Support device_code or authorization_code, not both #1361
Codecov Report
❌ Patch coverage is

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #1361      +/-   ##
==========================================
+ Coverage   88.50%   88.52%   +0.02%
==========================================
  Files          54       54
  Lines        3643     3649       +6
==========================================
+ Hits         3224     3230       +6
  Misses        289      289
  Partials      130      130
```
Pull request overview
This PR addresses a regression where some AWS IAM Identity Center (SSO OIDC) configurations reject RegisterClient requests that include both device_code and authorization_code grant types, causing InvalidScopeException during aws-sso login. It updates client registration to request workflow-appropriate grant types (plus refresh_token) and forces re-registration for previously registered clients that used the problematic combination.
Changes:
- Make RegisterClient request either device_code + refresh_token or authorization_code + refresh_token, depending on the configured auth workflow.
- Add logic to detect "bad" historical registrations (v2.2.0/2.2.1) and transparently force a new registration.
- Update tests and release metadata (version bump + changelog entry).
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| Makefile | Bumps project version to 2.2.2. |
| internal/storage/storage.go | Adds SupportsGrantType and uses it for grant-type compatibility checks (including v2.2.0/2.2.1 migration behavior). |
| internal/storage/storage_test.go | Adds unit test coverage for SupportsGrantType. |
| internal/sso/auth/awssso_auth.go | Makes grant-type registration workflow-specific; adjusts validation logic; introduces scope constant; changes logout error handling. |
| internal/sso/auth/awssso_auth_test.go | Updates workflow grant-type expectations and expands ValidAuthToken tests for PKCE vs device-code. |
| CHANGELOG.md | Adds v2.2.2 entry and updates compare links. |
Excerpt from internal/storage/storage.go:

```go
func (r *RegisterClientData) SupportsGrantType(gt GrantType) bool {
	if len(r.GrantTypes) > 2 {
		// Hack to deal with v2.2.0/2.2.1 bug where we supported all 3 grant types
		// but some AWS SSO configs did not like authorization_code + device_code together
		// see: https://github.com/synfinatic/aws-sso-cli/issues/1359
		return false
	}
	for _, g := range r.GrantTypes {
```
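The workflow-specific registration and forced re-registration that the PR describes, as an added stand-alone example (not code from aws-sso-cli). `SupportsGrantType` keeps the shape of the excerpt above with the loop completed as a plain membership check; `AuthWorkflow`, `GrantTypesFor`, `NeedsReregistration` and the grant-type string constants are names assumed for this example, and the constant values follow the OAuth 2.0 / AWS SSO OIDC wire strings as an assumption.

```go
package main

import "fmt"

// GrantType is the grant_type string sent in a RegisterClient request.
// Constant names and values below are assumed for this example.
type GrantType string

const (
	GrantDeviceCode        GrantType = "urn:ietf:params:oauth:grant-type:device_code"
	GrantAuthorizationCode GrantType = "authorization_code"
	GrantRefreshToken      GrantType = "refresh_token"
)

// AuthWorkflow selects the interactive login flow the CLI is configured for.
type AuthWorkflow int

const (
	WorkflowDeviceCode AuthWorkflow = iota // device authorization flow
	WorkflowPKCE                            // browser authorization_code + PKCE flow
)

// RegisterClientData stands in for the cached client registration record.
type RegisterClientData struct {
	ClientID   string
	GrantTypes []GrantType
}

// GrantTypesFor returns the grant types to request for a workflow: exactly
// one interactive grant plus refresh_token, never device_code together
// with authorization_code.
func GrantTypesFor(w AuthWorkflow) []GrantType {
	switch w {
	case WorkflowPKCE:
		return []GrantType{GrantAuthorizationCode, GrantRefreshToken}
	default:
		return []GrantType{GrantDeviceCode, GrantRefreshToken}
	}
}

// SupportsGrantType reports whether a cached registration can be reused for
// the given grant. A record carrying more than two grant types is treated as
// unusable: it came from a release that registered all three, a combination
// some IAM Identity Center instances reject.
func (r *RegisterClientData) SupportsGrantType(gt GrantType) bool {
	if len(r.GrantTypes) > 2 {
		return false
	}
	for _, g := range r.GrantTypes {
		if g == gt {
			return true
		}
	}
	return false
}

// NeedsReregistration decides whether RegisterClient must be called again
// before the chosen workflow can run. A nil record means nothing is cached.
func NeedsReregistration(cached *RegisterClientData, w AuthWorkflow) bool {
	if cached == nil {
		return true
	}
	for _, gt := range GrantTypesFor(w) {
		if !cached.SupportsGrantType(gt) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a registration cached by a v2.2.0/2.2.1 client.
	legacy := &RegisterClientData{
		ClientID:   "cached-from-2.2.1",
		GrantTypes: []GrantType{GrantDeviceCode, GrantAuthorizationCode, GrantRefreshToken},
	}
	for _, w := range []AuthWorkflow{WorkflowDeviceCode, WorkflowPKCE} {
		fmt.Printf("workflow %d: request %v, re-register cached client: %v\n",
			w, GrantTypesFor(w), NeedsReregistration(legacy, w))
	}
}
```

Two consequences worth knowing when reusing this shape: a cached device_code registration is also re-registered when the user switches to the PKCE workflow, because the check is per workflow rather than per client, and the `len > 2` guard rejects any three-grant record rather than specifically the device_code + authorization_code pair, which is simpler but would also discard a future legitimate three-grant registration.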
Apparently some AWS SSO instances throw an API error if the client tries to register using both device_code and authorization_code.
This change forces the client to always register one or the other + refresh_token support. Existing clients which have support for all 3 will be re-registered with 2.
Fixes: #1359