From d3192b8e70527ecdd96a9041e767e2da5c6fd8bc Mon Sep 17 00:00:00 2001
From: Dustin Schultz
Date: Tue, 25 Jan 2022 15:23:51 -0700
Subject: [PATCH] 233 - Handle PASSWORD_EXPIRED from Okta by clearing password from keyring
---
 gimme_aws_creds/okta.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/gimme_aws_creds/okta.py b/gimme_aws_creds/okta.py
index c7c21cd0..541d84ef 100644
--- a/gimme_aws_creds/okta.py
+++ b/gimme_aws_creds/okta.py
@@ -315,6 +315,14 @@ def _next_login_step(self, state_token, login_data):
 return self._check_push_result(state_token, login_data)
 else:
 return self._login_input_mfa_challenge(state_token, login_data['_links']['next']['href'])
+ elif status == 'PASSWORD_EXPIRED':
+ if self.KEYRING_ENABLED:
+ try:
+ creds = self._get_username_password_creds()
+ keyring.delete_password(self.KEYRING_SERVICE, creds['username'])
+ raise errors.GimmeAWSCredsError('Stored password is expired and has been cleared from keyring. Please try again')
+ except PasswordDeleteError:
+ raise errors.GimmeAWSCredsError('Stored password is expired but got error deleting it from keyring. Please try again')
 else:
 raise RuntimeError('Unknown login status: ' + status)
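Review bot: When `KEYRING_ENABLED` is false, the new `elif status == 'PASSWORD_EXPIRED':` branch does nothing, so `_next_login_step` leaves the status chain without raising and, as far as the hunk shows, returns `None`. Before this change the same status reached the `RuntimeError` in the final `else`, so users without a keyring now get a silent failure instead of an error. An unconditional raise after the `if self.KEYRING_ENABLED:` block, for example `raise errors.GimmeAWSCredsError('Okta password is expired. Reset it in Okta and try again')`, would keep the expired-password case explicit. The success raise inside the `try` would also read more clearly in an `else:` clause, with the failure written as `except PasswordDeleteError as err:` and `raise ... from err` so the keyring error is preserved. The function starts before the hunk and may continue after it.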