feat: Enable Authorization Code + PKCE flow (#4974)

* remove PKCE feature flag

- Now we run Device Code if we are in an ssh workspace
- Otherwise we run the Authorization code flow

Signed-off-by: Nikolas Komonen <[email protected]>

* use new oidc client, remove our temp one

Since the new OIDC client with Authorization Code flow was
not released we had to use a pre-build version.

Now that the new client is released we can actually use it.

Solution:

This commit removes the old temp OIDC client and simply uses
our existing one with minor modifications to get things working.

Also we were required to update some transitive dependencies which
is why there are 'smithy' related dependency changes

Signed-off-by: Nikolas Komonen <[email protected]>

* get tests working + changelog items

Signed-off-by: Nikolas Komonen <[email protected]>

---------

Signed-off-by: Nikolas Komonen <[email protected]>

Author: nkomonen-amazon

package-lock.json

@@ -0,0 +1,4 @@
+{
+	"type": "Feature",
+	"description": "New SSO Authorization Code flow for faster logins"
+}

packages/amazonq/.changes/next-release/Feature-1fd5f451-8d50-4e44-b17e-d0cb77ca0c5e.json

@@ -4042,7 +4042,7 @@
         "@aws-sdk/client-cognito-identity": "3.490.0",
         "@aws-sdk/client-lambda": "3.385.0",
         "@aws-sdk/client-sso": "^3.342.0",
-        "@aws-sdk/client-sso-oidc": "^3.181.0",
+        "@aws-sdk/client-sso-oidc": "^3.574.0",
         "@aws-sdk/credential-provider-ini": "3.46.0",
         "@aws-sdk/credential-provider-process": "3.37.0",
         "@aws-sdk/credential-provider-sso": "^3.345.0",
@@ -4052,7 +4052,11 @@
         "@aws/mynah-ui": "^4.8.0",
         "@gerhobbelt/gitignore-parser": "^0.2.0-9",
         "@iarna/toml": "^2.2.5",
+        "@smithy/middleware-retry": "^2.3.1",
+        "@smithy/protocol-http": "^3.3.0",
+        "@smithy/service-error-classification": "^2.1.5",
         "@smithy/shared-ini-file-loader": "^2.2.8",
+        "@smithy/util-retry": "^2.2.0",
         "@vscode/debugprotocol": "^1.57.0",
         "adm-zip": "^0.5.10",
         "amazon-s3-uri": "^0.1.1",

packages/core/package.json

@@ -245,10 +245,6 @@ void (async () => {
             serviceJsonPath: 'src/amazonqFeatureDev/client/codewhispererruntime-2022-11-11.json',
             serviceName: 'FeatureDevProxyClient',
         },
-        {
-            serviceJsonPath: 'src/auth/sso/service-2.json',
-            serviceName: 'OidcClientPKCE',
-        },
     ]
     await generateServiceClients(serviceClientDefinitions)
 })()

packages/core/scripts/build/generateServiceClient.ts

@@ -31,19 +31,15 @@ import { SsoAccessTokenProvider } from './ssoAccessTokenProvider'
 import { isClientFault } from '../../shared/errors'
 import { DevSettings } from '../../shared/settings'
 import { SdkError } from '@aws-sdk/types'
-import { HttpRequest, HttpResponse } from '@aws-sdk/protocol-http'
-import { StandardRetryStrategy, defaultRetryDecider } from '@aws-sdk/middleware-retry'
-import OidcClientPKCE from './oidcclientpkce'
+import { HttpRequest, HttpResponse } from '@smithy/protocol-http'
+import { StandardRetryStrategy, defaultRetryDecider } from '@smithy/middleware-retry'
+import { AuthenticationFlow } from './model'
 import { toSnakeCase } from '../../shared/utilities/textUtilities'
-import { Credentials, Service } from 'aws-sdk'
-import apiConfig = require('./service-2.json')
-import { ServiceOptions } from '../../shared/awsClientBuilder'
-import { ClientRegistration } from './model'
 
 export class OidcClient {
     public constructor(private readonly client: SSOOIDC, private readonly clock: { Date: typeof Date }) {}
 
