Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

Remember_device = False doesn't work #414

Closed tculp closed 1 year ago

tculp commented 1 year ago

Having remember_device = False and no device_token in the config file still saves a device token.

Expected Behavior

Configuring to not remember a device should not save a device token.

Current Behavior

A device token is saved.

Possible Solution

Updating the logic in handle_action_register_device

One workaround previously was setting device_token = '' in the config file, but it looks like https://github.com/Nike-Inc/gimme-aws-creds/commit/4aee4ed0d58ee7cab3de8a95d6958214ddd097f8 removed that.

Steps to Reproduce (for bugs)

  1. Set remember_device = False in the config file
  2. Run gimme-aws-creds
  3. A device token is saved

Context

Depending on permissions the config file may not be writable, so gimme-aws-creds cannot be used without disabling this feature.

Your Environment

epierce commented 1 year ago

remember_device and the --remember-device, -m flags don't have an effect on the saving of a device token. They set the rememberDevice value that will be sent back to Okta when verifying an MFA challenge - this is the same thing as checking the "Don't prompt me again on this device" checkbox in the Okta login UI. A device token is sent to the client regardless of the value.

If you don't want the config file to be updated, you can set remember_device to any random string.