Brightspace
diff --git a/‎src/D2L.Bmx/AwsCredsCreator.cs
+9-9 b/‎src/D2L.Bmx/AwsCredsCreator.cs
+9-9
diff --git a/‎src/D2L.Bmx/Okta/Models/AuthenticateResponse.cs
+2 b/‎src/D2L.Bmx/Okta/Models/AuthenticateResponse.cs
+2
diff --git a/‎src/D2L.Bmx/Okta/OktaApi.cs ‎src/D2L.Bmx/Okta/OktaClient.cs
+80-71 b/‎src/D2L.Bmx/Okta/OktaApi.cs ‎src/D2L.Bmx/Okta/OktaClient.cs
+80-71
@@ -18,7 +18,7 @@ internal class AwsCredsCreator(
 	BmxConfig config
 ) {
 	public async Task<AwsCredentialsInfo> CreateAwsCredsAsync(
-		AuthenticatedOktaApi oktaApi,
+		OktaAuthenticatedContext okta,
 		string? account,
 		string? role,
 		int? duration,
@@ -66,8 +66,8 @@ bool cache
 		// if using cache, avoid calling Okta at all if possible
 		if( cache && !string.IsNullOrEmpty( account ) && !string.IsNullOrEmpty( role ) ) {
 			var cachedCredentials = awsCredentialCache.GetCredentials(
-				org: oktaApi.Org,
-				user: oktaApi.User,
+				org: okta.Org,
+				user: okta.User,
 				accountName: account,
 				roleName: role,
 				duration: duration.Value
@@ -82,7 +82,7 @@ bool cache
 			}
 		}
 
-		OktaApp[] awsApps = await oktaApi.Api.GetAwsAccountAppsAsync();
+		OktaApp[] awsApps = await okta.Client.GetAwsAccountAppsAsync();
 
 		if( string.IsNullOrEmpty( account ) ) {
 			if( nonInteractive ) {
@@ -97,7 +97,7 @@ bool cache
 			app => app.Label.Equals( account, StringComparison.OrdinalIgnoreCase )
 		) ?? throw new BmxException( $"Account {account} could not be found" );
 
-		string loginHtml = await oktaApi.Api.GetPageAsync( selectedAwsApp.LinkUrl );
+		string loginHtml = await okta.Client.GetPageAsync( selectedAwsApp.LinkUrl );
 		string samlResponse = HtmlXmlHelper.GetSamlResponseFromLoginPage( loginHtml );
 		AwsRole[] rolesData = HtmlXmlHelper.GetRolesFromSamlResponse( samlResponse );
 
@@ -112,8 +112,8 @@ bool cache
 		// try getting from cache again even if calling Okta is inevitable (we still avoid the AWS call)
 		if( cache ) {
 			var cachedCredentials = awsCredentialCache.GetCredentials(
-				org: oktaApi.Org,
-				user: oktaApi.User,
+				org: okta.Org,
+				user: okta.User,
 				accountName: account,
 				roleName: role,
 				duration: duration.Value
@@ -141,8 +141,8 @@ bool cache
 
 		if( cache ) {
 			awsCredentialCache.SetCredentials(
-				org: oktaApi.Org,
-				user: oktaApi.User,
+				org: okta.Org,
+				user: okta.User,
 				accountName: selectedAwsApp.Label,
 				roleName: selectedRoleData.RoleName,
 				credentials: credentials
 
@@ -1,10 +1,12 @@
+using System.Net;
 using System.Text.Json.Serialization;
 
 namespace D2L.Bmx.Okta.Models;
 
 internal abstract record AuthenticateResponse {
 	public record MfaRequired( string StateToken, OktaMfaFactor[] Factors ) : AuthenticateResponse;
 	public record Success( string SessionToken ) : AuthenticateResponse;
+	public record Failure( HttpStatusCode StatusCode ) : AuthenticateResponse;
 }
 
 internal record AuthenticateResponseRaw(
 
@@ -1,62 +1,72 @@
 using System.Net;
-using System.Net.Http.Headers;
 using System.Net.Http.Json;
 using System.Text.Json;
 using D2L.Bmx.Okta.Models;
 
 namespace D2L.Bmx.Okta;
 
-internal interface IOktaApi {
-	void SetOrganization( string organization );
-	void AddSession( string sessionId );
+internal interface IOktaClientFactory {
+	IOktaAnonymousClient CreateAnonymousClient( string org );
+	IOktaAuthenticatedClient CreateAuthenticatedClient( string org, string sessionId );
+}
+
+internal interface IOktaAnonymousClient {
 	Task<AuthenticateResponse> AuthenticateAsync( string username, string password );
 	Task IssueMfaChallengeAsync( string stateToken, string factorId );
 	Task<AuthenticateResponse> VerifyMfaChallengeResponseAsync(
 		string stateToken,
 		string factorId,
-		string challengeResponse );
+		string challengeResponse
+	);
 	Task<OktaSession> CreateSessionAsync( string sessionToken );
-	Task<OktaApp[]> GetAwsAccountAppsAsync();
-	Task<string> GetPageAsync( string samlLoginUrl );
 }
 
-internal class OktaApi : IOktaApi {
-	private readonly CookieContainer _cookieContainer;
-	private readonly HttpClient _httpClient;
-	private string? _organization;
+internal interface IOktaAuthenticatedClient {
+	Task<OktaApp[]> GetAwsAccountAppsAsync();
+	Task<string> GetPageAsync( string url );
+}
 
-	public OktaApi() {
-		_cookieContainer = new CookieContainer();
-		_httpClient = new HttpClient( new HttpClientHandler { CookieContainer = _cookieContainer } ) {
-			Timeout = TimeSpan.FromSeconds( 30 )
+internal class OktaClientFactory : IOktaClientFactory {
+	IOktaAnonymousClient IOktaClientFactory.CreateAnonymousClient( string org ) {
+		var httpClient = new HttpClient {
+			Timeout = TimeSpan.FromSeconds( 30 ),
+			BaseAddress = GetBaseAddress( org ),
 		};
-		_httpClient.DefaultRequestHeaders.Accept.Add( new MediaTypeWithQualityHeaderValue( "application/json" ) );
+		return new OktaAnonymousClient( httpClient );
 	}
 
-	void IOktaApi.SetOrganization( string organization ) {
-		_organization = organization;
-		if( !organization.Contains( '.' ) ) {
-			_httpClient.BaseAddress = new Uri( $"https://{organization}.okta.com/api/v1/" );
-		} else {
-			_httpClient.BaseAddress = new Uri( $"https://{organization}/api/v1/" );
-		}
+	IOktaAuthenticatedClient IOktaClientFactory.CreateAuthenticatedClient( string org, string sessionId ) {
+		var baseAddress = GetBaseAddress( org );
+
+		var cookieContainer = new CookieContainer();
+		cookieContainer.Add( new Cookie( "sid", sessionId, "/", baseAddress.Host ) );
+
+		var httpClient = new HttpClient( new SocketsHttpHandler {
+			CookieContainer = cookieContainer,
+		} ) {
+			Timeout = TimeSpan.FromSeconds( 30 ),
+			BaseAddress = baseAddress,
+		};
+
+		return new OktaAuthenticatedClient( httpClient );
 	}
 
-	void IOktaApi.AddSession( string sessionId ) {
-		if( _httpClient.BaseAddress is not null ) {
-			_cookieContainer.Add( new Cookie( "sid", sessionId, "/", _httpClient.BaseAddress.Host ) );
-		} else {
-			throw new InvalidOperationException( "Error adding session: http client base address is not defined" );
-		}
+	private static Uri GetBaseAddress( string org ) {
+		return org.Contains( '.' )
+			? new Uri( $"https://{org}/api/v1/" )
+			: new Uri( $"https://{org}.okta.com/api/v1/" );
 	}
+}
 
-	async Task<AuthenticateResponse> IOktaApi.AuthenticateAsync( string username, string password ) {
+internal class OktaAnonymousClient( HttpClient httpClient ) : IOktaAnonymousClient {
+	async Task<AuthenticateResponse> IOktaAnonymousClient.AuthenticateAsync( string username, string password ) {
 		HttpResponseMessage resp;
 		try {
-			resp = await _httpClient.PostAsJsonAsync(
+			resp = await httpClient.PostAsJsonAsync(
 				"authn",
 				new AuthenticateRequest( username, password ),
-				JsonCamelCaseContext.Default.AuthenticateRequest );
+				JsonCamelCaseContext.Default.AuthenticateRequest
+			);
 		} catch( Exception ex ) {
 			throw new BmxException( "Okta authentication request failed.", ex );
 		}
@@ -65,7 +75,8 @@ async Task<AuthenticateResponse> IOktaApi.AuthenticateAsync( string username, st
 		try {
 			authnResponse = await JsonSerializer.DeserializeAsync(
 				await resp.Content.ReadAsStreamAsync(),
-				JsonCamelCaseContext.Default.AuthenticateResponseRaw );
+				JsonCamelCaseContext.Default.AuthenticateResponseRaw
+			);
 		} catch( Exception ex ) {
 			throw new BmxException( "Okta authentication failed. Okta returned an invalid response", ex );
 		}
@@ -87,16 +98,36 @@ await resp.Content.ReadAsStreamAsync(),
 			);
 		}
 
-		string org = _organization ?? "unknown";
-		throw new BmxException( $"""
-			Okta authentication for user '{username}' in org '{org}' failed.
-			Check if org, user, and password is correct.
-			""" );
+		return new AuthenticateResponse.Failure( resp.StatusCode );
 	}
 
