
Sending wrong actor_token when switching okta domain fastly. #264

Open
DingGGu opened this issue Jan 15, 2025 · 1 comment


DingGGu commented Jan 15, 2025

Hi there,

I am using okta-aws-cli to configure Terraform and the AWS CLI; the command receives AWS credentials.

Example command for logging in to aws-cli:

$ okta-aws-cli web --org-domain "a.okta.com" --oidc-client-id "??" --aws-acct-fed-app-id "??" --aws-iam-idp "??" --open-browser
$ okta-aws-cli web --org-domain "b.okta.com" --oidc-client-id "??" --aws-acct-fed-app-id "??" --aws-iam-idp "??" --open-browser

When logging in multiple times quickly with different org-domain values, an error occurs saying that the subject_token is invalid.

So I checked it using the okta-aws-cli -d -g web option.

At the POST /oauth2/v1/token step, I was able to confirm that the iss and aud values of the JWT in the actor_token parameter are from the previous domain.

It seems that the actor_token is cached somewhere.

Expected behavior:
okta-aws-cli web should work

iss and aud values:
attempt1) a.okta.com
attempt2) b.okta.com

Current status:

Error: Okta API returned an error: 'subject_token' is invalid.
An error occurred

iss and aud values:
attempt1) a.okta.com
attempt2) a.okta.com


DingGGu commented Jan 15, 2025

Found a solution:

Delete the file ~/.okta/awscli-access-token.json

okta-aws-cli option:
Cache Okta access token at $HOME/.okta/awscli-access-token.json to reduce need to open device authorization URL

The access token cache needs to be improved so that it is keyed by Okta domain.
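The thread above describes a single cache file being reused across org domains. The following is an added example (not okta-aws-cli's own code) of the two defensive pieces such a cache needs: entries keyed by org domain, and a check that the cached token's iss claim actually names the domain being requested before the token is reused. The CachedToken/TokenCache shapes, the unsigned demo token built by makeUnsignedJWT, and the domains a.okta.com and b.okta.com from the report are assumptions for illustration; the issuer peek decodes the JWT payload without verifying its signature and is only a sanity check, not a replacement for proper token validation.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// CachedToken is one cache entry. Field names are this example's assumptions,
// not okta-aws-cli's on-disk format.
type CachedToken struct {
	OrgDomain   string    `json:"org_domain"`
	AccessToken string    `json:"access_token"`
	ExpiresAt   time.Time `json:"expires_at"`
}

// TokenCache keys entries by Okta org domain instead of holding a single token,
// so a.okta.com and b.okta.com can never overwrite each other.
type TokenCache map[string]CachedToken

// jwtClaims holds the two claims the issue report inspected.
type jwtClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
}

// issuerClaims decodes the payload segment of a compact JWT WITHOUT verifying
// the signature. It is only enough to tell which org issued the token.
func issuerClaims(token string) (jwtClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return jwtClaims{}, errors.New("not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return jwtClaims{}, err
	}
	var c jwtClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return jwtClaims{}, err
	}
	return c, nil
}

// issuerMatchesOrg reports whether the iss claim names orgDomain. Okta issuers
// look like https://<org-domain> or https://<org-domain>/oauth2/<server-id>.
func issuerMatchesOrg(iss, orgDomain string) bool {
	trimmed := strings.TrimPrefix(strings.TrimPrefix(iss, "https://"), "http://")
	host := strings.SplitN(trimmed, "/", 2)[0]
	return strings.EqualFold(host, orgDomain)
}

// Store records a token under its (lower-cased) org domain.
func (c TokenCache) Store(orgDomain, token string, expiresAt time.Time) {
	c[strings.ToLower(orgDomain)] = CachedToken{
		OrgDomain: orgDomain, AccessToken: token, ExpiresAt: expiresAt,
	}
}

// Lookup returns a usable cached token for orgDomain, or ok=false when there is
// none, it has expired, or its issuer does not match the requested domain.
// A mismatch means the caller must do a fresh login rather than send a token
// from another org as the actor_token.
func (c TokenCache) Lookup(orgDomain string, now time.Time) (string, bool) {
	entry, found := c[strings.ToLower(orgDomain)]
	if !found || !now.Before(entry.ExpiresAt) {
		return "", false
	}
	claims, err := issuerClaims(entry.AccessToken)
	if err != nil || !issuerMatchesOrg(claims.Iss, orgDomain) {
		return "", false // cross-org or undecodable token: do not reuse it
	}
	return entry.AccessToken, true
}

// makeUnsignedJWT builds a constructed, unsigned demo token (alg "none") so the
// example runs offline. Real tokens are signed by Okta.
func makeUnsignedJWT(iss, aud string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload, _ := json.Marshal(jwtClaims{Iss: iss, Aud: aud})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

func main() {
	cache := TokenCache{}
	now := time.Now()
	cache.Store("a.okta.com", makeUnsignedJWT("https://a.okta.com", "https://a.okta.com"), now.Add(time.Hour))

	if _, ok := cache.Lookup("a.okta.com", now); ok {
		fmt.Println("a.okta.com: reusing cached token")
	}
	// Switching org must not hand back a.okta.com's token.
	if _, ok := cache.Lookup("b.okta.com", now); !ok {
		fmt.Println("b.okta.com: no cached token, fresh login required")
	}
}
```

Even with a per-domain key, the issuer check is worth keeping: if a cache file is ever written under the wrong key (or edited by hand), Lookup still refuses to send a token from one org to another.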
