Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

Custom Domains Allowed in okta_org_url But Not app_url #436

Closed straub closed 9 months ago

straub commented 10 months ago

Hey folks,

It seems _get_org_url_entry was updated to allow custom domains by validating /.well-known/okta-organization, but _get_appurl_entry is still looking for the specific allowlist domains (okta.com, oktapreview.com, okta-emea.com).

This appears to only affect --action-configure. If I manually configure app_url in my .okta_aws_login_config, it accepts the custom domain without complaint.

Expected Behavior

--action-configure should allow custom domains to be used in app_url.

Current Behavior

Receive an error from --action-configure:

Okta organization URL must be HTTPS URL for okta.com or oktapreview.com or okta-emea.com domain

which originates here: https://github.com/Nike-Inc/gimme-aws-creds/blob/094a3292e3b6bf63006f63043a86a757fba06ce5/gimme_aws_creds/config.py#L421 (It appears the warning is also referring to the wrong entry?)

Possible Solution

Update _get_appurl_entry with the same logic as _get_org_url_entry, or to validate the app_url against the okta_org_url instead of the static allowlist?

Steps to Reproduce (for bugs)

  1. Attempt to provide a custom domain to --action-configure's "Application url" prompt.

Context

My team is currently configuring .okta_aws_login_config with our custom Okta domain, to work around the --action-configure limitation.

Your Environment
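One way to implement the check the report proposes, as an added example that is not gimme-aws-creds code: it assumes okta_org_url has already been validated (the project does that by fetching /.well-known/okta-organization, which is deliberately not repeated here so the example runs offline) and accepts an app_url whose host is either exactly the org host or a host under one of the three Okta-operated domains from the old allowlist. The function and constant names, and the sample URLs, are hypothetical.

```python
from urllib.parse import urlsplit

# The static allowlist the old _get_appurl_entry check relied on (the three domains named above).
OKTA_DOMAINS = ("okta.com", "oktapreview.com", "okta-emea.com")


def _https_host(url):
    """Return the lower-cased hostname of an HTTPS URL, or None if the URL is not HTTPS."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def is_allowlisted_host(host):
    """Old-style check: the host is one of the Okta domains or a subdomain of one.
    The leading dot matters so that a look-alike such as evilokta.com is rejected."""
    return any(host == d or host.endswith("." + d) for d in OKTA_DOMAINS)


def validate_app_url(app_url, okta_org_url):
    """Return (ok, reason).

    Accepts an HTTPS app_url whose host is exactly the (already validated) org host,
    or a host on an Okta-operated domain. Anything else is rejected, including a
    custom-domain host that merely contains the org host as a prefix or suffix.
    """
    app_host = _https_host(app_url)
    if app_host is None:
        return False, "Application URL must be an HTTPS URL"
    org_host = _https_host(okta_org_url)
    if org_host is None:
        return False, "Okta organization URL must be an HTTPS URL"
    if app_host == org_host:
        return True, "app_url host matches okta_org_url host"
    if is_allowlisted_host(app_host):
        return True, "app_url host is on an Okta-operated domain"
    return False, f"{app_host} is neither the configured Okta org host nor an Okta domain"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real tenant.
    org = "https://sso.example.com"
    for url in (
        "https://sso.example.com/home/amazon_aws/0oaXXXX/272",
        "http://sso.example.com/home/amazon_aws/0oaXXXX/272",
        "https://acme.okta.com/home/amazon_aws/0oaXXXX/272",
        "https://acme.okta.com.attacker.test/home/amazon_aws/0oaXXXX/272",
        "https://sso.example.com.attacker.test/home/amazon_aws/0oaXXXX/272",
    ):
        print(url, "->", validate_app_url(url, org))
```

Comparing the full host for equality, rather than a substring or suffix match, is what keeps a custom domain from being spoofed by a look-alike; the same exact-match rule would also let --action-configure accept the custom domain that the manually edited .okta_aws_login_config already accepts today.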

epierce commented 9 months ago

The error you're getting is because the provided URL didn't start with https:// - if the /.well-known/okta-organization file isn't found, you'll see the following message: {okta_url} is not a valid Okta domain

bdo commented 2 weeks ago

Hi, I'm a developer working at Warner Bros. Discovery and we've come across the same bug.

I have seen the same behaviour with a proper corporate Okta https URL and looking at the gimme-aws-creds code, I come to the same conclusion as @straub.

Can you please reopen this issue?

cc. @epierce