This article allows 3rd party partners like Crowdstrike, Proofpoint, S1 and others to allow Okta to receive the actual origin IP of the end user using Okta’s Factors API. The objective/goal of this approach is to have Okta Verify (Authenticator) display the end user’s actual origin IP rather than showing UNKNOWN LOCATION or a different location where the API is being triggered upon.
Instructions
- We will refer to Okta’s Factors API available here.
- As part of the Okta Core API documentation, we can leverage the X-Forwarded-For header to have Okta receive another IP address, the actual source IP.
- We would need to create a whitelisted network zone in Okta. The whitelisted IP should contain the IP address where you are calling the Factors API
4. Once you have correctly configured the whitelisted IP where you’re calling the API, you can populate the X-Forwarded-For headers with the end user’s IP. Here are some sample cURL request
curl --location --request POST 'https://oktauniversity-oie.okta.com/api/v1/users/00u1gesndvv0vkU9o697/factors/opf1gestlyME7Wr4m697/verify' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <YOUR_API_KEY_HERE>' \
--header 'X-Forwarded-For: 2.50.89.23' \
--header 'Cookie: JSESSIONID=82E854C2B158DDA2EBCFFB3A7A27C1B8' \
--data-raw '{
} '
End User’s Experience:
Okta System Logs:
Extra notes:
We can also override or forward the end user’s actual HTTP user agent.
curl --location --request POST 'https://oktauniversity-oie.okta.com/api/v1/users/00u1gesndvv0vkU9o697/factors/opf1gestlyME7Wr4m697/verify' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <YOUR_API_KEY>' \
--header 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Edg/104.0.1293.54' \
--header 'X-Forwarded-For: 2.50.89.23' \
--header 'Cookie: JSESSIONID=D09FE56C022F454DAE24AADAE06B8E43' \
--data-raw '{
} '
