From 300ca9c6eef9d8f5e3178e849ec11437803adebe Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Tue, 13 Mar 2018 10:39:51 -0400
Subject: [PATCH] Have Okta respect its set max_ttl. (#4111)

Fixes #4110
---
 builtin/credential/okta/path_login.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/builtin/credential/okta/path_login.go b/builtin/credential/okta/path_login.go
index 331af5a77..a7a719e24 100644
--- a/builtin/credential/okta/path_login.go
+++ b/builtin/credential/okta/path_login.go
@@ -96,6 +96,21 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 },
 }
 
+ if resp.Auth.TTL == 0 {
+ resp.Auth.TTL = b.System().DefaultLeaseTTL()
+ }
+ if cfg.MaxTTL > 0 {
+ maxTTL := cfg.MaxTTL
+ if maxTTL > b.System().MaxLeaseTTL() {
+ maxTTL = b.System().MaxLeaseTTL()
+ }
+
+ if resp.Auth.TTL > maxTTL {
+ resp.Auth.TTL = maxTTL
+ resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", resp.Auth.TTL, maxTTL))
+ }
+ }
+
 for _, groupName := range groupNames {
 if groupName == "" {
 continue
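Review bot: The warning in the `if resp.Auth.TTL > maxTTL` branch is built after `resp.Auth.TTL = maxTTL` has already run, so both `%s` verbs print the capped value and the TTL that was actually requested never reaches the operator. Swapping the two statements fixes it: call `resp.AddWarning(fmt.Sprintf("...", resp.Auth.TTL, maxTTL))` first, then `resp.Auth.TTL = maxTTL`. Separately, the clamp to `b.System().MaxLeaseTTL()` only runs inside `if cfg.MaxTTL > 0`, so with no backend `max_ttl` set this code leaves the token lifetime to whatever enforces the mount limit later; a short comment saying where that happens would help. The renewal handler is not visible here and presumably needs the same cap, otherwise a renewed token could outlive `max_ttl`. `pathLogin` starts and ends outside the hunk.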