sso: use new 'confirm match' device code flow (#3829)

nkomonen-amazon · web-flow · commit a9eb3b5ba199 · 2023-09-15T16:48:04.000Z
Problem:

Before this commit, the BuilderID/Identity Center sso flow
would require the user to copy a code and paste it in the
browser window to confirm their device.

Solution:

Now, with new changes from the identity team, if we pass
the device code in the URL a different flow will be shown
in the browser which asks them to instead confirm the
code instead of pasting it.

- This commit has users go through the new flow
- Copying code functionality is removed
- The information messages are updated to mention the requirement
  to confirm the code in the browser

Signed-off-by: nkomonen &lt;nkomonen@amazon.com&gt;
diff --git a/src/auth/sso/model.ts b/src/auth/sso/model.ts
@@ -86,43 +86,51 @@ export function truncateStartUrl(startUrl: string) {
     return startUrl.match(/https?:\/\/(.*)\.awsapps\.com\/start/)?.[1] ?? startUrl
 }
 
-export async function openSsoPortalLink(
-    startUrl: string,
-    authorization: { readonly verificationUri: string; readonly userCode: string }
-): Promise<boolean> {
-    async function copyCodeAndOpenLink() {
-        await vscode.env.clipboard.writeText(authorization.userCode).then(undefined, err => {
-            getLogger().warn(`auth: failed to copy user code "${authorization.userCode}" to clipboard: %s`, err)
-        })
-
-        const didOpen = await vscode.env.openExternal(vscode.Uri.parse(authorization.verificationUri))
-        if (!didOpen) {
+type Authorization = { readonly verificationUri: string; readonly userCode: string }
+
+export const proceedToBrowser = localize('AWS.auth.loginWithBrowser.proceedToBrowser', 'Proceed To Browser')
+
+export async function openSsoPortalLink(startUrl: string, authorization: Authorization): Promise<boolean> {
+    /**
+     * Depending on the verification URL + parameters used, the way the sso login flow works changes.
+     * Previously, users were asked to copy and paste a device code in to the browser page.
+     *
+     * Now, with the URL this function creates, the user will instead be asked to confirm the device code
+     * in the browser.
+     */
+    function makeConfirmCodeUrl(authorization: Authorization): vscode.Uri {
+        return vscode.Uri.parse(`${authorization.verificationUri}?user_code=${authorization.userCode}`)
+    }
+
+    async function openSsoUrl() {
+        const ssoLoginUrl = makeConfirmCodeUrl(authorization)
+        const didOpenUrl = await vscode.env.openExternal(ssoLoginUrl)
+
+        if (!didOpenUrl) {
             throw new ToolkitError(`User clicked 'Copy' or 'Cancel' during the Trusted Domain popup`, {
                 code: trustedDomainCancellation,
                 name: trustedDomainCancellation,
             })
         }
-        return didOpen
+        return didOpenUrl
     }
 
     async function showLoginNotification() {
         const name = startUrl === builderIdStartUrl ? localizedText.builderId() : localizedText.iamIdentityCenterFull()
-        const title = localize('AWS.auth.loginWithBrowser.messageTitle', 'Copy Code for {0}', name)
+        const title = localize('AWS.auth.loginWithBrowser.messageTitle', 'Confirm Code for {0}', name)
         const detail = localize(
             'AWS.auth.loginWithBrowser.messageDetail',
-            'To proceed, open the login page and provide this code to confirm the access request: {0}',
+            'Confirm this code in the browser: {0}',
             authorization.userCode
         )
-        const copyCode = localize('AWS.auth.loginWithBrowser.copyCodeAction', 'Copy Code and Proceed')
-        const options = { modal: true, detail } as vscode.MessageOptions
 
         while (true) {
             // TODO: add the 'Help' item back once we have a suitable URL
             // const resp = await vscode.window.showInformationMessage(title, options, copyCode, localizedText.help)
-            const resp = await vscode.window.showInformationMessage(title, options, copyCode)
+            const resp = await vscode.window.showInformationMessage(title, { modal: true, detail }, proceedToBrowser)
             switch (resp) {
-                case copyCode:
-                    return copyCodeAndOpenLink()
+                case proceedToBrowser:
+                    return openSsoUrl()
                 case localizedText.help:
                     await tryOpenHelpUrl(ssoAuthHelpUrl)
                     continue
diff --git a/src/auth/sso/ssoAccessTokenProvider.ts b/src/auth/sso/ssoAccessTokenProvider.ts
@@ -234,7 +234,7 @@ async function pollForTokenWithProgress<T>(
         {
             title: localize(
                 'AWS.auth.loginWithBrowser.messageDetail',
-                'Login page opened in browser. When prompted, provide this code: {0}',
+                'Confirm code "{0}" in the login page opened in your web browser.',
                 authorization.userCode
             ),
             cancellable: true,
diff --git a/src/test/credentials/sso/model.test.ts b/src/test/credentials/sso/model.test.ts
@@ -4,10 +4,8 @@
  */
 
 import assert from 'assert'
-import * as vscode from 'vscode'
-import { openSsoPortalLink } from '../../../auth/sso/model'
+import { openSsoPortalLink, proceedToBrowser } from '../../../auth/sso/model'
 import { assertTelemetry } from '../../testUtil'
-import { CancellationError } from '../../../shared/utilities/timeoutUtils'
 import { getOpenExternalStub } from '../../globalSetup.test'
 import { getTestWindow } from '../../shared/vscode/window'
 
