Add the OAuth Authorization Code Flow with PKCE

This adds support for the OAuth2.0 authorization code flow with PKCE to the aws sso login command. It is the new default behavior, but users can fall back to the device code flow using the new --use-device-code option.
aws · Sep 26, 2024 · 3cafdec · 3cafdec
1 parent 41ee0a9
commit 3cafdec
Show file tree

Hide file tree

Showing 9 changed files with 952 additions and 88 deletions.
diff --git a/.changes/next-release/feature-sso-81096.json b/.changes/next-release/feature-sso-81096.json
@@ -0,0 +1,5 @@
+{
+  "type": "feature",
+  "category": "sso",
+  "description": "Add support and default to the OAuth 2.0 Authorization Code Flow with PKCE for aws sso login."
+}
diff --git a/awscli/botocore/exceptions.py b/awscli/botocore/exceptions.py
@@ -682,6 +682,10 @@ class SSOTokenLoadError(SSOError):
     fmt = "Error loading SSO Token: {error_msg}"
 
 
+class AuthorizationCodeLoadError(SSOError):
+    fmt = "Error loading authorization code: {error_msg}"
+
+
 class UnauthorizedSSOTokenError(SSOError):
     fmt = (
         "The SSO session associated with this profile has expired or is "
@@ -690,6 +694,14 @@ class UnauthorizedSSOTokenError(SSOError):
     )
 
 
+class AuthCodeFetcherError(SSOError):
+    fmt = (
+        "Unable to initialize the OAuth 2.0 authorization callback handler: "
+        "{error_msg} \n You may use --use-device-code to fall back to the "
+        "device code flow which does not require the callback handler."
+    )
+
+
 class CapacityNotAvailableError(BotoCoreError):
     fmt = (
         'Insufficient request capacity available.'