Okta Classic Engine | Administration | Answered | 2024-03-19T18:29:38.000Z | 2024-03-05T11:54:23.000Z | 2024-03-19T18:29:38.000Z
Is there a way to get the plain query as received at the Okta instance?

Hi,

I'm investigating a macOS app that queries Okta every 15 minutes for an OIDC app at Okta.

It continues to query even after the user changes the account password, which gets an auth. failure every 15 minutes.

The developer has been failing to provide the cause of why it keeps querying Okta, even though it is not designed to stop on the first auth. failure and onward.

The agent's log looks like this:

2023-12-12 21:50:30.419536+0900 0x438e     Error       0x0                  312    0    kandji-daemon: [io.kandji.KandjiAgent:Requests] Completed with error POST token: 400 (bad request)

2023-12-12 22:05:29.855770+0900 0x9d92     Error       0x0                  312    0    kandji-daemon: [io.kandji.KandjiAgent:Requests] Completed with error POST token: 400 (bad request)

2023-12-12 22:20:29.941488+0900 0xf127     Error       0x0                  312    0    kandji-daemon: [io.kandji.KandjiAgent:Requests] Completed with error POST token: 400 (bad request)


And Okta's System Log looks like this:

[Image: Okta System Log screenshot]

Apparently, while the customer is working on other things with macOS running, their account gets locked out by these consecutive auth failures. Pretty unacceptable.

As the app developer does not know what to do about it, I could help them by providing the exact request Okta got from the agent.

Is there a way to retrieve the exact query Okta got on my own?


  • Hi @User16355408004815339458 (Customer), thank you for reaching out to the Okta Community!

     

    If you’ve confirmed that the behavior is consistent, as in - the request is always coming from the same device/IP - you might be able to rule out malicious events.  

    Assuming that the events are caused by an authentication request triggered by some kind of app on the user’s machine, I would recommend looking into where the user’s credentials are required. 

    I’ve seen similar behavior when users changed their Okta password but forgot to update it in their Outlook desktop app for example. The Outlook app kept trying to re-authenticate automatically with the old credentials it had stored, causing the user’s account to be locked.  

    Judging by the log information you’ve provided, I assume the user has some kind of Kandji client installed on their device, which may be trying to automatically re-authenticate, but it’s using the wrong credentials. 

     

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    Selected as Best
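
The consistency check suggested in the answer can be run against the agent log quoted in the question. The following is an added example, not part of the original thread and not Okta's or Kandji's code: it parses those lines and tests whether the failed token requests arrive at a fixed interval. The regular expression, function names and 30-second tolerance are assumptions, and the fourth log line is constructed.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# First three lines are the agent log quoted in the question; the fourth is a
# constructed, unrelated entry included to show that it is ignored.
SAMPLE_LOG = """\
2023-12-12 21:50:30.419536+0900 0x438e     Error       0x0                  312    0    kandji-daemon: [io.kandji.KandjiAgent:Requests] Completed with error POST token: 400 (bad request)
2023-12-12 22:05:29.855770+0900 0x9d92     Error       0x0                  312    0    kandji-daemon: [io.kandji.KandjiAgent:Requests] Completed with error POST token: 400 (bad request)
2023-12-12 22:20:29.941488+0900 0xf127     Error       0x0                  312    0    kandji-daemon: [io.kandji.KandjiAgent:Requests] Completed with error POST token: 400 (bad request)
2023-12-12 22:21:00.000000+0900 0x0001     Default     0x0                  400    0    exampled: [com.example.App:Net] Completed GET status: 200
"""

# Assumed pattern, derived only from the three quoted lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+.*?\s"
    r"(?P<proc>[\w.-]+): \[[^\]]+\] Completed with error POST token: (?P<status>\d{3})"
)

def failed_token_posts(log_text):
    """Return sorted (timestamp, process, HTTP status) for each failed POST token."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z")
            events.append((ts, m["proc"], int(m["status"])))
    return sorted(events)

def retry_cadence(events, tolerance=timedelta(seconds=30)):
    """Summarise gaps between failures. Every gap within `tolerance` of the
    median indicates a timer-driven retry loop rather than ad hoc attempts."""
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    if len(gaps) < 2:
        return None  # not enough failures to judge periodicity
    mid = median(gaps)
    return {
        "failures": len(events),
        "processes": {proc for _, proc, _ in events},
        "median_gap_s": mid.total_seconds(),
        "periodic": all(abs(g - mid) <= tolerance for g in gaps),
    }

if __name__ == "__main__":
    print(retry_cadence(failed_token_posts(SAMPLE_LOG)))
```

A periodic result from a single process on one device matches the stale-credential retry pattern described in the answer; the same timestamps can then be lined up against the corresponding System Log entries.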
This question is closed.