-	async Task IOktaApi.IssueMfaChallengeAsync( string stateToken, string factorId ) {
+	async Task<OktaSession> IOktaAnonymousClient.CreateSessionAsync( string sessionToken ) {
+		HttpResponseMessage resp;
 		try {
-			var response = await _httpClient.PostAsJsonAsync(
+			resp = await httpClient.PostAsJsonAsync(
+				"sessions",
+				new CreateSessionRequest( sessionToken ),
+				JsonCamelCaseContext.Default.CreateSessionRequest );
+			resp.EnsureSuccessStatusCode();
+		} catch( Exception ex ) {
+			throw new BmxException( "Request to create Okta Session failed.", ex );
+		}
+
+		OktaSession? session;
+		try {
+			session = await JsonSerializer.DeserializeAsync(
+			await resp.Content.ReadAsStreamAsync(),
+			JsonCamelCaseContext.Default.OktaSession );
+		} catch( Exception ex ) {
+			throw new BmxException( "Error creating Okta Session. Okta returned an invalid response", ex );
+		}
+
+		return session ?? throw new BmxException( "Error creating Okta Session." );
+	}
+
+	async Task IOktaAnonymousClient.IssueMfaChallengeAsync( string stateToken, string factorId ) {
+		try {
+			var response = await httpClient.PostAsJsonAsync(
 			$"authn/factors/{factorId}/verify",
 			new IssueMfaChallengeRequest( stateToken ),
 			JsonCamelCaseContext.Default.IssueMfaChallengeRequest );
@@ -107,7 +138,7 @@ async Task IOktaApi.IssueMfaChallengeAsync( string stateToken, string factorId )
 		}
 	}
 
-	async Task<AuthenticateResponse> IOktaApi.VerifyMfaChallengeResponseAsync(
+	async Task<AuthenticateResponse> IOktaAnonymousClient.VerifyMfaChallengeResponseAsync(
 		string stateToken,
 		string factorId,
 		string challengeResponse
@@ -117,7 +148,7 @@ string challengeResponse
 			PassCode: challengeResponse );
 		HttpResponseMessage resp;
 		try {
-			resp = await _httpClient.PostAsJsonAsync(
+			resp = await httpClient.PostAsJsonAsync(
 				$"authn/factors/{factorId}/verify",
 				request,
 				JsonCamelCaseContext.Default.VerifyMfaChallengeResponseRequest );
@@ -137,37 +168,15 @@ await resp.Content.ReadAsStreamAsync(),
 		if( authnResponse?.SessionToken is not null ) {
 			return new AuthenticateResponse.Success( authnResponse.SessionToken );
 		}
-		throw new BmxException( "Error verifying MFA with Okta." );
-	}
-
-	async Task<OktaSession> IOktaApi.CreateSessionAsync( string sessionToken ) {
-		HttpResponseMessage resp;
-		try {
-			resp = await _httpClient.PostAsJsonAsync(
-				"sessions",
-				new CreateSessionRequest( sessionToken ),
-				JsonCamelCaseContext.Default.CreateSessionRequest );
-			resp.EnsureSuccessStatusCode();
-		} catch( Exception ex ) {
-			throw new BmxException( "Request to create Okta Session failed.", ex );
-		}
-
-		OktaSession? session;
-		try {
-			session = await JsonSerializer.DeserializeAsync(
-			await resp.Content.ReadAsStreamAsync(),
-			JsonCamelCaseContext.Default.OktaSession );
-		} catch( Exception ex ) {
-			throw new BmxException( "Error creating Okta Session. Okta returned an invalid response", ex );
-		}
-
-		return session ?? throw new BmxException( "Error creating Okta Session." );
+		return new AuthenticateResponse.Failure( resp.StatusCode );
 	}
+}
 
-	async Task<OktaApp[]> IOktaApi.GetAwsAccountAppsAsync() {
+internal class OktaAuthenticatedClient( HttpClient httpClient ) : IOktaAuthenticatedClient {
+	async Task<OktaApp[]> IOktaAuthenticatedClient.GetAwsAccountAppsAsync() {
 		OktaApp[]? apps;
 		try {
-			apps = await _httpClient.GetFromJsonAsync(
+			apps = await httpClient.GetFromJsonAsync(
 				"users/me/appLinks",
 				JsonCamelCaseContext.Default.OktaAppArray );
 		} catch( Exception ex ) {
@@ -178,7 +187,7 @@ async Task<OktaApp[]> IOktaApi.GetAwsAccountAppsAsync() {
 				?? throw new BmxException( "Error retrieving AWS accounts from Okta." );
 	}
 
-	async Task<string> IOktaApi.GetPageAsync( string samlLoginUrl ) {
-		return await _httpClient.GetStringAsync( samlLoginUrl );
+	async Task<string> IOktaAuthenticatedClient.GetPageAsync( string url ) {
+		return await httpClient.GetStringAsync( url );
 	}
 }