[Python 3.13] Okta Identity Engine: «requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url»

[yermulnik]

I've upgraded our Okta Preview tenant from Classic to OIE and am trying to re-configure gimme-aws-creds to use Device Authorization Flow instead of Classic but to no success =(

The Classic flow works w/o issues, the okta-aws-cli works too.

I ran gimme-aws-creds --profile OKTA_PREVIEW --action-configure, filled in all the details (effectively the diff with Classic flow is the force_classic = False + client_id = <oidc app client id>), but it fails with requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: … 😢

Appreciate any assistance and hints.

> gimme-aws-creds --profile OKTA_PREVIEW --action-list-roles
Traceback (most recent call last):
  File "/home/linuxbrew/.linuxbrew/bin/gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
    ~~~~~~~~~~~~~~~~~~~^^
  File "/home/linuxbrew/.linuxbrew/Cellar/gimme-aws-creds/2.8.2_5/libexec/lib/python3.13/site-packages/gimme_aws_creds/main.py", line 454, in run
    self._run()
    ~~~~~~~~~^^
  File "/home/linuxbrew/.linuxbrew/Cellar/gimme-aws-creds/2.8.2_5/libexec/lib/python3.13/site-packages/gimme_aws_creds/main.py", line 873, in _run
    self.handle_action_list_roles()
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/home/linuxbrew/.linuxbrew/Cellar/gimme-aws-creds/2.8.2_5/libexec/lib/python3.13/site-packages/gimme_aws_creds/main.py", line 972, in handle_action_list_roles
    raise errors.GimmeAWSCredsExitSuccess(result='\n'.join(map(str, self.aws_roles)))
                                                                    ^^^^^^^^^^^^^^
  File "/home/linuxbrew/.linuxbrew/Cellar/gimme-aws-creds/2.8.2_5/libexec/lib/python3.13/site-packages/gimme_aws_creds/main.py", line 719, in aws_roles
    self.saml_data['SAMLResponse'],
    ^^^^^^^^^^^^^^
  File "/home/linuxbrew/.linuxbrew/Cellar/gimme-aws-creds/2.8.2_5/libexec/lib/python3.13/site-packages/gimme_aws_creds/main.py", line 710, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'], self.auth_session)
                                                                       ^^^^^^^^^^^^
  File "/home/linuxbrew/.linuxbrew/Cellar/gimme-aws-creds/2.8.2_5/libexec/lib/python3.13/site-packages/gimme_aws_creds/main.py", line 703, in aws_app
    self._cache['aws_app'] = aws_app = self._get_selected_app(self.conf_dict.get('aws_appname'), self.aws_results)
                                                                                                 ^^^^^^^^^^^^^^^^
  File "/home/linuxbrew/.linuxbrew/Cellar/gimme-aws-creds/2.8.2_5/libexec/lib/python3.13/site-packages/gimme_aws_creds/main.py", line 649, in aws_results
    self.auth_session
  File "/home/linuxbrew/.linuxbrew/Cellar/gimme-aws-creds/2.8.2_5/libexec/lib/python3.13/site-packages/gimme_aws_creds/main.py", line 630, in auth_session
    auth_result = self.okta.auth_session(redirect_uri=self.conf_dict.get('app_url'), open_browser=open_browser)
  File "/home/linuxbrew/.linuxbrew/Cellar/gimme-aws-creds/2.8.2_5/libexec/lib/python3.13/site-packages/gimme_aws_creds/okta_identity_engine.py", line 67, in auth_session
    login_response = self._start_device_flow()
  File "/home/linuxbrew/.linuxbrew/Cellar/gimme-aws-creds/2.8.2_5/libexec/lib/python3.13/site-packages/gimme_aws_creds/okta_identity_engine.py", line 117, in _start_device_flow
    response.raise_for_status()
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/home/linuxbrew/.linuxbrew/Cellar/gimme-aws-creds/2.8.2_5/libexec/lib/python3.13/site-packages/requests/models.py", line 1024, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://[…].oktapreview.com/oauth2/v1/device/authorize

Simply flipping value of force_classic to True in config magically makes it work (but through the Classic flow obviously):

