SNOW-1647589: Fix NullPointerException when MFA is enabled in Okta

snowflakedb · Sep 4, 2024 · 22de3f1 · 22de3f1
1 parent 21c1e32
commit 22de3f1
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/src/main/java/net/snowflake/client/core/SessionUtil.java b/src/main/java/net/snowflake/client/core/SessionUtil.java
@@ -1266,6 +1266,7 @@ private static String federatedFlowStep3(SFLoginInput loginInput, String tokenUr
       throws SnowflakeSQLException {
 
     String oneTimeToken = "";
+    boolean isMfaEnabledInOkta;
     try {
       URL url = new URL(tokenUrl);
       URI tokenUri = url.toURI();
@@ -1302,17 +1303,32 @@ private static String federatedFlowStep3(SFLoginInput loginInput, String tokenUr
               null,
               loginInput.getHttpClientSettingsKey());
 
-      logger.debug("User is authenticated against {}.", loginInput.getAuthenticator());
-
       // session token is in the data field of the returned json response
       final JsonNode jsonNode = mapper.readTree(idpResponse);
+      isMfaEnabledInOkta = jsonNode.get("status").asText().equals("MFA_REQUIRED");
+      if (isMfaEnabledInOkta) {
+        SnowflakeSQLException ex =
+            new SnowflakeSQLLoggedException(
+                null,
+                ErrorCode.OKTA_MFA_NOT_SUPPORTED.getMessageCode(),
+                SqlState.FEATURE_NOT_SUPPORTED,
+                "MFA enabled in Okta is not supported with this authenticator type. "
+                    + "Please use 'externalbrowser' instead or a different authentication method.");
+
+        logger.error(
+            "MFA enabled in Okta is not supported with this authenticator type. "
+                + "Please use 'externalbrowser' instead or a different authentication method.",
+            ex);
+        throw ex;
+      }
       oneTimeToken =
           jsonNode.get("sessionToken") != null
               ? jsonNode.get("sessionToken").asText()
               : jsonNode.get("cookieToken").asText();
     } catch (IOException | URISyntaxException ex) {
       handleFederatedFlowError(loginInput, ex);
     }
+    logger.debug("User is authenticated against {}.", loginInput.getAuthenticator());
     return oneTimeToken;
   }
 

diff --git a/src/main/java/net/snowflake/client/jdbc/ErrorCode.java b/src/main/java/net/snowflake/client/jdbc/ErrorCode.java
@@ -83,7 +83,8 @@ public enum ErrorCode {
   INVALID_OKTA_USERNAME(200060, SqlState.CONNECTION_EXCEPTION),
   GCP_SERVICE_ERROR(200061, SqlState.SYSTEM_ERROR),
   AUTHENTICATOR_REQUEST_TIMEOUT(200062, SqlState.CONNECTION_EXCEPTION),
-  INVALID_STRUCT_DATA(200063, SqlState.DATA_EXCEPTION);
+  INVALID_STRUCT_DATA(200063, SqlState.DATA_EXCEPTION),
+  OKTA_MFA_NOT_SUPPORTED(200064, SqlState.FEATURE_NOT_SUPPORTED);
 
   public static final String errorMessageResource = "net.snowflake.client.jdbc.jdbc_error_messages";