AWS CLI Adds PKCE-based Authorization for SSO

The AWS Command Line Interface (AWS CLI) v2 now supports OAuth 2.0 authorization code flows using the Proof Key for Code Exchange (PKCE) standard. As of version 2.22.0, this new standard is the default behavior when running the aws sso login or aws configure sso commands. The authorization code flow with PKCE is the recommended best practice for access to AWS resources from desktops and mobile devices with web browsers.

Updated behavior

No new configuration is required for the new behavior. Now when you run the updated sso commands you will see a different URL opened by default and printed in the console:

$ aws sso login --profile my-sso-profile
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://oidc.us-east-1.amazonaws.com/authorize?response_type=code&client_id=clientId&redirect_uri=http%3A%2F%2F127.0.0.1%3A62822%2Foauth%2Fcallback&state=3593bb11-2407-4d41-8bae-4f121d6d8a5d&code_challenge_method=S256&scopes=sso%3Aaccount%3Aaccess&code_challenge=codeChallenge

You may need to use the previous workflow, which uses the OAuth 2.0 device authorization grant, in environments where the AWS CLI is unable to launch a browser or receive the OAuth callback that is used in the authorization code flow. To continue using the previous workflow specify the new --use-device-code option for either aws sso login or aws configure sso:

$ aws sso login --profile my-sso-profile --use-device-code

Next steps

To take advantage of this new SSO behavior, upgrade your version of the AWS CLI to 2.22.0. You can refer to the Configuring IAM Identity Center authentication with the AWS CLI guide for more information, and please share your questions, comments, and issues with us on GitHub.

About the author: