
[solution] Error: fetching SSO web token received API response "400 Bad Request", error: "invalid_grant", description: "The application's assurance requirements are not met by the 'subject_token'." #153

@monde

Description


Edit: see #153 (comment)

We'll add these notes to the README as well:

If you are seeing Error: fetching SSO web token received API response "400 Bad Request", error: "invalid_grant", description: "The application's assurance requirements are not met by the 'subject_token'." then try these remedies:

Check if the AWS Fed App policy is set to device: registered, or device: managed

Check if the AWS Fed App policy re-auth is set for 'every attempt'

'every attempt' is hit and miss, much like if you log in to the Okta dashboard and hit the admin button immediately you get right in, but if you wait 5 seconds you might get prompted for MFA again depending on policies. Customers run into this off and on, not knowing the reason. When they modified the AWS Fed App policy to be Re-authenticate after: 2 minutes they never saw this issue again. You can mimic this by setting the policy for the AWS fed app to re-auth 'every attempt'. Then in the okta-aws-cli introduce a 5 second sleep before the web sso token exchange and you will see this error even if you don't usually see it when re-auth 'every attempt' is set.
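The reproduction above (re-auth 'every attempt', then a 5 second sleep before the web SSO token exchange) can be modelled offline. The program below is an added example written for this page; it is not okta-aws-cli's own code and it does not talk to Okta. A mock token endpoint treats the re-auth policy as a freshness window (a hypothetical `maxAge`; the real policy is evaluated by Okta) and answers the exchange with the exact `400 Bad Request` / `invalid_grant` body quoted in the title once the subject token is older than that window. A fake clock stands in for wall time so the "sleep" is instantaneous, the `subj.<unix-seconds>` subject token and the `urn:okta:apps:example-fed-app-id` audience are constructed stand-ins, and the token-exchange form fields approximate the RFC 8693 exchange the CLI performs rather than reproduce it field for field. `Remedy` maps that specific response to the policy checks listed in this issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// fakeClock replaces wall time so the 5-second sleep from the issue can be
// reproduced without actually waiting. Client and mock server share it.
type fakeClock struct{ t time.Time }

func (c *fakeClock) Now() time.Time       { return c.t }
func (c *fakeClock) Sleep(d time.Duration) { c.t = c.t.Add(d) }

// mintSubjectToken is a constructed stand-in for the token the CLI holds after
// the authorize step; it only carries its issue time (assumption, not Okta's format).
func mintSubjectToken(c *fakeClock) string {
	return "subj." + strconv.FormatInt(c.Now().Unix(), 10)
}

// oauthError is the JSON error body of an OAuth 2.0 token response.
type oauthError struct {
	Error       string `json:"error"`
	Description string `json:"error_description"`
}

// ExchangeError is returned when the token endpoint rejects the exchange.
type ExchangeError struct {
	Status string // e.g. "400 Bad Request", as Go's http client reports it
	Body   oauthError
}

func (e *ExchangeError) Error() string {
	return fmt.Sprintf("fetching SSO web token received API response %q, error: %q, description: %q",
		e.Status, e.Body.Error, e.Body.Description)
}

const assuranceDescription = "The application's assurance requirements are not met by the 'subject_token'."

// newMockTokenServer simulates an org whose AWS Fed App policy re-authenticates
// "every attempt", modelled (hypothetically) as a freshness window: subject tokens
// issued more than maxAge ago get the invalid_grant response quoted in the issue.
func newMockTokenServer(c *fakeClock, maxAge time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil ||
			r.PostForm.Get("grant_type") != "urn:ietf:params:oauth:grant-type:token-exchange" {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		// A malformed token parses as issue time 0 and is therefore rejected as stale.
		issued, _ := strconv.ParseInt(strings.TrimPrefix(r.PostForm.Get("subject_token"), "subj."), 10, 64)
		w.Header().Set("Content-Type", "application/json")
		if c.Now().Sub(time.Unix(issued, 0)) > maxAge {
			w.WriteHeader(http.StatusBadRequest)
			_ = json.NewEncoder(w).Encode(oauthError{Error: "invalid_grant", Description: assuranceDescription})
			return
		}
		_ = json.NewEncoder(w).Encode(map[string]string{
			"access_token":      "web-sso-token",
			"issued_token_type": "urn:okta:oauth:token-type:web_sso_token",
		})
	}))
}

// exchangeWebSSOToken sleeps for delay (the sleep the issue says to insert) and then
// posts the token-exchange request. The form fields are an approximation of the
// web SSO exchange, not copied from okta-aws-cli.
func exchangeWebSSOToken(c *fakeClock, tokenURL, subjectToken string, delay time.Duration) (string, error) {
	c.Sleep(delay)
	form := url.Values{
		"grant_type":           {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"requested_token_type": {"urn:okta:oauth:token-type:web_sso_token"},
		"subject_token_type":   {"urn:ietf:params:oauth:token-type:id_token"},
		"subject_token":        {subjectToken},
		"audience":             {"urn:okta:apps:example-fed-app-id"}, // hypothetical app id
	}
	resp, err := http.PostForm(tokenURL, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		var oe oauthError
		_ = json.Unmarshal(body, &oe) // a non-JSON body just leaves the fields empty
		return "", &ExchangeError{Status: resp.Status, Body: oe}
	}
	var ok struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.Unmarshal(body, &ok); err != nil {
		return "", err
	}
	return ok.AccessToken, nil
}

// Remedy maps the specific failure discussed in this issue to the policy checks
// it recommends; any other error yields "".
func Remedy(err error) string {
	var ee *ExchangeError
	if errors.As(err, &ee) && ee.Body.Error == "invalid_grant" &&
		strings.Contains(ee.Body.Description, "assurance requirements") {
		return "check the AWS Fed App sign-on policy: device registered/managed constraints, " +
			"and change re-authenticate 'every attempt' to an interval such as 2 minutes"
	}
	return ""
}

func main() {
	clock := &fakeClock{t: time.Unix(1_700_000_000, 0)}
	srv := newMockTokenServer(clock, 2*time.Second)
	defer srv.Close()
	subject := mintSubjectToken(clock)
	tok, _ := exchangeWebSSOToken(clock, srv.URL, subject, 0)
	fmt.Println("immediate exchange:", tok)
	_, err := exchangeWebSSOToken(clock, srv.URL, subject, 5*time.Second)
	fmt.Println("after 5s sleep:", err)
	fmt.Println("remedy:", Remedy(err))
}
```

The immediate exchange succeeds and the one after the simulated 5 second sleep fails with the same message string the issue title shows, which is the behaviour the post describes. Because the window here is a made-up constant, the only thing the example establishes is the shape of the race: the subject token is acceptable at one moment and rejected a few seconds later under the same policy, which is why a fixed re-authenticate interval is the more predictable setting.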
