Changed the default value of SSOAWSCredentialsOptions.SupportsGettingNewToken as false and improved error messaging if required SSO options are missing while generating new credentials.

Author: ashishdhingra

generator/.DevConfigs/b39b85e0-42cc-4aac-a699-8dd1795a5fb0.json

@@ -0,0 +1,9 @@
+{
+    "core": {
+      "changeLogMessages": [
+        "Changed the default value of SSOAWSCredentialsOptions.SupportsGettingNewToken as false and improved error messaging if required SSO options are missing while generating new credentials."
+      ],
+        "type": "patch",
+        "updateMinimum": true
+    }
+}

sdk/src/Core/Amazon.Runtime/Credentials/Internal/_bcl+netstandard/SSOTokenManager.cs

@@ -15,6 +15,7 @@
 
 using System;
 using System.Collections.Concurrent;
+using System.Collections.Generic;
 using System.Net;
 using System.Threading;
 using System.Threading.Tasks;
@@ -220,7 +221,8 @@ public SsoToken GetToken(SSOTokenManagerGetTokenOptions options)
                     }
                     catch (Exception ex)
                     {
-                        _logger.Error(ex, $"Refreshing SSOToken for [{options.StartUrl}] failed: {ex.Message}");
+                        // Exception message from SSOIDC client has text along with HTTP Body as JSON string.
+                        _logger.Error(ex, $"Refreshing SSOToken for [{options.StartUrl}] failed: {ex.Message.Replace("{", "{{").Replace("}", "}}")}");
                         //if refreshing the token failed that means the refresh token was expired.
                         //if the refresh token is expired and access token is expired and if the user specifies a callback with 
                         //option.SupportsGettingNewToken is true then we will generate a new token.
@@ -484,7 +486,8 @@ public async Task<SsoToken> GetTokenAsync(SSOTokenManagerGetTokenOptions options
                     }
                     catch (Exception ex)
                     {
-                        _logger.Error(ex, $"Refreshing SSOToken for [{options.Session}] failed: {ex.Message}");
+                        // Exception message from SSOIDC client has text along with HTTP Body as JSON string.
+                        _logger.Error(ex, $"Refreshing SSOToken for [{options.Session}] failed: {ex.Message.Replace("{", "{{").Replace("}", "}}")}");
                         if (ssoToken.IsExpired() && options.SupportsGettingNewToken)
                         {
                             return await GenerateNewTokenAsync(options, cancellationToken).ConfigureAwait(false);
@@ -612,24 +615,11 @@ public async Task LogoutAsync(SSOTokenManagerGetTokenOptions options, Cancellati
 
         private async Task<SsoToken> GenerateNewTokenAsync(SSOTokenManagerGetTokenOptions options, CancellationToken cancellationToken = default)
         {
-            if (string.IsNullOrEmpty(options.ClientName))
-            {
-                throw new ArgumentNullException($"Options property cannot be empty: {nameof(options.ClientName)}");
-            }
+            var emptyProperties = GetEmptySSOTokenOptions(options);
 
-            if (options.PkceFlowOptions == null)
-            {
-                if (options.SsoVerificationCallback == null)
-                {
-                    throw new ArgumentNullException($"Options property cannot be empty: {nameof(options.SsoVerificationCallback)}");
-                }
-            }
-            else
+            if (emptyProperties.Count > 0)
             {
-                if (options.PkceFlowOptions.RetrieveAuthorizationCodeCallbackAsync == null)
-                {
-                    throw new ArgumentNullException($"Options property cannot be empty: {nameof(options.PkceFlowOptions.RetrieveAuthorizationCodeCallbackAsync)}");
-                }
+                throw new AmazonClientException($"Error generating new SSO token. Options properties cannot be empty: {string.Join(", ", emptyProperties)}");
             }
 
             var request = new GetSsoTokenRequest
@@ -664,6 +654,33 @@ private async Task<SsoToken> GenerateNewTokenAsync(SSOTokenManagerGetTokenOption
 
             return token;
         }
+
+        private static List<string> GetEmptySSOTokenOptions(SSOTokenManagerGetTokenOptions options)
+        {
+            var emptyProperties = new List<string>();
+
+            if (string.IsNullOrEmpty(options.ClientName))
+            {
+                emptyProperties.Add(nameof(options.ClientName));
+            }
+
+            if (options.PkceFlowOptions == null)
+            {
+                if (options.SsoVerificationCallback == null)
+                {
+                    emptyProperties.Add(nameof(options.SsoVerificationCallback));
+                }
+            }
+            else
+            {
+                if (options.PkceFlowOptions.RetrieveAuthorizationCodeCallbackAsync == null)
+                {
+                    emptyProperties.Add(nameof(options.PkceFlowOptions.RetrieveAuthorizationCodeCallbackAsync));
+                }
+            }
+
+            return emptyProperties;
+        }
 #endif
 
         private static SsoToken MapGetSsoTokenResponseToSsoToken(GetSsoTokenResponse response, string session)

sdk/src/Core/Amazon.Runtime/Credentials/_bcl+netstandard/SSOAWSCredentialsOptions.cs

@@ -94,7 +94,7 @@ public class SSOAWSCredentialsOptions
         /// NOTE: If setting to <c>true</c>, either <see cref="SsoVerificationCallback"/> or <see cref="PkceFlowOptions"/> must 
         /// also be set for authorization flow to succeed.
         /// </summary>
-        public bool SupportsGettingNewToken { get; set; } = true;
+        public bool SupportsGettingNewToken { get; set; } = false;
 
         /// <summary>
         /// The proxy settings to use when calling SSOOIDC and SSO Services.