@@ -19,16 +17,16 @@ describe('openSsoPortalLink', function () {
     const userCode = 'user-code'
     const verificationUri = 'https://example.com/'
     async function runFlow(...actions: ('open' | 'help' | 'cancel')[]) {
-        const copyCode = /copy code/i
+        const confirmCode = /Confirm Code for/
         const waitForMessage = async (): Promise<void> =>
             getTestWindow()
-                .waitForMessage(copyCode)
+                .waitForMessage(confirmCode)
                 .then(m => {
                     assert.ok(m.detail?.includes(userCode), 'Expected message to show the user verification code')
 
                     const action = actions.shift()
                     if (action === 'open') {
-                        m.selectItem(copyCode)
+                        m.selectItem(proceedToBrowser)
                     } else if (action === 'help') {
                         m.selectItem(/help/i)
                         return waitForMessage()
@@ -40,24 +38,13 @@ describe('openSsoPortalLink', function () {
         await Promise.all([waitForMessage(), openSsoPortalLink('', { verificationUri, userCode })])
     }
 
-    it('copies to the clipboard and opens a link when selecting the open URL option', async function () {
+    it('opens a "confirm code" link when selecting the open URL option', async function () {
         await runFlow('open')
         assert.ok(getOpenExternalStub().calledOnce)
-        assert.strictEqual(getOpenExternalStub().args[0].toString(), verificationUri)
-        assert.strictEqual(await vscode.env.clipboard.readText(), userCode)
+        assert.strictEqual(getOpenExternalStub().args[0].toString(), `${verificationUri}?user_code%3D${userCode}`)
         assertTelemetry('aws_loginWithBrowser', { result: 'Succeeded' })
     })
 
-    it('does not copy code to clipboard or opens links if the user cancels', async function () {
-        // This isn't mocked/stubbed so it'll clear the test runners clipboard
-        await vscode.env.clipboard.writeText('')
-        const result = await runFlow('cancel').catch(e => e)
-        assert.ok(getOpenExternalStub().notCalled)
-        assert.ok(result instanceof CancellationError)
-        assert.strictEqual(await vscode.env.clipboard.readText(), '')
-        assertTelemetry('aws_loginWithBrowser', { result: 'Cancelled', reason: 'user' })
-    })
-
     it('continues to show the notification if the user selects help', async function () {
         this.skip()
         await runFlow('help', 'open')
diff --git a/src/test/credentials/sso/ssoAccessTokenProvider.test.ts b/src/test/credentials/sso/ssoAccessTokenProvider.test.ts
@@ -12,7 +12,7 @@ import { getCache } from '../../../auth/sso/cache'
 
 import { instance, mock, when, anything, reset } from '../../utilities/mockito'
 import { makeTemporaryToolkitFolder, tryRemoveFolder } from '../../../shared/filesystemUtilities'
-import { ClientRegistration, SsoToken } from '../../../auth/sso/model'
+import { ClientRegistration, SsoToken, proceedToBrowser } from '../../../auth/sso/model'
 import { OidcClient } from '../../../auth/sso/clients'
 import { CancellationError } from '../../../shared/utilities/timeoutUtils'
 import {
@@ -189,7 +189,7 @@ describe('SsoAccessTokenProvider', function () {
     describe('createToken', function () {
         beforeEach(function () {
             getTestWindow().onDidShowMessage(m => {
-                if (m.items[0]?.title.match(/copy code/i)) {
+                if (m.items[0]?.title.match(proceedToBrowser)) {
                     m.items[0].select()
                 }
             })

Original file line number	Diff line number	Diff line change
`@@ -234,7 +234,7 @@ async function pollForTokenWithProgress<T>(`
`234`	`234`	`{`
`235`	`235`	`title: localize(`
`236`	`236`	`'AWS.auth.loginWithBrowser.messageDetail',`
`237`		`- 'Login page opened in browser. When prompted, provide this code: {0}',`
	`237`	`+ 'Confirm code "{0}" in the login page opened in your web browser.',`
`238`	`238`	`authorization.userCode`
`239`	`239`	`),`
`240`	`240`	`cancellable: true,`