Okta Auth Backend does not include X-Forwarded-For header in MFA request #12319

Closed
rbhitchcock opened this issue Aug 13, 2021 · 0 comments · Fixed by #12320

Comments

rbhitchcock (Contributor) commented Aug 13, 2021

Describe the bug
When authenticating with the Okta auth backend against a remote Vault server, the Okta Verify request from Okta reports the authentication location based on the IP of the server running the Vault server rather than the IP of the client making the authentication request. This is due to the x-forwarded-for header not being sent to Okta when initiating the MFA request even when the auth backend is tuned to pass through the x-forwarded-for header.

According to the Okta Developer docs, the authenticating application should include the x-forwarded-for header in order to accurately determine authentication location.

To Reproduce
Steps to reproduce the behavior on the client:

  1. vault auth enable okta
  2. vault write auth/okta/config base_url="okta.com" org_name="oktaorg" api_token="123"
  3. vault write sys/auth/okta/tune passthrough_request_headers=x-forwarded-for
  4. vault login -method=okta # wait for MFA

Expected behavior
When I receive the Okta Verify request, I expect that the location will be that of the IP where I am using the Vault client or making the curl request, and not that of the server where Vault is running.

Environment:

  • Vault Server Version (retrieve with vault status): 1.7.3
  • Vault CLI Version (retrieve with vault version): Vault v1.5.0 ('9fcd81405feb320390b9d71e15a691c3bc1daeef+CHANGES')
  • Server Operating System/Architecture: macOS client, Amazon Linux server

Vault server configuration file(s):

listener "tcp" {
  x_forwarded_for_authorized_addrs = "10.10.10.0/8"
}
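The two halves of the behaviour the report describes, as an added illustration that is not Vault's code and not part of the original issue: first, the listener-side trust decision that x_forwarded_for_authorized_addrs implements (the X-Forwarded-For header is only honoured when the TCP peer is inside an authorized range, and the client address is taken from the last hop in the header), and second, the outbound Okta primary-authentication request that the auth backend should build with that address copied into X-Forwarded-For so Okta Verify reports the client's location rather than the Vault server's. The policy type, the hop-skip handling, the sample addresses and the request builder are this example's own simplified re-implementation, not Vault's internals; the /api/v1/authn path and the SSWS token scheme are Okta's documented API.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// xffPolicy is an illustrative model (assumption: not Vault's code) of the
// listener settings x_forwarded_for_authorized_addrs and x_forwarded_for_hop_skips.
type xffPolicy struct {
	authorized []*net.IPNet
	hopSkips   int
}

// newXFFPolicy parses the authorized CIDRs. Note that net.ParseCIDR masks host
// bits, so the reporter's "10.10.10.0/8" is treated as 10.0.0.0/8.
func newXFFPolicy(cidrs []string, hopSkips int) (*xffPolicy, error) {
	if hopSkips < 0 {
		return nil, fmt.Errorf("hop skips must be >= 0, got %d", hopSkips)
	}
	p := &xffPolicy{hopSkips: hopSkips}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad authorized addr %q: %w", c, err)
		}
		p.authorized = append(p.authorized, n)
	}
	return p, nil
}

// clientIP returns the address Vault should attribute the request to:
// the X-Forwarded-For hop (last entry minus hopSkips) when the immediate peer
// is trusted, otherwise the peer itself. An untrusted peer cannot spoof its
// location by sending the header.
func (p *xffPolicy) clientIP(remoteAddr, xff string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer := net.ParseIP(host)
	trusted := false
	for _, n := range p.authorized {
		if peer != nil && n.Contains(peer) {
			trusted = true
			break
		}
	}
	if !trusted {
		return host
	}
	var hops []string
	for _, v := range strings.Split(xff, ",") {
		if v = strings.TrimSpace(v); v != "" {
			hops = append(hops, v)
		}
	}
	idx := len(hops) - 1 - p.hopSkips
	if idx < 0 {
		return host
	}
	return hops[idx]
}

// oktaAuthnRequest builds the POST to Okta's primary-auth endpoint and, when
// a client address is known, forwards it in X-Forwarded-For so Okta's
// location reporting reflects the end user, not the Vault server.
func oktaAuthnRequest(baseURL, apiToken, clientIP string, body []byte) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, strings.TrimRight(baseURL, "/")+"/api/v1/authn", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "SSWS "+apiToken)
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept", "application/json")
	if clientIP != "" {
		req.Header.Set("X-Forwarded-For", clientIP)
	}
	return req, nil
}

func main() {
	// Constructed sample: a trusted load balancer at 10.1.2.3 relays a request
	// from 198.51.100.9 that itself passed through a proxy at 203.0.113.7.
	p, err := newXFFPolicy([]string{"10.10.10.0/8"}, 0)
	if err != nil {
		panic(err)
	}
	ip := p.clientIP("10.1.2.3:51234", "203.0.113.7, 198.51.100.9")
	req, _ := oktaAuthnRequest("https://oktaorg.okta.com", "123", ip, []byte(`{"username":"u","password":"p"}`))
	fmt.Println(req.URL, "X-Forwarded-For:", req.Header.Get("X-Forwarded-For"))
}
```

The listener half is what Vault already did in 1.7.3; the point of the report is that the auth backend dropped the resulting address before calling Okta, which is the second half above.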