From c582e3ab4c50734ef33cdbf1dfe6c2ec3e86aaaa Mon Sep 17 00:00:00 2001
From: Blake Hitchcock
Date: Thu, 12 Aug 2021 21:32:51 -0500
Subject: [PATCH 1/2] Send x-forwarded-for in Okta Push Factor request
Why: In order for Okta to properly report the location of the authentication attempt, the X-Forwarded-For header must be included in the request to Okta (if it exists). This change addresses the need by: * Duplicating the value of X-Forwarded-For if it's passed through to the auth backend
---
 builtin/credential/okta/backend.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/builtin/credential/okta/backend.go b/builtin/credential/okta/backend.go
index 6046e282c69f8..463f3277d9e87 100644
--- a/builtin/credential/okta/backend.go
+++ b/builtin/credential/okta/backend.go
@@ -3,6 +3,7 @@ package okta
 import (
 "context"
 "fmt"
+ "net/textproto"
 "time"
 "github.com/hashicorp/vault/helper/mfa"
@@ -216,6 +217,9 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username, pas
 if err != nil {
 return nil, nil, nil, err
 }
+ if len(req.Headers["X-Forwarded-For"]) > 0 {
+ verifyReq.Header.Set("X-Forwarded-For", req.Headers[textproto.CanonicalMIMEHeaderKey("X-Forwarded-For")][0])
+ }
 rsp, err := shim.Do(verifyReq, &result)
 if err != nil {
From e656c8edcc82038b868cb6e14df9c83f403e0137 Mon Sep 17 00:00:00 2001
From: Blake Hitchcock
Date: Thu, 12 Aug 2021 21:45:27 -0500
Subject: [PATCH 2/2] Add changelog entry for 12320
---
 changelog/12320.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/12320.txt
diff --git a/changelog/12320.txt b/changelog/12320.txt
new file mode 100644
index 0000000000000..f6091e1036c56
--- /dev/null
+++ b/changelog/12320.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/okta: Send x-forwarded-for in Okta Push Factor request
+```
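Review bot: The value forwarded to Okta in the added `if` block of the `Login` hunk is copied verbatim from the caller's `X-Forwarded-For` header, so whoever sends the login request chooses the address Okta attributes the push to; nothing in the hunk checks that the header was set by a trusted proxy. If Okta's location display or network-zone policy is relied on, prefer an address Vault has already validated (presumably `req.Connection.RemoteAddr` after the listener's trusted-proxy handling; confirm), or at least add a comment such as `// X-Forwarded-For is client-controlled unless a trusted proxy overwrites it; only pass it through behind such a proxy`. A smaller point of style: the guard indexes `req.Headers` with the literal key while the read goes through `textproto.CanonicalMIMEHeaderKey(...)`; reading the slice once, `if xff := req.Headers["X-Forwarded-For"]; len(xff) > 0 { verifyReq.Header.Set("X-Forwarded-For", xff[0]) }`, keeps the length check and the `[0]` index on the same slice and makes the new import unnecessary. Login's body starts and ends outside the hunk.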