Description
Expected Behavior
I want to use device tokens with Okta Identity Engine. The last version I'm aware of that works for me is 2.8.0; it started constantly prompting me for MFA in 2.8.1.
Current Behavior
With 2.8.1 this broke and now I'm prompted for MFA on every gimme-aws-creds call.
#457 included this change. #458 tried loosening the restriction of not using device tokens with OIE domains, but it still doesn't work for me.
Possible Solution
Just don't hard-code disabling the device token functionality, allow forcing it with a setting (just like forcing classic), because I'm using OIE and device tokens still work for me as not all organizations use step-up authentication, especially if they've recently upgraded from classic to OIE.
Steps to Reproduce (for bugs)
- try running `gimme-aws-creds --force-classic --register-device` with 2.8.2 - no device token is created
- try running `gimme-aws-creds --force-classic --register-device` with 2.7.2 - device token still works, and the frequency of MFA prompts is reduced for subsequent gimme-aws-creds calls
Context
Before 2.8.1 we didn't have any issues; our org has a policy that doesn't require us to MFA on every single login, and we allow remembering devices. This worked just fine with Okta classic; now we have moved to Okta Identity Engine and I'm constantly facing MFA prompts from gimme-aws-creds.
My workaround for it is to downgrade to a version before 2.8.1, but I'd rather have gimme-aws-creds allow me to force remembering the device token, even when on Okta Identity Engine, because in some configurations that still works.
Your Environment
- App Version used:
- Environment name and version:
- Operating System and version: