aws / aws-cli

Universal Command Line Interface for Amazon Web Services

AWS SSO CLI fallback to device authorization grant doesn't work #9092

Open ikattur-ota opened 2 days ago

ikattur-ota commented 2 days ago

Describe the bug

Running this in a Vagrant box, PKCE-based Authorization for SSO doesn't work as it needs a browser. Following recommendations in the official blog post and docs, I tried using the --use-device-code flag but it doesn't seem to make a difference:

vagrant@ubuntu2204:~$ aws configure sso --profile "AWSAdministratorAccess" --use-device-code
SSO session name (Recommended): my-sso
SSO start URL [None]: https://d-xxx.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://oidc.us-east-1.amazonaws.com/authorize?response_type=code&client_id=xxxx...

Workaround: I had to follow this two-step process, as the --use-device-code flag seems to work for the aws sso login command:

vagrant@ubuntu2204:~$ aws configure sso-session
SSO session name: my-sso
SSO start URL [None]: https://d-xxx.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [sso:account:access]:

Completed configuring SSO session: my-sso
Run the following to login and refresh access token for this session:

aws sso login --sso-session my-sso

vagrant@ubuntu2204:~$ aws sso login --sso-session my-sso --use-device-code
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

xxxx-xxxx
Successfully logged into Start URL: https://d-xxx.awsapps.com/start

And then configure an SSO profile:

vagrant@ubuntu2204:~$ aws configure sso --profile "AWSAdministratorAccess"
SSO session name (Recommended): my-sso
There are n AWS accounts available to you.
Using the account ID xxx
There are 2 roles available to you.
Using the role name "AWSAdministratorAccess"
CLI default client Region [None]: us-west-2
CLI default output format [None]: json

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile AWSAdministratorAccess

Regression Issue

Expected Behavior

SSO authorization workflow via OAuth 2.0 device authorization grant to work in the aws configure sso command when --use-device-code option is used.

Current Behavior

See description

Reproduction Steps

See description

Possible Solution

No response

Additional Information/Context

No response

CLI version used

2.22.1

Environment details (OS name and version, etc.)

Linux/5.15.0-91-generic exe/x86_64.ubuntu.22 Python/3.12.6

ashovlin commented 2 days ago

Thanks for the report! This is an issue in the flag's introduction in 2.22.0. https://github.com/aws/aws-cli/pull/9090 addresses it, and is queued up for today's daily release. I'll reply again once the release is finished.

ashovlin commented 2 days ago

This should be addressed in 2.22.2 which was released today.

% aws configure sso --use-device-code
...
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:
...

Let us know if you're still seeing any issues.
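Because the report's workaround (configure an SSO session, then `aws sso login --use-device-code`, then `aws configure sso`) only matters on 2.22.0 and 2.22.1, and because the only visible sign of which OAuth 2.0 grant the CLI chose is the URL it prints, the following POSIX shell script is an added example (not code from the aws-cli project or from anyone in this thread). It parses the `aws --version` banner, picks the one-step or two-step setup for a headless box from the version, and classifies a captured login output as the device authorization grant or the PKCE authorization code grant, so automation can verify that `--use-device-code` actually took effect instead of silently printing a browser-only `/authorize` URL. The sample banner and outputs are constructed to match the shapes shown above; the `legacy` branch assumes, as ntang-tmx describes, that releases before 2.22.0 used the device grant without a flag.

```shell
#!/bin/sh
# Added example for aws/aws-cli#9092 (not project code): choose the right
# headless SSO setup for the installed CLI version and check which grant was used.

# "aws-cli/2.22.2 Python/3.12.6 Linux/..." -> "2.22.2"
cli_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^aws-cli/\([0-9][0-9.]*\).*#\1#p'
}

# True (exit 0) when dotted version $1 >= $2; missing fields count as 0.
version_ge() {
    vg_field=1
    while [ "$vg_field" -le 3 ]; do
        vg_a=$(printf '%s\n' "$1" | cut -d. -f"$vg_field"); vg_a=${vg_a:-0}
        vg_b=$(printf '%s\n' "$2" | cut -d. -f"$vg_field"); vg_b=${vg_b:-0}
        if [ "$vg_a" -gt "$vg_b" ]; then return 0; fi
        if [ "$vg_a" -lt "$vg_b" ]; then return 1; fi
        vg_field=$((vg_field + 1))
    done
    return 0
}

# Which setup works without a browser on a given CLI version:
#   legacy   - before 2.22.0, no --use-device-code flag (device grant assumed per thread)
#   two-step - 2.22.0/2.22.1: `aws configure sso --use-device-code` ignores the flag
#   one-step - 2.22.2 and later: the flag works in `aws configure sso`
sso_configure_plan() {
    if ! version_ge "$1" 2.22.0; then echo legacy
    elif version_ge "$1" 2.22.2; then echo one-step
    else echo two-step
    fi
}

# Classify captured login output by the URL it prints: the device grant shows the
# device endpoint plus a user code; the PKCE grant shows an /authorize URL with
# response_type=code, which needs a local browser to complete the callback.
grant_from_login_output() {
    case $1 in
        *device.sso.*amazonaws.com*) echo device ;;
        *response_type=code*)        echo pkce ;;
        *)                           echo unknown ;;
    esac
}

# Constructed samples (shapes taken from the report; values are placeholders).
SAMPLE_BANNER='aws-cli/2.22.2 Python/3.12.6 Linux/5.15.0-91-generic exe/x86_64.ubuntu.22'
SAMPLE_DEVICE_OUTPUT='Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

XXXX-XXXX'
SAMPLE_PKCE_OUTPUT='Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://oidc.us-east-1.amazonaws.com/authorize?response_type=code&client_id=EXAMPLE'

# Driver: runs the real (interactive) aws commands only when invoked as
#   ./headless-sso.sh <sso-session-name> <profile-name>
# and the CLI is installed; otherwise the file just defines the functions above.
run_headless_sso_setup() {
    hs_session=$1; hs_profile=$2
    hs_banner=$(aws --version 2>&1) || return 1
    hs_version=$(cli_version_from_banner "$hs_banner")
    case $(sso_configure_plan "$hs_version") in
        one-step) aws configure sso --profile "$hs_profile" --use-device-code ;;
        two-step)
            aws configure sso-session &&
            aws sso login --sso-session "$hs_session" --use-device-code &&
            aws configure sso --profile "$hs_profile" ;;
        legacy)   aws configure sso --profile "$hs_profile" ;;
    esac
}

if [ $# -eq 2 ] && command -v aws >/dev/null 2>&1; then
    run_headless_sso_setup "$1" "$2"
fi
```

A practitioner running this in a Vagrant box or CI job would pipe the login output through `grant_from_login_output` and fail the job on `pkce`, since that flow can never complete there; on a workstation with a browser the default PKCE flow remains the better choice, and the device grant is only the fallback for hosts that cannot open one.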

ntang-tmx commented 2 days ago

The behavior changed from the original CLI. The --no-browser option should give the device URL and not the OIDC one with a callback. --use-device-code does work.

aws sso login --profile xxx --no-browser
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://oidc.us-east-1.amazonaws.com/authorize?response_type=code&client_id=W
aws sso login --profile xxx --use-device-code
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

XXXX-XXXX
aws-cli/2.22.2 Python/3.12.6 Linux/3.10.0-1160.119.1.el7.x86_64 exe/x86_64.rhel.7

ashovlin commented 2 days ago

@ntang-tmx the intended behavior is:

Is your first snippet from 2.22.2 as well? I'd expect to see something like this instead:

% aws sso login --profile <profile> --no-browser
Browser will not be automatically opened.
Please visit the following URL:

https://oidc.us-east-1.amazonaws.com/authorize?response_type...

ntang-tmx commented 2 days ago

Indeed, the snippet is from another version. 2.22.2 displays the snippet you showed.

You're right, I did not check the 2.22.0 change from 2 days ago.

ashovlin commented 1 day ago

@ntang-tmx Thanks, so I believe that's working as expected then, but let us know if you're still hitting issues