Exception when using okta-aws to refresh expired token

popefelix · February 10, 2023, 7:49pm

When I attempt to log into Okta after my session has expired using okta-aws-cli-assume-role I get the following exception:

Exception in thread "main" java.lang.ExceptionInInitializerError
        at com.okta.tools.OktaAwsConfig.runProgram(OktaAwsConfig.java:91)
        at com.okta.tools.OktaAwsConfig.lambda$deferProgram$2(OktaAwsConfig.java:86)
        at com.okta.tools.authentication.OktaAuthentication.getPassword(OktaAuthentication.java:169)
        at com.okta.tools.authentication.OktaAuthentication.getPrimaryAuthResponse(OktaAuthentication.java:127)
        at com.okta.tools.authentication.OktaAuthentication.getOktaSessionToken(OktaAuthentication.java:51)
        at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:47)
        at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:132)
        at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
        at com.okta.tools.WithOkta.main(WithOkta.java:28)
Caused by: java.lang.StringIndexOutOfBoundsException: Range [0, 3) out of bounds for length 2
        at java.base/jdk.internal.util.Preconditions$1.apply(Preconditions.java:55)
        at java.base/jdk.internal.util.Preconditions$1.apply(Preconditions.java:52)
        at java.base/jdk.internal.util.Preconditions$4.apply(Preconditions.java:213)
        at java.base/jdk.internal.util.Preconditions$4.apply(Preconditions.java:210)
        at java.base/jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:98)
        at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckFromToIndex(Preconditions.java:112)
        at java.base/jdk.internal.util.Preconditions.checkFromToIndex(Preconditions.java:349)
        at java.base/java.lang.String.checkBoundsBeginEnd(String.java:4602)
        at java.base/java.lang.String.substring(String.java:2715)
        at org.apache.commons.lang.SystemUtils.getJavaVersionAsFloat(SystemUtils.java:1133)
        at org.apache.commons.lang.SystemUtils.<clinit>(SystemUtils.java:818)
        ... 9 more

However, I am able log in using v1.0.2 of this package (although it’s worth noting that it may have been customized for my organization; I’m not sure).

popefelix · February 10, 2023, 7:51pm

~/.okta/config.properties:

#
# Copyright 2017 Okta
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

#
# ENGINEERING NOTE: This file should live in ~/.okta/config.properties
#
#OktaAWSCLI
OKTA_ORG=cbsi.okta.com
OKTA_AWS_APP_URL=https://cbsi.okta.com/home/amazon_aws/REDACTED
OKTA_USERNAME=myUsername
OKTA_PASSWORD_CMD=security find-generic-password -a myUsername -s okta-aws-cli -w
OKTA_BROWSER_AUTH=false
OKTA_ENV_MODE=false
OKTA_AWS_ROLE_TO_ASSUME=arn:aws:iam::123456789012:role/REDACTED
OKTA_MFA_CHOICE=OKTA.push
#OKTA_MFA_CHOICE=token
OKTA_AWS_REGION=us-east-1
OKTA_STS_DURATION=43200