Add the OAuth Authorization Code Flow with PKCE

This adds support for the OAuth2.0 authorization code flow with PKCE to the aws sso login command. It is the new default behavior, but users can fall back to the device code flow using the new --use-device-code option.
aws · Nov 15, 2024 · e0ee9eb · e0ee9eb
1 parent ad791c0
commit e0ee9eb
Show file tree

Hide file tree

Showing 9 changed files with 1,150 additions and 87 deletions.
diff --git a/.changes/next-release/feature-sso-81096.json b/.changes/next-release/feature-sso-81096.json
@@ -0,0 +1,5 @@
+{
+  "type": "feature",
+  "category": "``sso``",
+  "description": "Add support and default to the OAuth 2.0 Authorization Code Flow with PKCE for ``aws sso login``."
+}
diff --git a/awscli/botocore/exceptions.py b/awscli/botocore/exceptions.py
@@ -674,14 +674,18 @@ class SSOError(BotoCoreError):
 class PendingAuthorizationExpiredError(SSOError):
     fmt = (
         "The pending authorization to retrieve an SSO token has expired. The "
-        "device authorization flow to retrieve an SSO token must be restarted."
+        "login flow to retrieve an SSO token must be restarted."
     )
 
 
 class SSOTokenLoadError(SSOError):
     fmt = "Error loading SSO Token: {error_msg}"
 
 
+class AuthorizationCodeLoadError(SSOError):
+    fmt = "Error loading authorization code: {error_msg}"
+
+
 class UnauthorizedSSOTokenError(SSOError):
     fmt = (
         "The SSO session associated with this profile has expired or is "
@@ -690,6 +694,14 @@ class UnauthorizedSSOTokenError(SSOError):
     )
 
 
+class AuthCodeFetcherError(SSOError):
+    fmt = (
+        "Unable to initialize the OAuth 2.0 authorization callback handler: "
+        "{error_msg} \n You may use --use-device-code to fall back to the "
+        "device code flow which does not require the callback handler."
+    )
+
+
 class CapacityNotAvailableError(BotoCoreError):
     fmt = (
         'Insufficient request capacity available.'