bug: v1.19.4 IAM Identity Center Authentication Regression - InvalidGrantException #3426

@cloudgenie101

Description

Operating system

WSL2 Ubuntu 24.04.2 LTS & macOS ARM64 (replicated)

Expected behaviour

After successful browser authentication with IAM Identity Center, Q CLI should complete login successfully, as it did in v1.19.2.

Actual behaviour

After upgrading from v1.19.2 to v1.19.4, IAM Identity Center authentication fails with InvalidGrantException despite successful browser authentication.

WSL2 Ubuntu error:

Logging in...error: service error
Service: AWS SSO OIDC (com.amazonaws.sso.oidc)
Error: AccessDeniedException - access_denied
HTTP Status: 400

Replicated error (macOS):

error: service error
   1: InvalidGrantException
   2: InvalidGrantException

Location:
   crates/q_cli/src/cli/user.rs:292

Additional context

What works:

  • ✅ BuilderID authentication (q login) works in v1.19.4
  • ✅ AWS CLI with same IAM Identity Center credentials works
  • ✅ Browser authentication step completes successfully
  • ✅ v1.19.2 worked for customer with IAM Identity Center

What fails:

  • ❌ IAM Identity Center authentication in v1.19.4
  • ❌ OAuth token exchange after browser auth

Code analysis:

Comparing v1.19.3 to v1.19.4, the only authentication-related changes are in crates/chat-cli/src/auth/builder_id.rs (lines 435-455, 573-588), which added telemetry to the authentication error handling path. This correlates with the failure timing, though the telemetry code executes after errors occur, so it may be exposing rather than causing the underlying issue.

Impact:

  • Severity: High
  • Affected: IAM Identity Center users only
  • Scope: Enterprise customers using AWS SSO

Workaround:

Downgrade to v1.19.2:

wget https://github.com/aws/amazon-q-developer-cli/releases/download/v1.19.2/amazon-q-linux-x64.tar.gz
tar -xzf amazon-q-linux-x64.tar.gz
sudo mv q /usr/local/bin/

Or use BuilderID temporarily:

q logout
q login  # Use BuilderID instead

Request for investigation:

  • Review v1.19.4 authentication changes
  • Test IAM Identity Center authentication specifically
  • Investigate Request ID: 0ea8455a-d8b8-4d02-a06f-920e6501d44e

Steps to reproduce

  1. Configure IAM Identity Center with valid credentials
  2. Verify AWS CLI works: aws sso login --profile YOUR-PROFILE --use-device-code
  3. Run Q CLI login:
     q login --license pro \
       --identity-provider https://YOUR-ORG.awsapps.com/start \
       --region YOUR-REGION
  4. Complete browser authentication successfully
  5. Observe error in terminal

Environment

**Customer environment:**

version = "1.19.4"
os = "WSL2 Ubuntu 24.04.2 LTS"
authentication = "IAM Identity Center"
working_version = "1.19.2"
**Replication environment:**

version = "1.19.4"
os = "macOS ARM64"
authentication = "IAM Identity Center"
