Description
Describe the bug
If the sso_start_url ends with /#, then there's a difference in the hashes computed by aws sso login (which includes the #) and this CPP client (which excludes the #). These hashes are used as the filenames in ~/.aws/sso/cache/*.json, so the CPP client can't find the sso cache file, so it fails to connect and prints a 403 error.
Regression Issue
- Select this option if this issue appears to be a regression.
Expected Behavior
After I run aws sso login and aws s3 ls (both successful), I can also access S3 resources using this CPP client.
Current Behavior
Despite aws sso login and aws s3 ls both succeeding, the CPP client reports the error:
[ERROR] 2025-05-07 16:24:48.374 AWSXmlClient [131720638338688] HTTP response code: 403
Resolved remote host IP address: 52.219.93.58
Request ID: TPGTKY5PXV0B0BRG
Exception name: AccessDenied
Error message: AccessDenied
Reproduction Steps
Use a sso_start_url that ends with # in ~/.aws/config.
(If you already have cached credentials for that start url without the #, also delete the caches.)
Possible Solution
From the behavior I've seen, I suspect that GetCachedConfigProfile is normalizing the url (removing the trailing #) before it's hashed by SSOCredentialsProvider. It should be normalizing after hashing, instead.
Additional Information/Context
No response
AWS CPP SDK version used
1.11.555
Compiler and Version used
clang v16.0.6
Operating System and version
Linux Mint 22.1 (essentially equivalent to Ubuntu 24.04)
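To check which cache file a given profile resolves to, the following diagnostic is an added example and is not code from the issue, the AWS CLI or the C++ SDK. It assumes the cache file name is the SHA-1 hex digest of the start URL string plus `.json` (how the AWS CLI names the file for profiles without `sso_session`; the issue itself does not name the hash), and it models the suspected normalization as removing one trailing `#`. The function names and the sample URL are constructed for illustration.

```python
import configparser
import hashlib
from pathlib import Path

# Constructed sample config; the URL is a placeholder, not taken from the issue.
SAMPLE_CONFIG = """\
[profile dev]
sso_start_url = https://example.awsapps.com/start/#
sso_region = us-east-1
"""


def cache_name(start_url: str) -> str:
    """Cache file name for a start URL (assumed: SHA-1 hex digest + .json)."""
    return hashlib.sha1(start_url.encode("utf-8")).hexdigest() + ".json"


def candidate_names(start_url: str) -> dict:
    """File names for the URL as written and with a trailing '#' removed."""
    names = {"as_written": cache_name(start_url)}
    if start_url.endswith("#"):
        names["hash_stripped"] = cache_name(start_url[:-1])
    return names


def check_profiles(config_text: str, cache_dir: Path) -> dict:
    """Map each SSO profile to its candidate cache files and whether each exists."""
    # RawConfigParser has no inline-comment prefixes, so a trailing '#' stays in the value.
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    report = {}
    for section in parser.sections():
        if not parser.has_option(section, "sso_start_url"):
            continue
        url = parser.get(section, "sso_start_url")
        report[section] = {
            label: (name, (cache_dir / name).is_file())
            for label, name in candidate_names(url).items()
        }
    return report


if __name__ == "__main__":
    cache = Path.home() / ".aws" / "sso" / "cache"
    for profile, found in check_profiles(SAMPLE_CONFIG, cache).items():
        for label, (name, exists) in found.items():
            print(f"{profile}: {label:13} {name} {'present' if exists else 'missing'}")
```

If only the `as_written` file is present after `aws sso login`, a client that hashes the stripped URL looks for a file that does not exist, which matches the behavior reported above.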