AWS Developer Tools Blog
AWS CLI Adds PKCE-based Authorization for SSO
The AWS Command Line Interface (AWS CLI) v2 now supports OAuth 2.0 authorization code flows using the Proof Key for Code Exchange (PKCE) standard. As of version 2.22.0, this new standard is the default behavior when running the aws sso login or aws configure sso commands. The authorization code flow with PKCE is the recommended best practice for access to AWS resources from desktops and mobile devices with web browsers.
Updated behavior
No new configuration is required for the new behavior. When you run the updated sso commands, a different URL is opened by default and printed in the console:
$ aws sso login --profile my-sso-profile
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://oidc.us-east-1.amazonaws.com/authorize?response_type=code&client_id=clientId&redirect_uri=http%3A%2F%2F127.0.0.1%3A62822%2Foauth%2Fcallback&state=3593bb11-2407-4d41-8bae-4f121d6d8a5d&code_challenge_method=S256&scopes=sso%3Aaccount%3Aaccess&code_challenge=codeChallenge
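The PKCE parameters in that URL (code_challenge, code_challenge_method=S256, state, and a loopback redirect_uri) can be reproduced and checked with the added example below. It follows RFC 7636 and is not the AWS CLI's own code; the function names, the base URL, and the client ID in the usage are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def make_verifier() -> str:
    # RFC 7636 4.1: 43-128 unreserved characters; 32 random bytes encode to 43.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    # RFC 7636 4.2: BASE64URL(SHA256(ASCII(verifier))) with padding removed.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(base, client_id, port, verifier, state) -> str:
    # Same query parameters as the URL printed by `aws sso login` above.
    return base + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": f"http://127.0.0.1:{port}/oauth/callback",
        "state": state,
        "code_challenge_method": "S256",
        "scopes": "sso:account:access",
        "code_challenge": s256_challenge(verifier),
    })


def check_authorize_url(url: str) -> list:
    # Review an authorize URL before opening it; returns the problems found.
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []
    if q.get("response_type") != "code":
        problems.append("response_type is not code")
    if q.get("code_challenge_method") != "S256":
        problems.append("challenge method is not S256")
    if not q.get("code_challenge") or not q.get("state"):
        problems.append("code_challenge or state is missing")
    if urlsplit(q.get("redirect_uri", "")).hostname != "127.0.0.1":
        problems.append("redirect_uri is not loopback")
    return problems


def verifier_matches(stored_challenge: str, presented_verifier: str) -> bool:
    # Authorization-server side at code exchange: recompute, compare in constant time.
    return hmac.compare_digest(stored_challenge, s256_challenge(presented_verifier))
```

The verifier never appears in the browser URL; only its hash does, so an authorization code intercepted on the loopback callback cannot be redeemed without the verifier held by the CLI process.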
You may need to use the previous workflow, which uses the OAuth 2.0 device authorization grant, in environments where the AWS CLI is unable to launch a browser or receive the OAuth callback that is used in the authorization code flow. To continue using the previous workflow, specify the new --use-device-code option for either aws sso login or aws configure sso:
$ aws sso login --profile my-sso-profile --use-device-code
Next steps
To take advantage of this new SSO behavior, upgrade your version of the AWS CLI to 2.22.0. You can refer to the Configuring IAM Identity Center authentication with the AWS CLI guide for more information, and please share your questions, comments, and issues with us on GitHub.