IAM Identity Center has added support for an authorization_code grant instead of the device_code grant which provides a smoother user experience. The documentation on this is (in keeping with tradition w/AWS SSO) extremely minimal/missing altogether but I found some pretty decent comments inside the aws-toolkit-vscode repository.
You can test out the flow yourself by installing the AWS Visual Studio Code Plug-In and authenticating using the "Workforce" option. Under the hood the extension calls RegisterClient using parameters roughly like this (I've removed the codewhisper scopes):
```shell
aws --region us-west-2 sso-oidc register-client --client-name 'AWS IDE Extensions for VSCode' --client-type public --grant-types authorization_code --redirect-uris http://127.0.0.1:50383/oauth/callback --issuer-url https://d-123456.awsapps.com/start --scopes sso:account:access
```
It then constructs an "authorization" URL which looks like this and opens it in the user's browser:
This page skips the "device code" workflow directly landing the user on a consent screen:
After approving the user sees this message:
Internally, VSCode will take the token (sent to http://127.0.0.1:56369/oauth/callback) and exchange it using the same CreateToken API using the code and codeVerifier parameters instead of the deviceCode parameter.
From my testing the clientName can be adjusted to something like "Granted CLI" and the redirect URI can be adjusted to any localhost port; however, it must be in the exact form of http://127.0.0.1:<port>/oauth/callback or it will be rejected during the registration call.
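As an added example (not code from the issue or from the aws-toolkit-vscode project), the client-side pieces of the flow described above: a pre-check for the redirect-URI form the post says RegisterClient enforces, RFC 7636 PKCE verifier/challenge generation, the CreateToken parameters that replace deviceCode, and a boto3 RegisterClient call. The authorize endpoint and its query parameter names are assumptions, since the post does not show the URL it saw; the RegisterClient and CreateToken field names follow the post.

```python
import base64, hashlib, re, secrets
from urllib.parse import urlencode

# Form the post says RegisterClient enforces for the redirect URI: loopback host, a port, /oauth/callback.
REDIRECT_RE = re.compile(r"^http://127\.0\.0\.1:(\d{1,5})/oauth/callback$")
SCOPES = ["sso:account:access"]


def redirect_uri_is_acceptable(uri: str) -> bool:
    """Client-side pre-check so a malformed redirect URI fails before the RegisterClient call."""
    m = REDIRECT_RE.match(uri)
    return bool(m) and 1 <= int(m.group(1)) <= 65535


def new_code_verifier() -> str:
    """RFC 7636 code_verifier: 43 unreserved chars from 32 random bytes; it never leaves the client."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(sha256(verifier)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).rstrip(b"=").decode("ascii")


def build_authorize_url(region: str, client_id: str, redirect_uri: str, state: str, challenge: str) -> str:
    """ASSUMPTION: endpoint and query parameter names; the issue omits the actual URL it saw."""
    query = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
             "scopes": " ".join(SCOPES), "state": state,
             "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"https://oidc.{region}.amazonaws.com/authorize?" + urlencode(query)


def create_token_request(client_id: str, client_secret: str, code: str, verifier: str, redirect_uri: str) -> dict:
    """CreateToken parameters for the code grant: code + codeVerifier take the place of deviceCode."""
    return {"clientId": client_id, "clientSecret": client_secret, "grantType": "authorization_code",
            "code": code, "codeVerifier": verifier, "redirectUri": redirect_uri}


def register_and_start(region: str, issuer_url: str, redirect_uri: str) -> tuple[dict, str, str]:
    """Live RegisterClient through boto3 (assumed installed); returns registration, verifier, URL to open."""
    import boto3  # imported here so the pure helpers above run offline
    if not redirect_uri_is_acceptable(redirect_uri):
        raise ValueError("redirect URI must look like http://127.0.0.1:<port>/oauth/callback")
    reg = boto3.client("sso-oidc", region_name=region).register_client(
        clientName="Granted CLI", clientType="public", grantTypes=["authorization_code"],
        redirectUris=[redirect_uri], issuerUrl=issuer_url, scopes=SCOPES)
    verifier = new_code_verifier()
    url = build_authorize_url(region, reg["clientId"], redirect_uri, secrets.token_urlsafe(16), pkce_challenge(verifier))
    return reg, verifier, url
```

After the browser lands on the loopback callback with `code` and `state`, check that `state` matches the one you generated, then pass `create_token_request(...)` to `create_token` on the same sso-oidc client.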