Describe the bug
When aws sso login runs it opens a backchannel to AWS while the user is doing "browser stuff" in the foreground. (By default it's the automatically spawned program in $BROWSER, but there are lots of variations with the --no-browser flag, etc etc.) If the user goes through the usual authentication steps in the browser, Magic Happens[tm] on the AWS side and the SSO session tokens are sent down the backchannel to the blocked aws sso login process, which then unblocks and reports success, stores the token into .aws/sso/cache/[SHA-1 of session name].json, and so forth.
However, if the user clicks "cancel" in the browser anywhere other than the password prompt, the browser correctly kills the entire attempt (for example, the "ABCD-EFGH" user code generated for the initial request URL is marked as invalid for subsequent retries), but nothing is ever sent down the backchannel to tell the CLI to stop waiting. There is -- as far as I can tell from some brief experimenting -- no way to un-cancel and resume the authentication process in the browser, which makes total sense. But in that situation, there's also no reason for the CLI to keep waiting, since a successful session token will never arrive.
[edit: forgot to add, if the user clicks cancel at the password prompt, the browser page goes back to asking for the username in case they typo'd, so that's not an "authoritative kill the attempt" scenario.]
Expected Behavior
It'd be nice if the aws sso login unblocked and exited with a nonzero status, presumably with some generic error message.
Current Behavior
The CLI blocks until either interrupted with Ctrl+C, or the outermost SSO login timeout is reached (when it exits with An error occurred (InvalidGrantException) when calling the CreateToken operation: and no further text even though the colon implies more is coming, heh).
Reproduction Steps
1. aws sso login, specifying a profile as needed.
2. In the browser, click Cancel at various points. For example, after entering username/password/MFA, when prompted whether to allow or deny the specific account credentials, choose Deny. Or you can click Cancel right at the start when asked to confirm the ABCD-EFGH user code, etc.
3. Gaze in disappointment as the CLI continues to wait.
4. Either interrupt with Ctrl+C, or go make a sandwich while the timeout ticks down.
Possible Solution
I looked around in the aws-cli source tree to see whether I would understand the relevant code on the client end. I can't even find where the sso login subcommand is being handled; if a recursive grep can't find it then I'll stop poking. :-)
Additional Information/Context
I realize that the CLI cannot require a response coming down the backchannel in every possible situation, because that's a whole 'nother attack vector for security shenanigans. But given that a user can legitimately cancel a login attempt in the browser, authoritatively ending the attempt, it seems reasonable to expect that something could be sent back down to the CLI to tell it to stop hoping.
CLI version used
aws-cli/2.17.0 Python/3.11.8
Environment details (OS name and version, etc.)
Windows 10 Enterprise, Ubuntu 22.04
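To illustrate the device-authorization polling the report describes (an added example, not aws-cli's own code): the loop that waits on CreateToken can only stop early when the token endpoint returns a terminal error such as access_denied, so a browser-side Cancel that leaves the service answering authorization_pending is ended only by the local expiry deadline. The scripted endpoint, fake clock, response format and error-code names are assumptions modelled on RFC 8628 (the OAuth device grant that SSO-OIDC implements), not on the real API.

```python
import time
from dataclasses import dataclass
from typing import Optional
# Device-grant error codes (RFC 8628, section 3.5). SSO-OIDC surfaces these as
# exceptions such as InvalidGrantException; the names here are the RFC ones.
RETRYABLE = {"authorization_pending", "slow_down"}
TERMINAL = {"access_denied", "expired_token"}

@dataclass
class PollResult:
    status: str  # "ok", "denied", "expired" or "timeout"
    token: Optional[str] = None
    polls: int = 0

def poll_for_token(create_token, device_code, interval, expires_in,
                   clock=time.monotonic, sleep=time.sleep):
    """Poll create_token(device_code) -> ("token", str) or ("error", code) until a
    token arrives, a terminal error comes back, or the device code expires."""
    deadline = clock() + expires_in
    polls = 0
    while clock() < deadline:
        polls += 1
        kind, value = create_token(device_code)
        if kind == "token":
            return PollResult("ok", token=value, polls=polls)
        if value == "slow_down":
            interval += 5  # RFC 8628: back off by 5 seconds on slow_down
        elif value in TERMINAL:
            return PollResult("denied" if value == "access_denied" else "expired", polls=polls)
        elif value not in RETRYABLE:
            raise RuntimeError(f"unexpected token endpoint error: {value}")
        sleep(interval)
    return PollResult("timeout", polls=polls)  # only local expiry ended the wait

def simulate(script, interval=5, expires_in=600):
    """Run the loop against a constructed endpoint that replays `script` and then
    repeats its last response, with a fake clock so no real sleeping happens."""
    remaining, now = list(script), [0.0]
    def create_token(_device_code):
        return remaining.pop(0) if len(remaining) > 1 else remaining[0]
    def sleep(seconds):
        now[0] += seconds
    return poll_for_token(create_token, "device-code", interval, expires_in,
                          clock=lambda: now[0], sleep=sleep)

# Browser "Cancel": no terminal error ever arrives, so only local expiry ends the wait.
CANCELLED = simulate([("error", "authorization_pending")])
# Browser "Deny" surfaced as access_denied ends the wait on the poll that sees it.
DENIED = simulate([("error", "authorization_pending"), ("error", "slow_down"), ("error", "access_denied")])
```

With a 5 s interval and a 600 s device-code lifetime, the cancelled case polls 120 times before giving up, while the denied case stops on its third poll.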
Thanks for reaching out. I could reproduce the behavior you described. The SSO/Identity Center service is not returning an error (like AccessDeniedException) for the CLI client to handle here, so unfortunately the CLI cannot automatically cancel the process in the terminal. So just pressing Ctrl+C is the best available solution here.
We've received somewhat similar issues in the past like #6212 about the SSO login command hanging, but in those cases it seems like the --no-browser parameter or local configurations resolve the issue. In this case I don’t think running aws sso login and then choosing to cancel in the browser is a common problem.
This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.