-    public async registerClient(request: RegisterClientRequest) {
+    public async registerClient(request: RegisterClientRequest, flow?: AuthenticationFlow) {
         const response = await this.client.registerClient(request)
         assertHasProps(response, 'clientId', 'clientSecret', 'clientSecretExpiresAt')
 
@@ -52,6 +48,7 @@ export class OidcClient {
             clientId: response.clientId,
             clientSecret: response.clientSecret,
             expiresAt: new this.clock.Date(response.clientSecretExpiresAt * 1000),
+            ...(flow ? { flow } : {}),
         }
     }
 
@@ -66,6 +63,23 @@ export class OidcClient {
         }
     }
 
+    public async authorize(request: {
+        responseType: string
+        clientId: string
+        redirectUri: string
+        scopes: string[]
+        state: string
+        codeChallenge: string
+        codeChallengeMethod: string
+    }) {
+        // aws sdk doesn't convert to url params until right before you make the request, so we have to do
+        // it manually ahead of time
+        const params = toSnakeCase(request)
+        const searchParams = new URLSearchParams(params).toString()
+        const region = await this.client.config.region()
+        return `https://oidc.${region}.amazonaws.com/authorize?${searchParams}`
+    }
+
     public async createToken(request: CreateTokenRequest) {
         const response = await this.client.createToken(request as CreateTokenRequest)
         assertHasProps(response, 'accessToken', 'expiresIn')
@@ -100,79 +114,6 @@ export class OidcClient {
     }
 }
 
-export class OidcClientV2 {
-    public constructor(private readonly region: string, private readonly clock: { Date: typeof Date }) {}
-
-    /**
-     * TODO remove this when the real client gets created.
-     *
-     * Creating a new client is required because the old sdk seems to drop unknown parameters from requests
-     */
-    private async createNewClient() {
-        return (await globals.sdkClientBuilder.createAwsService(
-            Service,
-            {
-                apiConfig,
-                region: this.region,
-                credentials: new Credentials({ accessKeyId: 'xxx', secretAccessKey: 'xxx' }),
-            } as ServiceOptions,
-            undefined
-        )) as OidcClientPKCE
-    }
-
-    public async registerClient(request: OidcClientPKCE.RegisterClientRequest): Promise<ClientRegistration> {
-        const client = await this.createNewClient()
-        const response = await client.makeUnauthenticatedRequest('registerClient', request).promise()
-        assertHasProps(response, 'clientId', 'clientSecret', 'clientSecretExpiresAt')
-
-        return {
-            scopes: request.scopes,
-            clientId: response.clientId,
-            clientSecret: response.clientSecret,
-            expiresAt: new this.clock.Date(response.clientSecretExpiresAt * 1000),
-            flow: 'auth code',
-        }
-    }
-
-    public async authorize(request: OidcClientPKCE.AuthorizeRequest) {
-        // aws sdk doesn't convert to url params until right before you make the request, so we have to do
-        // it manually ahead of time
-        const params = toSnakeCase(request)
-        const searchParams = new URLSearchParams(params).toString()
-        return `https://oidc.${this.region}.amazonaws.com/authorize?${searchParams}`
-    }
-
-    public async startDeviceAuthorization(request: StartDeviceAuthorizationRequest): Promise<{
-        expiresAt: Date
-        interval: number | undefined
-        deviceCode: string
-        userCode: string
-        verificationUri: string
-    }> {
-        throw new Error('OidcClientV2 does not support device authorization')
-    }
-
-    public async createToken(request: OidcClientPKCE.CreateTokenRequest): Promise<{
-        accessToken: string
-        expiresAt: Date
-        tokenType?: string | undefined
-        refreshToken?: string | undefined
-    }> {
-        const client = await this.createNewClient()
-        const response = await client.makeUnauthenticatedRequest('createToken', request).promise()
-        assertHasProps(response, 'accessToken', 'expiresIn')
-
-        return {
-            ...selectFrom(response, 'accessToken', 'refreshToken', 'tokenType'),
-            expiresAt: new this.clock.Date(response.expiresIn * 1000 + this.clock.Date.now()),
-        }
-    }
-
-    public static create(region: string) {
-        return new this(region, globals.clock)
-    }
-}
-
 type OmittedProps = 'accessToken' | 'nextToken'
 type ExtractOverload<T, U> = T extends {
     (...args: infer P1): infer R1

packages/core/src/auth/sso/clients.ts

@@ -5,7 +5,12 @@
 
 import * as vscode from 'vscode'
 import globals from '../../shared/extensionGlobals'
-import { AuthorizationPendingException, SSOOIDCServiceException, SlowDownException } from '@aws-sdk/client-sso-oidc'
+import {
+    AuthorizationPendingException,
+    CreateTokenRequest,
+    SSOOIDCServiceException,
+    SlowDownException,
+} from '@aws-sdk/client-sso-oidc'
 import {
     SsoToken,
     ClientRegistration,
@@ -18,7 +23,7 @@ import {
 } from './model'
 import { getCache } from './cache'
 import { hasProps, hasStringProps, RequiredProps, selectFrom } from '../../shared/utilities/tsUtils'
-import { OidcClient, OidcClientV2 } from './clients'
+import { OidcClient } from './clients'
 import { loadOr } from '../../shared/utilities/cacheUtils'
 import {
     ToolkitError,
@@ -33,13 +38,12 @@ import { AwsLoginWithBrowser, AwsRefreshCredentials, Metric, telemetry } from '.
 import { indent } from '../../shared/utilities/textUtilities'
 import { AuthSSOServer } from './server'
 import { CancellationError, sleep } from '../../shared/utilities/timeoutUtils'
-import OidcClientPKCE from './oidcclientpkce'
 import { getIdeProperties, isCloud9 } from '../../shared/extensionUtilities'
 import { randomBytes, createHash } from 'crypto'
 import { UriHandler } from '../../shared/vscode/uriHandler'
-import { DevSettings } from '../../shared/settings'
 import { localize } from '../../shared/utilities/vsCodeUtils'
 import { randomUUID } from '../../common/crypto'
+import { isRemoteWorkspace } from '../../shared/vscode/env'
 
 export const authenticationPath = 'sso/authenticated'
 
@@ -98,7 +102,7 @@ export abstract class SsoAccessTokenProvider {
     public constructor(
         protected readonly profile: Pick<SsoProfile, 'startUrl' | 'region' | 'scopes' | 'identifier'>,
         protected readonly cache = getCache(),
-        protected readonly oidc: OidcClient | OidcClientV2 = OidcClient.create(profile.region)
+        protected readonly oidc: OidcClient = OidcClient.create(profile.region)
     ) {}
 
     public async invalidate(): Promise<void> {
@@ -249,12 +253,13 @@ export abstract class SsoAccessTokenProvider {
     public static create(
         profile: Pick<SsoProfile, 'startUrl' | 'region' | 'scopes' | 'identifier'>,
         cache = getCache(),
-        oidc: OidcClient = OidcClient.create(profile.region)
+        oidc: OidcClient = OidcClient.create(profile.region),
+        useDeviceFlow: () => boolean = isRemoteWorkspace
     ) {
-        if (!DevSettings.instance.get('pkceAuth', false)) {
+        if (useDeviceFlow()) {
             return new DeviceFlowAuthorization(profile, cache, oidc)
         }
-        return new AuthFlowAuthorization(profile, cache, OidcClientV2.create(profile.region))
+        return new AuthFlowAuthorization(profile, cache, oidc)
     }
 }
 
