oktadev / okta-aws-cli-assume-role

Okta AWS CLI Assume Role Tool
Apache License 2.0

-sts get-caller-identity not working #285

Open berridgd opened 5 years ago

berridgd commented 5 years ago

Describe the bug: I followed the documentation here...

https://support.okta.com/help/s/article/Integrating-the-Amazon-Web-Services-Command-Line-Interface-Using-Okta

but when I run the -sts get-caller-identity command an empty Java window appears and I have no options to move forward.

To Reproduce: Follow the steps here...

https://support.okta.com/help/s/article/Integrating-the-Amazon-Web-Services-Command-Line-Interface-Using-Okta

Expected behavior: Get a caller identity?

AlainODea commented 5 years ago

UPDATE: correct link to readme

A common issue is using a URL for OKTA_ORG. It has to be a domain name, not a URL. Make sure OKTA_ORG in config.properties looks like example.okta.com (correct) rather than https://example.okta.com/ (incorrect).

Also make sure the OKTA_AWS_APP_URL is correct by visiting it in a regular browser. It should take you to the AWS Console or an AWS role selection page after you authenticate to Okta.

If that doesn't work, I would try the instructions in README.md first and see if you still have issues. That guide may no longer be accurate.

Caveat: there is a significant known issue with the latest release affecting Okta Push and SMS MFA: #284

It doesn't affect any MFA if you use OKTA_BROWSER_AUTH=true (the default with the installer), so if you use that it should be fine.
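The two checks above (OKTA_ORG must be a bare host, OKTA_AWS_APP_URL must be a real https URL) are easy to get wrong by hand, so here is a small checker for config.properties. This is an added example for this thread, not code from okta-aws-cli-assume-role; the key names are the ones discussed above, the sample files are constructed, and example.okta.com plus the app path in the sample are placeholders. The "app URL host should match OKTA_ORG" rule is a heuristic I added, not something the project enforces.

```python
"""Sanity-check config.properties for okta-aws-cli-assume-role.

Added example for this thread, not code from the project. The key names
(OKTA_ORG, OKTA_AWS_APP_URL, OKTA_BROWSER_AUTH) are the ones discussed
above; the sample files below are constructed and the example.okta.com
URLs are placeholders.
"""
import re
import sys
from urllib.parse import urlparse

# RFC 1123-style hostname: dotted labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9-]{2,63}$"
)


def parse_properties(text):
    """Minimal reader for java.util.Properties files: key=value or key:value,
    '#' and '!' comment lines, surrounding whitespace ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_config(props):
    """Return a list of human-readable problems (empty list means OK)."""
    problems = []

    org = props.get("OKTA_ORG", "")
    if not org:
        problems.append("OKTA_ORG is missing")
    elif "://" in org or "/" in org:
        # The common mistake from the thread: a URL where a bare host is expected.
        host = urlparse(org if "://" in org else "//" + org).hostname or "example.okta.com"
        problems.append(
            f"OKTA_ORG must be a bare domain name like {host}, not a URL ({org})"
        )
    elif not HOSTNAME_RE.match(org):
        problems.append(f"OKTA_ORG does not look like a domain name: {org}")

    app = props.get("OKTA_AWS_APP_URL", "")
    if not app:
        problems.append("OKTA_AWS_APP_URL is missing")
    else:
        u = urlparse(app)
        if u.scheme != "https" or not u.hostname:
            problems.append(f"OKTA_AWS_APP_URL must be an https:// URL: {app}")
        elif HOSTNAME_RE.match(org) and u.hostname.lower() != org.lower():
            # Heuristic (assumption): the app link normally lives on the org host.
            problems.append(
                f"OKTA_AWS_APP_URL host {u.hostname} differs from OKTA_ORG {org}"
            )

    browser = props.get("OKTA_BROWSER_AUTH")
    if browser is not None and browser.lower() not in ("true", "false"):
        problems.append(f"OKTA_BROWSER_AUTH must be true or false, got {browser!r}")

    return problems


# Constructed sample reproducing the mistake described in the thread.
BAD_CONFIG = """\
# OKTA_ORG given as a URL (wrong)
OKTA_ORG=https://example.okta.com/
OKTA_AWS_APP_URL=https://example.okta.com/home/amazon_aws/exampleappid/123
OKTA_BROWSER_AUTH=true
"""

# Same file with OKTA_ORG corrected to a bare domain name.
GOOD_CONFIG = BAD_CONFIG.replace(
    "OKTA_ORG=https://example.okta.com/", "OKTA_ORG=example.okta.com"
)


if __name__ == "__main__":
    # usage: python check_okta_config.py [path/to/.okta/config.properties]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else BAD_CONFIG
    for line in check_config(parse_properties(text)) or ["config looks OK"]:
        print(line)
```

Run it against the real file in your .okta directory; with no argument it checks the constructed bad sample and reports the URL-instead-of-host mistake.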

berridgd commented 5 years ago

I have validated the OKTA_ORG and OKTA_AWS_APP_URL are set to the correct values so I went to the readme.md and I noticed I missed a step. The last step for the Manual Install is to 'Copy scripts from .okta/bin to somewhere on your PATH'. Unfortunately I did not find a bin folder when I opened the jar file.

AlainODea commented 5 years ago

@berridgd the step to copy scripts from .okta/bin is no longer valid unfortunately. The installer script should configure PowerShell or Bash properly to have the expected commands available.

berridgd commented 5 years ago

@AlainODea I've reinstalled with the PowerShell install script but I am getting this error when I run okta-aws test...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

AlainODea commented 5 years ago

That error happens because the certificate presented by the site isn't trusted by your JRE.

Are you on the latest Java 8 or 11 release? Earlier releases have outdated CA certs and may impact this.

Is there a TLS decrypting proxy between your machine and yourorg.okta.com? If so, its decrypting CA cert will need to be added to your JRE's trust store. I can't help with that, but there is guidance online.
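To confirm the proxy theory and then fix it, the two steps are: look at who actually issued the certificate your machine receives for the Okta host, and, if it is a corporate CA rather than a public one, import that CA into the cacerts file of the JRE the tool runs under. The script below is an added example for this thread, not part of okta-aws-cli-assume-role. It assumes keytool comes from the same JRE, that the trust store password is the Java default "changeit", that your security team hands you the proxy CA as a PEM file, and the alias "corp-proxy-ca" is just a name chosen here.

```python
"""Diagnose the PKIX 'unable to find valid certification path' error and
add a TLS-inspecting proxy's CA to the JRE trust store.

Added example for this thread, not code from okta-aws-cli-assume-role.
Assumptions: keytool is the one shipped with the JRE the tool runs under,
the cacerts password is the default 'changeit', the proxy CA comes from
your security team as a PEM file, and 'corp-proxy-ca' is an arbitrary alias.
"""
import shutil
import socket
import ssl
import subprocess
import sys
from pathlib import Path

CACERTS_LAYOUTS = (
    "jre/lib/security/cacerts",  # JDK 8: trust store lives under jre/
    "lib/security/cacerts",      # JRE 8 install, and Java 9+ JDK/JRE
)


def find_cacerts(java_home):
    """Return the path of the JRE trust store under java_home, or None."""
    for rel in CACERTS_LAYOUTS:
        candidate = Path(java_home) / rel
        if candidate.is_file():
            return candidate
    return None


def probe(host, port=443, timeout=10):
    """Connect using Python's default (OS) trust store and report who issued
    the leaf certificate actually presented on this network path. An issuer
    naming your proxy vendor instead of a public CA, or a verification
    failure, points at a decrypting proxy rather than at Okta itself."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"verified": False, "error": exc.verify_message}
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return {"verified": True, "issuer": issuer}


def build_import_cmd(cacerts, pem_path, alias="corp-proxy-ca",
                     storepass="changeit", keytool="keytool"):
    """keytool invocation that adds pem_path as a trusted CA to cacerts."""
    return [keytool, "-importcert", "-noprompt", "-trustcacerts",
            "-alias", alias, "-file", str(pem_path),
            "-keystore", str(cacerts), "-storepass", storepass]


def import_proxy_ca(java_home, pem_path, alias="corp-proxy-ca"):
    """Import the proxy CA into the trust store of the JRE at java_home.
    Needs write access to cacerts (run elevated on a stock install)."""
    cacerts = find_cacerts(java_home)
    if cacerts is None:
        raise FileNotFoundError(f"no cacerts under {java_home}")
    keytool = shutil.which("keytool", path=str(Path(java_home) / "bin")) or "keytool"
    cmd = build_import_cmd(cacerts, pem_path, alias, keytool=keytool)
    return subprocess.run(cmd, capture_output=True, text=True)


if __name__ == "__main__":
    # usage: python fix_pkix.py HOST [JAVA_HOME PROXY_CA.pem]
    if len(sys.argv) < 2:
        sys.exit("usage: fix_pkix.py HOST [JAVA_HOME PROXY_CA.pem]")
    print(probe(sys.argv[1]))
    if len(sys.argv) >= 4:
        result = import_proxy_ca(sys.argv[2], sys.argv[3])
        print(result.stdout or result.stderr)
```

Import only the CA certificate your security team identifies as the proxy's signing CA, never the leaf, and check the JAVA_HOME you pass is the Java the installer's wrapper actually launches, since a machine with several JREs has several cacerts files. If you would rather not touch the system trust store, a copy of cacerts with the CA added can be selected per process with JAVA_TOOL_OPTIONS=-Djavax.net.ssl.trustStore=path.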

berridgd commented 5 years ago

@AlainODea I added OKTA_BROWSER_AUTH=true and OKTA_USERNAME back into the config.properties file and the error went away but the Java window that pops up is still empty. My java version is 1.8.

berridgd commented 5 years ago

This is what the Java window looks like...

(screenshot of the empty Java window)

AlainODea commented 5 years ago

@berridgd is there anything logged to the console?

I suspect the issue is the same, but it's just not getting logged for some reason.

There is the possibility of JavaFX WebView logging, but it goes from silent to firehose rapidly as logging granularity is ramped up.

berridgd commented 5 years ago

@AlainODea I am running this in a PowerShell session and nothing is logged to the console. When I run the command 'aws-okta test -sts get-caller-identity' the window pops up and then when I close the window the command finishes in the console with no output. Is there a flag I can pass the command to see more logging?

AlainODea commented 5 years ago

In $HOME\.okta\ there should be a file called logging.properties.

If you add this line, you'll get a firehose of additional logging:

com.sun.webkit.WebPage.level = FINE

I get 89 log events (188 lines) of logging on a healthy login with that enabled. It should give you browser-level console events in fairly high detail.

There are other WebEngine logs accessible, but I haven't had cause to enable or use them.

berridgd commented 5 years ago

I added the line to logging.properties file but it did not produce any logs. I am going to clean install at this point.

berridgd commented 5 years ago

Unfortunately I am still experiencing the same issues after a clean install; empty java window and no logging output.

pierresteiner commented 5 years ago

I do have the same problem.

It already happened in the past and we had to revert to an older version of Java to get it working.

I am running: java version "1.8.0_211"

barkayw commented 5 years ago

I thought that I had the same problem... I got this error: "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

This happened only while I connected over a proxy; when I connect over the internet it works fine. I am working with the security team to fix this issue.

berridgd commented 5 years ago

I have manually installed an older version (1.0.10) and run the awscli command and I am getting a little further now. Now the window that pops up is not blank but says 'Connecting to' 'Sign in with your account to access aws' but there is no input for my credentials?