Blake Grosskopf
All work

Identity Complete

Okta OIE Credential-Validation Oracle

Reverse-engineered Okta's Identity Engine sign-in flow into an unauthenticated, internet-reachable credential-validation oracle — using only a public OAuth client — then shipped it defense-forward.

Attack path pivotal step highlighted
  1. 01 Capture in Burp
  2. 02 authorize browser fingerprint
  3. 03 introspect stateHandle
  4. 04 identify → verdict 200 / 401

Scope

Every result here was produced against an Okta organization I own and control, from my own external egress, using only that org’s public first-party OAuth client. No third-party tenant, account, or user was ever touched. This case study is deliberately defense-forward: it documents the reverse-engineering methodology, the findings, and — most importantly — the tenant hardening and detection that neutralize the technique. The assembled, runnable tool is intentionally not published.

The question that started it: modern Okta orgs run the Identity Engine (OIE), whose browser sign-in is a multi-step /idp/idx/ transaction — a different protocol from the legacy Classic endpoint that virtually every public Okta spraying tool targets. So what actually happens when you try to validate credentials against OIE from off-network, and what really gates it?

Recon — capturing a black box

Starting from a password-spray attempt that hit a brick wall, I captured the hosted sign-in widget’s traffic in Burp Suite and isolated the token-minting mechanics. The widget performs a three-call chain — authorizeintrospectidentify — and the goal was to reproduce it headlessly using nothing but the org’s public End-User Dashboard client_id, discoverable from the sign-in page. No registered app, no API token, no prior session.

Finding — four non-obvious behaviors, one clean oracle

A naive script fails on this flow for four separate reasons, and finding each one was the work:

  1. Silent-SSO bounce. Any request carrying a session gets redirected to the dashboard and never sees a challenge. A cookieless client forces the unauthenticated sign-in render.
  2. Tokenless SPA shell. A non-browser request to authorize gets a bare JavaScript bootstrap with no stateToken. Sending a full browser fingerprint (real User-Agent and Accept-Language) makes Okta server-inject the token into the same page — so token presence is a fingerprint/auth-state function, not a JS-execution one.
  3. Wrong bootstrap assumption. The org advertises no interaction-code grant, so it uses the classic server-injected stateToken flow, not the embedded mint. Chasing the XHR path was a dead end.
  4. Identifier-first vs. single-page. Submitting a username alone returned an error and re-served the page — proving this is a single-page flow where username and password are submitted together, and the verdict lives on that response.

Put together, the flow becomes a credential-validation oracle: a clean binary verdict (valid / invalid) per credential pair, reachable from any internet egress, requiring no session. Supporting details mattered too — the injected token is JS-escaped and must be unescaped, a single HTTP session carries the redirect cookies through the IDX calls, and a per-attempt PKCE challenge is generated. This is the exact external credential-validation primitive behind the 0ktapus / Scattered Spider intrusion pattern.

Impact — what actually gates external spraying

The precise answer, which most guidance gets wrong: pre-password gating is the only thing that stops it. Okta Network Zones / Dynamic Zones and ThreatInsight in block mode return a rejection before the password is evaluated, and from an untrusted egress the oracle is then unreachable. MFA does not neutralize it — the password is still validated; MFA is a later, separate hurdle. The severity is not an Okta zero-day: the sign-in surface is internet-facing by design. It is a defense-in-depth gap whose ceiling is set by MFA coverage and password hygiene.

Remediation — the hardening playbook

The tool doubles as a checklist of what a hardened tenant must do:

  • Network Zones / Dynamic Zones — restrict authentication to expected geographies and ranges; block anonymizers, Tor, and known-bad ASNs. This directly defeats external spray.
  • ThreatInsight in “Log and block” — log-only mode does not stop the technique.
  • Universal phishing-resistant MFA (FIDO2/WebAuthn) — collapses impact even when a password is confirmed.
  • Detection in the Okta System Log — alert on many distinct usernames failing from a single IP or ASN in a short window, and on security.threat.detected. Low-and-slow is the gap velocity rules must cover.

Why the tool stays private

The reverse-engineering, the findings, and the defenses are exactly the parts a defender needs — so they ship. The assembled, runnable oracle mirrors a live intrusion pattern used against real organizations, so it does not. That line — publishing the understanding while withholding the weapon — is the professional judgment the project is meant to demonstrate as much as the reverse-engineering itself.

AFindings

SeverityFindingATT&CKRecommendation
high Unauthenticated oracle reachable when pre-password gating is absent T1110.003 Enforce Okta Network Zones / Dynamic Zones and ThreatInsight in block mode — the only controls that neutralize the oracle before the password is checked.
high Legacy Classic-authn tooling misses the OIE flow entirely T1110.004 Test the actual /idp/idx sign-in surface; passing a Classic-authn spray tool is false assurance.
medium MFA does not stop password validation T1621 Deploy universal phishing-resistant MFA (FIDO2) so a confirmed password can't be leveraged, and enforce password hygiene.
medium Low-and-slow spraying stays under lockout thresholds T1078.004 Alert in the System Log on many distinct users failing from one IP/ASN; tune velocity + behavioral detection.

BMITRE ATT&CK

  • T1110.003 Brute Force: Password Spraying Credential Access
  • T1110.004 Brute Force: Credential Stuffing Credential Access
  • T1087.004 Account Discovery: Cloud Account Discovery
  • T1078.004 Valid Accounts: Cloud Accounts Initial Access / Persistence
  • T1621 Multi-Factor Authentication Request Generation Credential Access

What this demonstrates

I can take an undocumented, black-box auth surface, reverse-engineer it from captured traffic into a precise model of how it works, and — just as importantly — decide what to publish. The methodology, findings, and defenses ship; the assembled weapon does not.