aws / aws-cli

Universal Command Line Interface for Amazon Web Services

`aws sso login` hangs when the user cancels in the browser #8762

Closed Farmbuyer closed 1 week ago

Farmbuyer commented 1 week ago

Describe the bug

When `aws sso login` runs it opens a backchannel to AWS while the user is doing "browser stuff" in the foreground. (By default it's the automatically spawned program in `$BROWSER`, but there are lots of variations with the `--no-browser` flag, etc etc.) If the user goes through the usual authentication steps in the browser, Magic Happens[tm] on the AWS side and the SSO session tokens are sent down the backchannel to the blocked `aws sso login` process, which then unblocks and reports success, stores the token into `.aws/sso/cache/[SHA-1 of session name].json`, and so forth.

However, if the user clicks "cancel" in the browser anywhere other than the password prompt, the browser correctly kills the entire attempt (for example, the "ABCD-EFGH" user code generated for the initial request URL is marked as invalid for subsequent retries), but nothing is ever sent down the backchannel to tell the CLI to stop waiting. There is -- as far as I can tell from some brief experimenting -- no way to un-cancel and resume the authentication process in the browser, which makes total sense. But in that situation, there's also no reason for the CLI to keep waiting, since a successful session token will never arrive.

[edit: forgot to add, if the user clicks cancel at the password prompt, the browser page goes back to asking for the username in case they typo'd, so that's not an "authoritative kill the attempt" scenario.]

Expected Behavior

It'd be nice if `aws sso login` unblocked and exited with a nonzero status, presumably with some generic error message.

Current Behavior

The CLI blocks until either interrupted with Ctrl+C, or the outermost SSO login timeout is reached (when it exits with `An error occurred (InvalidGrantException) when calling the CreateToken operation:` and no further text even though the colon implies more is coming, heh).

Reproduction Steps

Possible Solution

I looked around in the aws-cli source tree to see whether I would understand the relevant code on the client end. I can't even find where the sso login subcommand is being handled; if a recursive grep can't find it then I'll stop poking. :-)

Additional Information/Context

I realize that the CLI cannot require a response coming down the backchannel in every possible situation, because that's a whole 'nother attack vector for security shenanigans. But given that a user can legitimately cancel a login attempt in the browser, authoritatively ending the attempt, it seems reasonable to expect that something could be sent back down to the CLI to tell it to stop hoping.

CLI version used

aws-cli/2.17.0 Python/3.11.8

Environment details (OS name and version, etc.)

Windows 10 Enterprise, Ubuntu 22.04

tim-finnigan commented 1 week ago

Thanks for reaching out. I could reproduce the behavior you described. The SSO/Identity Center service is not returning an error (like AccessDeniedException) for the CLI client to handle here, so unfortunately the CLI cannot automatically cancel the process in the terminal. So just pressing Ctrl+C is the best available solution here.

We've received somewhat similar issues in the past like https://github.com/aws/aws-cli/issues/6212 about the SSO login command hanging, but in those cases it seems like the `--no-browser` parameter or local configurations resolve the issue. In this case I don’t think running `aws sso login` and then choosing to cancel in the browser is a common problem.
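Added example, not aws-cli's or botocore's own code: a bounded device-authorization polling loop of the kind that waits on the backchannel after StartDeviceAuthorization, with a local deadline taken from the device code's lifetime so a browser-side cancel (which, as noted above, the service reports as nothing but "pending") can never block forever. It assumes botocore-style exceptions (service error code at `exc.response["Error"]["Code"]`) and the CreateToken error names from the SSO OIDC API; the real `create_token` call is injected as a callable, and the cancel case is simulated offline with constructed data.

```python
import time
from typing import Callable

PENDING = "AuthorizationPendingException"   # user has not finished in the browser yet
SLOW_DOWN = "SlowDownException"             # polling too fast (RFC 8628 section 3.5)
TERMINAL = {"ExpiredTokenException", "InvalidGrantException", "AccessDeniedException"}

def _error_code(exc: Exception) -> str:
    # botocore's ClientError carries the service error code in exc.response["Error"]["Code"]
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")

def poll_for_token(create_token: Callable[[], dict], interval: int, expires_in: int,
                   clock: Callable[[], float] = time.monotonic,
                   sleep: Callable[[float], None] = time.sleep) -> dict:
    # Poll until a token arrives, a terminal error is returned, or the device code's
    # lifetime (expires_in from StartDeviceAuthorization) is used up on the client side.
    deadline = clock() + expires_in
    wait = interval
    while clock() < deadline:
        try:
            return create_token()
        except Exception as exc:
            code = _error_code(exc)
            if code == PENDING:
                pass                 # a browser-side cancel looks exactly like this
            elif code == SLOW_DOWN:
                wait += 5            # RFC 8628: increase the interval by 5 seconds
            elif code in TERMINAL:
                raise RuntimeError(f"device authorization ended: {code}") from exc
            else:
                raise                # real client or network failure: surface it
        sleep(wait)
    raise TimeoutError(f"no token within the {expires_in}s device-code lifetime")

# Constructed simulation of the issue: after the user cancels, the service keeps
# answering "pending" forever, so only the local deadline ends the wait.
class _FakeClientError(Exception):
    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

def simulate_cancelled_login(expires_in: int = 600, interval: int = 5) -> tuple:
    now, polls = [0.0], [0]           # fake clock and poll counter (no real sleeping)
    def fake_create_token() -> dict:
        polls[0] += 1
        raise _FakeClientError(PENDING)
    def fake_sleep(seconds: float) -> None:
        now[0] += seconds
    try:
        poll_for_token(fake_create_token, interval, expires_in, clock=lambda: now[0], sleep=fake_sleep)
        return True, polls[0]
    except TimeoutError:
        return False, polls[0]        # (got_token, number_of_polls)
```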

github-actions[bot] commented 1 week ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.