Java opens console instead of reverting to shell

[CyberViking949]

i have several users, and rarely myself, that are not having tokens generated. instead the java browser opens an aws console

[lplustig]

hi, we are experiencing the same issue as well. please advise. users who had it setup work before work fine, but new users are not working. i've tested this on my local by renaming my .okta dir to .okta.bak and i get the same aws console pop up window instead of selecting it from the terminal. furthermore, when i move back the .okta.bak folder to .okta, everything works fine. checking the cookie.properties, i do see a couple of new parameters in there on the new install: aws-ubid-main and __cfduid that are not present in my old cookies.properties files. thank you.

[jeremyplichtafc]

I was experiencing this today as well. above PR fixes for me locally. I should clarify, I run this with OKTA_BROWSER_AUTH=true because our org needs browser auth to authenticate to okta. For me though after authentication the javafx browser was remaining open and showing the AWS console. With the PR, after authenticating the javafx window closes and you are again prompted to choose the role you want on the CLI.

[hb3b]

Seeing all the roles in the browser pop-up.

Java(TM) SE Runtime Environment (build 12.0.1+12)
Java HotSpot(TM) 64-Bit Server VM (build 12.0.1+12, mixed mode, sharing)

Disabling the browser setting immediately after renders the menu correctly however choosing an option errors out

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.amazonaws.util.XpathUtils (file:/Users/ben.hecht/.okta/okta-aws-cli-2.0.2.jar) to constructor com.sun.org.apache.xpath.internal.XPathContext()
WARNING: Please consider reporting this to the maintainers of com.amazonaws.util.XpathUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value null at 'principalArn' failed to satisfy constraint: Member must not be null (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: c120315e-93ca-11e9-8fa4-b3fbce5432fb)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1368)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1335)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1324)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRoleWithSAML(AWSSecurityTokenServiceClient.java:658)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRoleWithSAML(AWSSecurityTokenServiceClient.java:630)
	at com.okta.tools.helpers.RoleHelper.assumeChosenAwsRole(RoleHelper.java:54)
	at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:135)
	at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
	at com.okta.tools.WithOkta.main(WithOkta.java:30)

[jeremyplichtafc]

The PR above got merged but is not released yet. Can you try building from master mvn package and taking the resulting jar, putting it in the correct spot in ~/.okta and try again and see if the problem is resolved for you?

[hb3b]

The PR above got merged but is not released yet. Can you try building from master mvn package and taking the resulting jar, putting it in the correct spot in ~/.okta and try again and see if the problem is resolved for you?

Awesome! Thanks for the fix. Confirmed that it works great.

[iandelahorne]

This bit us, causing a lot of headscratching to chase down - can we get a new release built with this fix please?

[jeremyplichtafc]

@mraible or @AlainODea - my company uses Okta pretty heavily and rely on this tool. As long as I'm here and using it (which I anticipate being a while hopefully) I am willing to help maintain it and cut a new release. Does one of you want to give me access to do that and walk me through any guidelines and processes you have?

[AlainODea]

@jeremyplichtafc please don't mention me on issues. See #292

[verstarr]

This bug is really annoying... When is this slated to be released?
Also, re: Can you try building from master mvn package and taking the resulting jar, how can this be done? Sorry for the lack of awareness

[mraible]

@verstarr This is a volunteer-only project, with no Okta developers working on it (unfortunately). You can build a new JAR from master using mvn package.

[CyberViking949]

i built a new jar using mvn, and now it just opens an Okta page, but without the login fields