Server error when loading Okta AWS App: 500 when using Yubikey

[ecliptik]

Describe the bug

Authenticating to AWS using a Yubikey as MFA gives a 500.

YUBICO Token Factor Authentication
Enter 'change factor' to use a different factor
Token: 
cccccckevucldnfvcdhklgjrrcgehldhdrydjbtfutul
Exception in thread "main" java.lang.IllegalStateException: Server error when loading Okta AWS App: 500
	at com.okta.tools.saml.OktaAppClientImpl.launchApp(OktaAppClientImpl.java:48)
	at com.okta.tools.saml.OktaSaml.launchOktaAwsAppWithSessionToken(OktaSaml.java:115)
	at com.okta.tools.saml.OktaSaml.getSamlResponseForAws(OktaSaml.java:54)
	at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:48)
	at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:132)
	at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
	at com.okta.tools.WithOkta.main(WithOkta.java:28)

This was working for the last few years up until 10/13/2023 and is affecting all users in our organization that use Yubikey as MFA for Okta.

To Reproduce

Steps to reproduce the behavior:

1. Setup Yubikey as MFA by setting OKTA_MFA_CHOICE=YUBICO.token:hardware in ~/.okta/config.properties
2. Authenticate with username and password
3. Touch Yubikey when prompted
4. Get error

Expected behavior

Use Yubikey as MFA.

Additional context

• Authentication using a Yubikey still works when using the Okta SSO for AWS via a webpage.
• Switching to a different MFA like OKTA_MFA_CHOICE=OKTA.push works.
• Building the latest source from git to create okta-aws-cli-3.0.1-SNAPSHOT.jar gives the same error.
• Removing ~/.okta/cookies.properties does not change anything.

contents of ~/.okta/config.properties:

OKTA_ORG=example.okta.com
OKTA_AWS_APP_URL=https://example.okta.com/home/amazon_aws/$TOKEN/473
[email protected]
OKTA_MFA_CHOICE=YUBICO.token:hardware
OKTA_STS_DURATION=14400