordLabel,
    'primaryauth.password.tooltip': passwordInlineLabel,
    'mfa.challenge.password.placeholder': passwordLabel,
    'primaryauth.title': signinLabel,
    'forgotpassword': forgotpasswordLabel,
    'unlockaccount': unlockaccountLabel,
    'help': helpLabel,
    'needhelp': footerHelpTitle,
    'password.forgot.email.or.username.placeholder': recoveryFlowPlaceholder,
    'password.forgot.email.or.username.tooltip': recoveryFlowPlaceholder,
    'account.unlock.email.or.username.placeholder': recoveryFlowPlaceholder,
    'account.unlock.email.or.username.tooltip': recoveryFlowPlaceholder
  };

  function isOldWebBrowserControl() {
    // We no longer support IE7. If we see the MSIE 7.0 browser mode, it's a good signal
    // that we're in a windows embedded browser.
    if (navigator.userAgent.indexOf('MSIE 7.0') === -1) {
      return false;
    }

    // Because the userAgent is the same across embedded browsers, we use feature
    // detection to see if we're running on older versions that do not support updating
    // the documentMode via x-ua-compatible.
    return document.all && !window.atob;
  }

  function isAbsoluteUri(uri) {
    var pat = /^https?:\/\//i;
    return pat.test(uri);
  }

  var unsupportedContainer = document.getElementById('okta-sign-in');

  var failIfCookiesDisabled = true;
  

  // Old versions of WebBrowser Controls (specifically, OneDrive) render in IE7 browser
  // mode, with no way to override the documentMode. In this case, inform the user they need
  // to upgrade.
  if (isOldWebBrowserControl()) {
    document.getElementById('unsupported-onedrive').removeAttribute('style');
    unsupportedContainer.removeAttribute('style');
  }
  else if (failIfCookiesDisabled && !navigator.cookieEnabled) {
    document.getElementById('unsupported-cookie').removeAttribute('style');
    unsupportedContainer.removeAttribute('style');
  }
  else {
    unsupportedContainer.parentNode.removeChild(unsupportedContainer);
    runLoginPage(function () {
      OktaLogin.initLoginPage(loginPageConfig);
    });
  }

}());
</script>

<script>
  window.addEventListener('load', function(event) {
    function applyStyle(id, style) {
      if (style) {
        var el = document.getElementById(id);
        if (el) {
          el.setAttribute('style', style);
        }
      }
    }
    applyStyle('login-bg-image', "background-image: url('https://ok7static.oktacdn.com/fs/bco/7/fs0oinn65InFZvdbi356')");
    applyStyle('login-bg-image-ie8', "filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src='https://ok7static.oktacdn.com/fs/bco/7/fs0oinn65InFZvdbi356', sizingMethod='scale')");
  });
</script>

</body>
</html>

@alessiostalla

This appears to be my org's login page, so I think the redirect is a red herring, something's not working in the previous requests.
