Adds ability to use the Org AS with Direct Auth

README.md

@@ -321,7 +321,7 @@ note the ARNs of these roles for later use.
 
 ## Direct Command
 
-**NOTE**: The `direct` command only operates with an Okta OIDC app, not the
+**NOTE**: The `direct` command only operates with an Okta OIDC app, not with the
 Okta AWS Federation app.
 
 ```shell
@@ -400,7 +400,6 @@ Direct is an integration of:
 
 - Otka's [Direct Authorization](https://developer.okta.com/docs/guides/configure-direct-auth-grants/dmfaoobov/main/), and out-of-bounds MFA flow
 - [Okta API service app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/)
-- Okta [custom](https://developer.okta.com/docs/guides/customize-authz-server/main/) authorization server
 - [Okta access policy](https://developer.okta.com/docs/guides/configure-access-policy/main/) associated with the service app and have rule(s) for the client credentials flow
 - [AWS IAM OpenID Connect (OIDC) identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
 
@@ -575,7 +574,7 @@ These settings are optional unless marked otherwise:
 |-----|-----|-----|-----|
 | Username (**required**) | The username of the operator | `--username [value]` | `OKTA_AWSCLI_USERNAME` |
 | Password (**required**) | The password of the operator | `--password [value]` | `OKTA_AWSCLI_PASSWORD` |
-| Authorization Server ID | The ID of the Okta authorization server, set ID for a custom authorization server, will use default otherwise. Default `default` | `--authz-id [value]` | `OKTA_AWSCLI_AUTHZ_ID` |
+| Authorization Server ID | The ID of the Okta authorization server, set ID for a custom authorization server, will use Org authorization server otherwise. Default Org AS | `--authz-id [value]` | `OKTA_AWSCLI_AUTHZ_ID` |
 | Custom STS Role Session Name | Customize STS Role Session Name. Default `okta-aws-cli` | `--aws-sts-role-session-name [value]` | `OKTA_AWSCLI_STS_ROLE_SESSION_NAME` |
 
 ### Friendly IdP and Role menu labels

internal/directauth/directauth.go

@@ -47,10 +47,6 @@ type DirectAuthentication struct {
 // NewDirectAuthentication New Direct Authentication constructor
 func NewDirectAuthentication(cfg *config.Config) (*DirectAuthentication, error) {
 	// need to set our config defaults
-	if cfg.AuthzID() == "" {
-		_ = cfg.SetAuthzID(utils.DefaultAuthzID)
-	}
-
 	// Check if exec arg is present and that there are args for it before doing any work
 	if cfg.Exec() {
 		if _, err := exec.NewExec(cfg); err != nil {
@@ -116,7 +112,12 @@ func (da *DirectAuthentication) EstablishIAMCredentials() error {
 // https://developer.okta.com/docs/guides/configure-direct-auth-grants/dmfaoobov/main/#challenge-request
 func (da *DirectAuthentication) challengeAndPollForAT(mfaToken *okta.MFAToken) (at *okta.AccessToken, err error) {
 	clientID := da.config.OIDCAppID()
-	challengeURL := fmt.Sprintf(okta.CustomAuthzV1ChallengeEndpointFormat, da.config.OrgDomain(), da.config.AuthzID())
+        var challengeURL string
+        if da.config.AuthzID() == "" {
+            challengeURL = fmt.Sprintf(okta.OAuthV1ChallengeEndpointFormat, da.config.OrgDomain())
+        } else {
+            challengeURL = fmt.Sprintf(okta.CustomAuthzV1ChallengeEndpointFormat, da.config.OrgDomain(), da.config.AuthzID())
+        }
 	data := url.Values{
 		"client_id":                 {clientID},
 		"mfa_token":                 {mfaToken.Token},
@@ -157,7 +158,12 @@ func (da *DirectAuthentication) challengeAndPollForAT(mfaToken *okta.MFAToken) (
 	// Keep polling if Status Code is 400 and apiError.Error ==
 	// "authorization_pending". Done if status code is 200. Else error.
 	poll := func() error {
-		requestTokenURL := fmt.Sprintf(okta.CustomAuthzV1TokenEndpointFormat, da.config.OrgDomain(), da.config.AuthzID())
+                var requestTokenURL string
+                if da.config.AuthzID() == "" {
+                    requestTokenURL = fmt.Sprintf(okta.OAuthV1TokenEndpointFormat, da.config.OrgDomain())
+                } else {
+                    requestTokenURL = fmt.Sprintf(okta.CustomAuthzV1TokenEndpointFormat, da.config.OrgDomain(), da.config.AuthzID())
+                }
 		data := url.Values{
 			"client_id":  {clientID},
 			"scope":      {"openid profile"},
@@ -223,7 +229,12 @@ func (da *DirectAuthentication) requestMFAToken() (*okta.MFAToken, error) {
 	clientID := da.config.OIDCAppID()
 	username := da.config.Username()
 	password := da.config.Password()
-	requestTokenURL := fmt.Sprintf(okta.CustomAuthzV1TokenEndpointFormat, da.config.OrgDomain(), da.config.AuthzID())
+        var requestTokenURL string
+                if da.config.AuthzID() == "" {
+                    requestTokenURL = fmt.Sprintf(okta.OAuthV1TokenEndpointFormat, da.config.OrgDomain())
+                } else {
+                    requestTokenURL = fmt.Sprintf(okta.CustomAuthzV1TokenEndpointFormat, da.config.OrgDomain(), da.config.AuthzID())
+                }
 	data := url.Values{
 		"client_id":  {clientID},
 		"grant_type": {"password"},

internal/okta/okta.go

@@ -25,4 +25,7 @@ const (
 
 	// CustomAuthzV1ChallengeEndpointFormat sprintf format string for custom oauth server token endpoint
 	CustomAuthzV1ChallengeEndpointFormat = "https://%s/oauth2/%s/v1/challenge"
+
+        // OAuthV1ChallengeEndpointFormat sprintf format string for base oauth server token endpoint
+        OAuthV1ChallengeEndpointFormat = "https://%s/oauth2/v1/challenge"
 )