Description
Current CI Workflow & Issue
The customer is using the okta-aws-cli Native OIDC app alongside an AWS Account Federation (SAML) app.
Current State: When the authentication policy is set to "Any two factors," the CLI workflow functions correctly, but the browser-based AWS Federation login does not enforce strict Device MFA (Okta Verify), which is a security requirement.
The Conflict: If they apply a stricter custom policy to enforce Device MFA on the AWS Federation app, the browser login works as intended (prompts for Okta Verify). However, the CLI token exchange fails with the following error because the subject_token cannot satisfy the stricter policy during the exchange:
Error: Okta API returned an error: The application's assurance requirements are not met by the 'subject_token'
Desired Workflow
The customer requires a supported pattern or feature enhancement that allows them to:
Enforce strict Device MFA (Okta Verify) on the AWS Account Federation login for interactive browser sessions.
Simultaneously allow CI/CLI workflows to successfully perform the token exchange without failing due to "assurance requirements not met" and without requiring manual MFA intervention for every automated run.
Business Impact / Efficiency
This enhancement is critical for balancing security compliance with operational efficiency. It would allow the customer to meet their device trust security mandates without breaking their DevOps automation.