@@ -403,22 +408,25 @@ class AuthFlowAuthorization extends SsoAccessTokenProvider {
     constructor(
         profile: Pick<SsoProfile, 'startUrl' | 'region' | 'scopes' | 'identifier'>,
         cache = getCache(),
-        protected override readonly oidc: OidcClientV2
+        oidc: OidcClient
     ) {
         super(profile, cache, oidc)
     }
 
     override async registerClient(): Promise<ClientRegistration> {
         const companyName = getIdeProperties().company
-        return this.oidc.registerClient({
-            // All AWS extensions (Q, Toolkit) for a given IDE use the same client name.
-            clientName: isCloud9() ? `${companyName} Cloud9` : `${companyName} IDE Extensions for VSCode`,
-            clientType: clientRegistrationType,
-            scopes: this.profile.scopes,
-            grantTypes: [authorizationGrantType, refreshGrantType],
-            redirectUris: ['http://127.0.0.1/oauth/callback'],
-            issuerUrl: this.profile.startUrl,
-        })
+        return this.oidc.registerClient(
+            {
+                // All AWS extensions (Q, Toolkit) for a given IDE use the same client name.
+                clientName: isCloud9() ? `${companyName} Cloud9` : `${companyName} IDE Extensions for VSCode`,
+                clientType: clientRegistrationType,
+                scopes: this.profile.scopes,
+                grantTypes: [authorizationGrantType, refreshGrantType],
+                redirectUris: ['http://127.0.0.1/oauth/callback'],
+                issuerUrl: this.profile.startUrl,
+            },
+            'auth code'
+        )
     }
 
     override async authorize(
@@ -455,7 +463,7 @@ class AuthFlowAuthorization extends SsoAccessTokenProvider {
                     throw authorizationCode.err()
                 }
 
-                const tokenRequest: OidcClientPKCE.CreateTokenRequest = {
+                const tokenRequest: CreateTokenRequest = {
                     clientId: registration.clientId,
                     clientSecret: registration.clientSecret,
                     grantType: authorizationGrantType,

packages/core/src/auth/sso/ssoAccessTokenProvider.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 import { CodeWhispererStreaming } from '@amzn/codewhisperer-streaming'
-import { ConfiguredRetryStrategy } from '@aws-sdk/util-retry'
+import { ConfiguredRetryStrategy } from '@smithy/util-retry'
 import { getCodewhispererConfig } from '../../codewhisperer/client/codewhisperer'
 import { AuthUtil } from '../../codewhisperer/util/authUtil'
 

packages/core/src/shared/clients/codewhispererChatClient.ts

@@ -6,7 +6,7 @@
 import * as vscode from 'vscode'
 import { AWSError } from 'aws-sdk'
 import { ServiceException } from '@aws-sdk/smithy-client'
-import { isThrottlingError, isTransientError } from '@aws-sdk/service-error-classification'
+import { isThrottlingError, isTransientError } from '@smithy/service-error-classification'
 import { Result } from './telemetry/telemetry'
 import { CancellationError } from './utilities/timeoutUtils'
 import { isNonNullable } from './utilities/tsUtils'

packages/core/src/shared/errors.ts

@@ -728,7 +728,6 @@ const devSettings = {
     codewhispererService: Record(String, String),
     ssoCacheDirectory: String,
     enableIamPolicyChecksFeature: Boolean,
-    pkceAuth: Boolean,
     autofillStartUrl: String,
 }
 type ResolvedDevSettings = FromDescriptor<typeof devSettings>

packages/core/src/shared/settings.ts

@@ -87,7 +87,7 @@ describe('SsoAccessTokenProvider', function () {
         oidcClient = stub(OidcClient)
         tempDir = await makeTemporaryTokenCacheFolder()
         cache = getCache(tempDir)
-        sut = SsoAccessTokenProvider.create({ region, startUrl }, cache, oidcClient)
+        sut = SsoAccessTokenProvider.create({ region, startUrl }, cache, oidcClient, () => true)
     })
 
     afterEach(async function () {