How to get web_sso_token when grant_type is password

Hello.
I am currently trying to build my own command line tool using Okta’s API.
Eventually, I would like to use Amazon STS’s AssumeRoleWithSAML in AWS to get temporary credentials.

Now, when I call /oauth2/v1/token with grant_type set to password, authenticate with user_name and password, and receive an access_token and id_token,
and then try to perform a token exchange by calling /oauth2/v1/token with grant_type set to urn:ietf:params:oauth:grant-type:token-exchange,
I get the following error.

{
   "error": "invalid_grant",
   "error_description": "The 'actor_token' must have the 'okta.apps.sso' scope to request a 'web_sso_token'."
}

Now, if okta.apps.sso is specified as a scope in the first /oauth2/v1/token call, the one that issues the actor_token (the access_token),
the following error occurs.

{
    "error": "invalid_scope",
    "error_description": "The following scopes are not allowed for this request: [okta.apps.sso]."
}

Is this error a hard limit for the API?

Best regards.

As of right now, we only support use of web_sso_token by our own AWS CLI and not for custom integrations.


Andrea, thank you for your response.
I was referring to the AWS CLI.

Is there any plan to release the use of web_sso_token in custom integrations in the future?

Sorry for the rudimentary question.
At this time, we are using the API or SDK to perform authentication.
Is it possible to obtain a token similar to web_sso_token?
Ultimately, we would like to use Amazon STS AssumeRoleWithSAML to obtain temporary credentials.

Best regards.

I’m not really aware of another way to achieve this short of using our AWS CLI and haven’t heard any plans or ETAs to allow use of web_sso_tokens for custom integrations.

Thanks for the answer.
We are having difficulty using aws-cli as it is, so we are using the API to build our own.