The okta-aws-cli project on GitHub notes that in OIE the OIDC native app should have equivalent policies to the AWS Account Federation app(s), or else more stringent policies on the AWS app(s) may result in a 400 Bad Request error: https://github.com/okta/okta-aws-cli#recommendations

Expected Behavior
Attempt login with gimme-aws-creds, open the browser when prompted by the OIE login, perform MFA as prompted, return to the CLI to complete the transaction.

Current Behavior
Attempt login with gimme-aws-creds, open the browser when prompted by the OIE login, perform MFA as prompted, return to the CLI and find it has received a 400 Bad Request error.

Possible Solution
Updating the OIDC Native Application in Okta to use an Authentication Policy matching the AWS Account Federation app(s) returns behavior to "Expected Behavior".

Steps to Reproduce (for bugs)
1. Attempt login with gimme-aws-creds
2. Open the browser when prompted by the OIE login
3. Perform MFA as prompted
4. Return to the CLI to observe results; you may need to select a role to complete the attempt to receive a token

Context
This may help others who think that MFA suddenly does not work after upgrading to OIE. Note that this issue also impacts okta-aws-cli if the Authentication Policy is more stringent on the AWS Account Federation app than on the OIDC Native App.
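The workaround in this issue is to make the OIDC native app's authentication policy match the AWS Account Federation app(s). The script below is an added example, not code from gimme-aws-creds, okta-aws-cli or this issue: it compares the authentication policy assigned to each app and reports any AWS app whose policy differs from the native app's. It assumes the app objects have the shape returned by the Okta Management API `GET /api/v1/apps/{appId}`, where `_links.accessPolicy.href` points at the assigned policy under `/api/v1/policies/{policyId}`; the org URL, app ids, labels and policy ids in the sample data are constructed for the example. The comparison is by policy id only: two separately defined policies with identical rules would also avoid the 400 but would be flagged here, so treat a mismatch as something to verify in the admin console rather than as proof of the bug.

```python
"""Compare the Okta authentication policy assigned to an OIDC native app
(the one gimme-aws-creds / okta-aws-cli authenticates against) with the policy
on one or more AWS Account Federation apps.

Assumptions (not from the issue): app objects come from the Okta Management
API `GET /api/v1/apps/{appId}`, and `_links.accessPolicy.href` holds the URL
of the authentication policy assigned to that app. Sample app objects below
are constructed for this example and are not real Okta data.
"""
import json
import re
import urllib.request
from typing import Dict, List, Optional

# Policy id is the last path segment of .../api/v1/policies/{policyId}
POLICY_ID_RE = re.compile(r"/api/v1/policies/([^/?#]+)")

# Constructed sample responses: only the fields the check needs are present.
# Org URL, app ids and policy ids are made up for the example.
SAMPLE_APPS: List[Dict] = [
    {
        "id": "0oa1nativeapp",
        "label": "gimme-aws-creds (OIDC native)",
        "signOnMode": "OPENID_CONNECT",
        "_links": {"accessPolicy": {"href": "https://example.okta.com/api/v1/policies/rst1anyfactor"}},
    },
    {
        "id": "0oa2awsprod",
        "label": "AWS Account Federation - prod",
        "signOnMode": "SAML_2_0",
        "_links": {"accessPolicy": {"href": "https://example.okta.com/api/v1/policies/rst2phishres"}},
    },
    {
        "id": "0oa3awsdev",
        "label": "AWS Account Federation - dev",
        "signOnMode": "SAML_2_0",
        "_links": {"accessPolicy": {"href": "https://example.okta.com/api/v1/policies/rst1anyfactor"}},
    },
]


def policy_id(app: Dict) -> Optional[str]:
    """Extract the authentication policy id from an app object, or None if absent."""
    href = app.get("_links", {}).get("accessPolicy", {}).get("href", "")
    match = POLICY_ID_RE.search(href)
    return match.group(1) if match else None


def find_mismatches(native_app: Dict, aws_apps: List[Dict]) -> List[Dict]:
    """Return one record per AWS app whose assigned policy id differs from the native app's.

    A mismatch is the configuration this issue describes: if the AWS app's policy is
    stricter than the native app's, the CLI flow can end in a 400 Bad Request.
    """
    native_policy = policy_id(native_app)
    mismatches = []
    for app in aws_apps:
        aws_policy = policy_id(app)
        if aws_policy != native_policy:
            mismatches.append({
                "app": app.get("label"),
                "app_id": app.get("id"),
                "aws_policy": aws_policy,
                "native_policy": native_policy,
            })
    return mismatches


def fetch_app(org_url: str, app_id: str, api_token: str) -> Dict:
    """Live fetch of one app object with an Okta API token (SSWS). Not used by the offline demo."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/apps/{app_id}",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def check_sample() -> List[Dict]:
    """Run the comparison over the constructed sample: native app vs. the two AWS apps."""
    native = SAMPLE_APPS[0]
    aws_apps = SAMPLE_APPS[1:]
    return find_mismatches(native, aws_apps)


if __name__ == "__main__":
    for m in check_sample():
        print(f"MISMATCH: {m['app']} ({m['app_id']}) is on policy {m['aws_policy']}, "
              f"native app is on {m['native_policy']}")
```

To run it against a real org, replace `SAMPLE_APPS` with the results of `fetch_app(...)` for the native app and each AWS Account Federation app; the API token only needs read access to apps.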