okta / okta-aws-cli

A CLI for having Okta as the IdP for AWS CLI operations
https://github.com/okta/okta-aws-cli

Simplify User Agent #190

Open joshgch opened 6 months ago

joshgch commented 6 months ago

My org would like to craft Okta authentication policies that allow the okta-aws-cli User Agent under certain conditions. Unfortunately, the User Agent is currently very complex and difficult to predict.

Currently, the go version used for the build is included. It would significantly improve things for our policy if it were omitted. For example, with a single version of okta-aws with the same OS and architecture, we can see several different UA patterns:

okta-aws-cli/1.2.2 golang/go1.21.1 darwin/amd64
okta-aws-cli/1.2.2 golang/go1.21.0 darwin/amd64
okta-aws-cli/1.2.2 golang/go1.19.12 darwin/amd64

My proposed solution would be to at least remove the go version from the UA if not all build information:

Current example: okta-aws-cli/2.0.1 (go1.21.6; darwin; amd64)

Better solution without go build: okta-aws-cli/2.0.1 (darwin; amd64)

Best solution with no build info: okta-aws-cli/2.0.1
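As an added example (not code from okta-aws-cli itself), a small Go normalizer that parses both user agent layouts quoted above and drops the Go toolchain version, so a log pipeline or an allow-list check sees one string per client release and platform. The sample strings are the ones quoted in this thread; the field names are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// UA holds the fields of an okta-aws-cli user agent (field names chosen for this example).
type UA struct {
	Version string
	GoVer   string // empty when the build omits the Go toolchain version
	OS      string
	Arch    string
}

// The two layouts quoted in the issue:
//   okta-aws-cli/1.2.2 golang/go1.21.1 darwin/amd64
//   okta-aws-cli/2.0.1 (go1.21.6; darwin; amd64)   (Go version optional)
var (
	legacyRe = regexp.MustCompile(`^okta-aws-cli/(\S+) golang/(\S+) (\S+)/(\S+)$`)
	parenRe  = regexp.MustCompile(`^okta-aws-cli/(\S+) \((?:(go\S+); )?(\S+); (\S+)\)$`)
)

// ParseUA returns the structured fields, or false for anything that is not an okta-aws-cli UA.
func ParseUA(s string) (UA, bool) {
	s = strings.TrimSpace(s)
	if m := legacyRe.FindStringSubmatch(s); m != nil {
		return UA{Version: m[1], GoVer: m[2], OS: m[3], Arch: m[4]}, true
	}
	if m := parenRe.FindStringSubmatch(s); m != nil {
		return UA{Version: m[1], GoVer: m[2], OS: m[3], Arch: m[4]}, true
	}
	return UA{}, false
}

// Canonical drops the Go version so one client release on one platform maps to a single string.
func (u UA) Canonical() string {
	return fmt.Sprintf("okta-aws-cli/%s (%s; %s)", u.Version, u.OS, u.Arch)
}

func main() {
	for _, s := range []string{
		"okta-aws-cli/1.2.2 golang/go1.19.12 darwin/amd64",
		"okta-aws-cli/2.0.1 (go1.21.6; darwin; amd64)",
	} {
		if u, ok := ParseUA(s); ok {
			fmt.Printf("%-48s -> %s\n", s, u.Canonical())
		}
	}
}
```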

monde commented 6 months ago

hi @joshgch, the current format okta-aws-cli/2.1.1 (go1.22.0; darwin; amd64) is similar to the human web browser user agent formats. For example: Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405; see https://en.wikipedia.org/wiki/User-Agent_header

We use the user agent string to categorize usage with our internal logging system. Going with your suggestion reduces the usage signal we collect.

All that said, I know this subject of Okta auth policies has come up before. I'll ping our PM. Also, can you open a support case at https://support.okta.com/? The more support cases this subject gets, the more pressure there will be on the feature team that owns authentication policies to support this.

/cc @jefftaylor-okta

joshgch commented 6 months ago

We already have a support case open for this. Would it be helpful to have the case number?

Custom expressions within Okta Authentication Policies do not seem to support string functions, so we can only do exact matches for the entire UA. If we could use string functions in those custom expressions, that would also be acceptable.

monde commented 6 months ago

cc: @jefftaylor-okta @bhavik-thakkar-okta