common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

Add support for 'Authorization Code Grant with PKCE' #779

Open lyoung-confluent opened 1 month ago

lyoung-confluent commented 1 month ago

IAM Identity Center has added support for an authorization_code grant instead of the device_code grant, which provides a smoother user experience. The documentation on this is (in keeping with tradition w/ AWS SSO) extremely minimal/missing altogether, but I found some pretty decent comments inside the aws-toolkit-vscode repository.

You can test out the flow yourself by installing the AWS Visual Studio Code plug-in and authenticating using the "Workforce" option. Under the hood the extension calls RegisterClient using parameters roughly like this (I've removed the CodeWhisperer scopes):

aws --region us-west-2 sso-oidc register-client --client-name 'AWS IDE Extensions for VSCode' --client-type public --grant-types authorization_code --redirect-uris http://127.0.0.1:50383/oauth/callback --issuer-url https://d-123456.awsapps.com/start --scopes sso:account:access

It then constructs an "authorization" URL which looks like this and opens it in the user's browser:

https://oidc.us-west-2.amazonaws.com/authorize?response_type=code&client_id=<removed>&redirect_uri=http://127.0.0.1:56369/oauth/callback&scopes=sso:account:access&state=552998d0-4b83-44c3-b022-aa02005a7bd9&code_challenge=CaN1lc6CfmPsJSrYcVa68HdoA1fQIeI5Een_1a9sVA0&code_challenge_method=S256

This page skips the "device code" workflow, directly landing the user on a consent screen:

After approving, the user sees this message: [image]

Internally, VSCode will take the token (sent to http://127.0.0.1:56369/oauth/callback) and exchange it using the same CreateToken API using the code and codeVerifier parameters instead of the deviceCode parameter.

From my testing, the clientName can be adjusted to something like "Granted CLI" and the redirect URI can be adjusted to any localhost port; however, it must be in the exact form of http://127.0.0.1:<port>/oauth/callback or it will be rejected during the registration call.
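
As an added illustration (not Granted's code and not from the issue author), here is the client side of the flow described above in Go: PKCE verifier and S256 challenge generation, the authorize URL with the parameters listed, a check that the redirect URI has the only form RegisterClient is reported to accept, and state validation on the localhost callback. The client ID, port and state values are placeholders; the code returned by parseCallback would then be sent to CreateToken with the code_verifier.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
	"regexp"
)

// newCodeVerifier returns a PKCE code_verifier (RFC 7636): 32 random bytes, base64url without padding.
func newCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// codeChallengeS256 derives the code_challenge carried in the authorize URL: BASE64URL(SHA256(verifier)).
func codeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authorizeURL assembles the /authorize URL shown in the issue; the issue reports that RegisterClient
// only accepts redirect URIs of the form http://127.0.0.1:<port>/oauth/callback, so anything else is refused.
func authorizeURL(region, clientID, redirectURI, state, challenge string) (string, error) {
	if ok, _ := regexp.MatchString(`^http://127\.0\.0\.1:\d{1,5}/oauth/callback$`, redirectURI); !ok {
		return "", errors.New("redirect_uri must be http://127.0.0.1:<port>/oauth/callback")
	}
	q := url.Values{
		"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"scopes": {"sso:account:access"}, "state": {state},
		"code_challenge": {challenge}, "code_challenge_method": {"S256"},
	}
	return "https://oidc." + region + ".amazonaws.com/authorize?" + q.Encode(), nil
}

// parseCallback handles the redirect to 127.0.0.1: the state must match what we sent (CSRF check)
// and a code must be present; the code is then exchanged via CreateToken with the code_verifier.
func parseCallback(rawCallback, expectedState string) (string, error) {
	u, err := url.Parse(rawCallback)
	if err != nil {
		return "", err
	}
	if q := u.Query(); q.Get("state") == expectedState && q.Get("code") != "" {
		return q.Get("code"), nil
	}
	return "", errors.New("callback rejected: state mismatch or missing code")
}
```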

lyoung-confluent commented 1 week ago

https://aws.amazon.com/about-aws/whats-new/2024/11/aws-command-line-interface-pkce-single-sign-on/

ravron commented 5 days ago

This AWS CLI commit implements the authorization code flow and may serve as a useful guide.