> gimme-aws-creds --profile OKTA_PREVIEW --action-list-roles
Using inherited config: DEFAULT
Okta Classic login flow enabled
Okta Password for georgii.iermulnik@[…].com:
Multi-factor Authentication required.
token:software:totp( GOOGLE ) selected : georgii.iermulnik@[…].com
Enter verification code:
RoleSet(idp='arn:aws:iam::[…]:saml-provider/okta-saml-idp-okta-preview', role='arn:aws:iam::[…]:role/okta-saml-idp-okta-preview', friendly_account_name='SingleAccountName', friendly_role_name='SingleRole')

[yermulnik]

Just in case:

• The app_url value in ~/.okta_aws_login_config has URL of AWS Federation Okta app
• The client_id value is the Client ID of the OIDC Native Okta app, which is set as Allowed Web SSO Client in the AWS Federation app
• Both Apps configured according to https://github.com/Nike-Inc/gimme-aws-creds#okta-identity-engine-and-device-authorization-flow

[yermulnik]

I updated okta_identity_engine.py to print raw response_data and it's this:

{'errorCode': 'invalid_client', 'errorSummary': "Invalid value for 'client_id' parameter.", 'errorLink': 'invalid_client', 'errorId': 'oae4pUwJox2SpmQctpVYPR3PQ', 'errorCauses': []}

I double checked client_id (and also debug-printed it) and it's correct 😕

[yermulnik]

I seem to get to some point digging into this: the same code works for me using Python 3.10, but fails with Python 3.13 (which is the Python version that gimme-aws-creds is shipped with using Homebrew) 😕

import requests

data = {
    "client_id": "0[…]7",
    "scope": "openid okta.apps.sso"
}
url = "https://[…].oktapreview.com/oauth2/v1/device/authorize"
headers = {'User-Agent': 'gimme-aws-creds 2.8.2;linux;3.13.2', 'Accept': 'application/json'}

response = requests.post(url, data=data, headers=headers, verify=True)

print(response.text)

Python 3.10

> ~/tmp/zzz.py
{"device_code":"0[…]e","user_code":"P[…]X","verification_uri":"https://[…].oktapreview.com/activate","verification_uri_complete":"https://[…].oktapreview.com/activate?user_code=P[…]X","expires_in":600,"interval":5}

Python 3.13

> ~/tmp/zzz.py
{"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oaefXTVj98tTvSQVMLwD1iSDg","errorCauses":[]}

[yermulnik]

Added debug output and with Py3.13 there's somehow a trailing Authorization: Basic Og==\r\n bit in the request 😲
Python 3.13

> ~/tmp/zzz.py 2>&1 | egrep -m 1 "^send: "
send: b'POST /oauth2/v1/device/authorize HTTP/1.1\r\nHost: […].oktapreview.com\r\nUser-Agent: gimme-aws-creds 2.8.2;linux;3.13.2\r\nAccept-Encoding: gzip, deflate\r\nAccept: application/json\r\nConnection: keep-alive\r\nContent-Length: 57\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic Og==\r\n\r\n'

Python 3.10

> ~/tmp/zzz.py 2>&1 | egrep -m 1 "^send: "
send: b'POST /oauth2/v1/device/authorize HTTP/1.1\r\nHost: […].oktapreview.com\r\nUser-Agent: gimme-aws-creds 2.8.2;linux;3.13.2\r\nAccept-Encoding: gzip, deflate, br\r\nAccept: application/json\r\nConnection: keep-alive\r\nContent-Length: 57\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n'

[yermulnik]

So it's Python 3.13, requests, and ~/.netrc who are the cause of the issue 😕

[yermulnik]

While this isn't fixed at requests side, the options are:

• Remove ~/.netrc file altogether — breaks other stuff in my case
  • Remove host section from ~/.netrc that covers target Okta host — breaks other stuff in my case
• Export NETRC Env var with an empty value before running gimme-aws-creds (export NETRC="")
  • Implement the same in Python code if gimme-aws-creds is used as Python lib: os.environ['NETRC'] = ''
• Downgrade to any version of Python before 3.13