Merge pull request #4664 from aws/jpinkney-aws/new-auth

auth: Implement authorization grant with pkce

Author: jpinkney-aws

.eslintignore

@@ -11,9 +11,11 @@ src/shared/telemetry/clienttelemetry.d.ts
 src/codewhisperer/client/codewhispererclient.d.ts
 src/codewhisperer/client/codewhispereruserclient.d.ts
 src/amazonqFeatureDev/client/featuredevproxyclient.d.ts
+src/auth/sso/oidcclientpkce.d.ts
 src/testFixtures/**
 packages/core/src/shared/telemetry/clienttelemetry.d.ts
 packages/core/src/codewhisperer/client/codewhispererclient.d.ts
 packages/core/src/codewhisperer/client/codewhispereruserclient.d.ts
 packages/core/src/amazonqFeatureDev/client/featuredevproxyclient.d.ts
+packages/core/src/auth/sso/oidcclientpkce.d.ts
 packages/core/src/testFixtures/**

.gitignore

@@ -31,6 +31,7 @@ packages/core/src/shared/telemetry/clienttelemetry.d.ts
 packages/core/src/codewhisperer/client/codewhispererclient.d.ts
 packages/core/src/codewhisperer/client/codewhispereruserclient.d.ts
 packages/core/src/amazonqFeatureDev/client/featuredevproxyclient.d.ts
+packages/core/src/auth/sso/oidcclientpkce.d.ts
 
 # Generated by tests
 packages/core/src/testFixtures/**/bin

packages/amazonq/src/extensionShared.ts

@@ -55,7 +55,7 @@ export async function activateShared(context: vscode.ExtensionContext) {
 
     await activateTelemetry(context, globals.awsContext, Settings.instance)
 
-    await initializeAuth(context, globals.awsContext, globals.loginManager, contextPrefix)
+    await initializeAuth(context, globals.loginManager, contextPrefix, undefined)
 
     await activateCodeWhisperer(extContext as ExtContext)
     await activateCWChat(context)

packages/core/scripts/build/generateServiceClient.ts

@@ -245,6 +245,10 @@ void (async () => {
             serviceJsonPath: 'src/amazonqFeatureDev/client/codewhispererruntime-2022-11-11.json',
             serviceName: 'FeatureDevProxyClient',
         },
+        {
+            serviceJsonPath: 'src/auth/sso/service-2.json',
+            serviceName: 'OidcClientPKCE',
+        },
     ]
     await generateServiceClients(serviceClientDefinitions)
 })()

packages/core/src/auth/activation.ts

@@ -4,7 +4,6 @@
  */
 
 import * as vscode from 'vscode'
-import { AwsContext } from '../shared/awsContext'
 import { Auth } from './auth'
 import { LoginManager } from './deprecated/loginManager'
 import { fromString } from './providers/credentials'
@@ -14,12 +13,14 @@ import { isCloud9 } from '../shared/extensionUtilities'
 import { isInDevEnv } from '../shared/vscode/env'
 import { registerCommands, getShowManageConnections } from './ui/vue/show'
 import { isWeb } from '../common/webUtils'
+import { UriHandler } from '../shared/vscode/uriHandler'
+import { authenticationPath } from './sso/ssoAccessTokenProvider'
 
 export async function initialize(
     extensionContext: vscode.ExtensionContext,
-    awsContext: AwsContext,
     loginManager: LoginManager,
-    contextPrefix: string
+    contextPrefix: string,
+    uriHandler?: UriHandler
 ): Promise<void> {
     Auth.instance.onDidChangeActiveConnection(async conn => {
         // This logic needs to be moved to `Auth.useConnection` to correctly record `passive`
@@ -36,6 +37,11 @@ export async function initialize(
     extensionContext.subscriptions.push(getShowManageConnections())
 
     await showManageConnectionsOnStartup()
+
+    uriHandler?.onPath(`/${authenticationPath}`, () => {
+        // TODO emit telemetry
+        getLogger().info('authenticated')
+    })
 }
 
 /**

packages/core/src/auth/auth.ts

@@ -16,7 +16,7 @@ import { SsoAccessTokenProvider } from './sso/ssoAccessTokenProvider'
 import { Timeout } from '../shared/utilities/timeoutUtils'
 import { errorCode, isAwsError, isNetworkError, ToolkitError, UnknownError } from '../shared/errors'
 import { getCache } from './sso/cache'
-import { createFactoryFunction, isNonNullable, Mutable } from '../shared/utilities/tsUtils'
+import { isNonNullable, Mutable } from '../shared/utilities/tsUtils'
 import { builderIdStartUrl, SsoToken, truncateStartUrl } from './sso/model'
 import { SsoClient } from './sso/clients'
 import { getLogger } from '../shared/logger'
@@ -141,7 +141,7 @@ export class Auth implements AuthService, ConnectionManager {
         private readonly store: ProfileStore,
         private readonly iamProfileProvider = CredentialsProviderManager.getInstance(),
         private readonly createSsoClient = SsoClient.create.bind(SsoClient),
-        private readonly createSsoTokenProvider = createFactoryFunction(SsoAccessTokenProvider)
+        private readonly createSsoTokenProvider = SsoAccessTokenProvider.create.bind(SsoAccessTokenProvider)
     ) {}
 
     #activeConnection: Mutable<StatefulConnection> | undefined

packages/core/src/auth/providers/sharedCredentialsProvider.ts

@@ -104,7 +104,7 @@ export class SharedCredentialsProvider implements CredentialsProvider {
 
     public async canAutoConnect(): Promise<boolean> {
         if (isSsoProfile(this.profile)) {
-            const tokenProvider = new SsoAccessTokenProvider({
+            const tokenProvider = SsoAccessTokenProvider.create({
                 region: this.profile[SharedCredentialsKeys.SSO_REGION]!,
                 startUrl: this.profile[SharedCredentialsKeys.SSO_START_URL]!,
             })
@@ -353,7 +353,7 @@ export class SharedCredentialsProvider implements CredentialsProvider {
         }
 
         const region = ssoProfile.ssoRegion
-        const tokenProvider = new SsoAccessTokenProvider({ ...ssoProfile, region })
+        const tokenProvider = SsoAccessTokenProvider.create({ ...ssoProfile, region })
         const client = SsoClient.create(region, tokenProvider)
 
         return async () => {

packages/core/src/auth/sso/clients.ts

@@ -33,6 +33,12 @@ import { DevSettings } from '../../shared/settings'
 import { SdkError } from '@aws-sdk/types'
 import { HttpRequest, HttpResponse } from '@aws-sdk/protocol-http'
 import { StandardRetryStrategy, defaultRetryDecider } from '@aws-sdk/middleware-retry'
+import OidcClientPKCE from './oidcclientpkce'
+import { toSnakeCase } from '../../shared/utilities/textUtilities'
+import { Credentials, Service } from 'aws-sdk'
+import apiConfig = require('./service-2.json')
+import { ServiceOptions } from '../../shared/awsClientBuilder'
+import { ClientRegistration } from './model'
 
 export class OidcClient {
     public constructor(private readonly client: SSOOIDC, private readonly clock: { Date: typeof Date }) {}
@@ -94,6 +100,79 @@ export class OidcClient {
     }
 }
 
+export class OidcClientV2 {
+    public constructor(private readonly region: string, private readonly clock: { Date: typeof Date }) {}
+
+    /**
+     * TODO remove this when the real client gets created.
+     *
+     * Creating a new client is required because the old sdk seems to drop unknown parameters from requests
+     */
+    private async createNewClient() {
+        return (await globals.sdkClientBuilder.createAwsService(
+            Service,
+            {
+                apiConfig,
+                region: this.region,
+                credentials: new Credentials({ accessKeyId: 'xxx', secretAccessKey: 'xxx' }),
+            } as ServiceOptions,
+            undefined
+        )) as OidcClientPKCE
+    }
+
+    public async registerClient(request: OidcClientPKCE.RegisterClientRequest): Promise<ClientRegistration> {
+        const client = await this.createNewClient()
+        const response = await client.makeUnauthenticatedRequest('registerClient', request).promise()
+        assertHasProps(response, 'clientId', 'clientSecret', 'clientSecretExpiresAt')
+
+        return {
+            scopes: request.scopes,
+            clientId: response.clientId,
+            clientSecret: response.clientSecret,
+            expiresAt: new this.clock.Date(response.clientSecretExpiresAt * 1000),
+            flow: 'auth code',
+        }
+    }
+
+    public async authorize(request: OidcClientPKCE.AuthorizeRequest) {
+        // aws sdk doesn't convert to url params until right before you make the request, so we have to do
+        // it manually ahead of time
+        const params = toSnakeCase(request)
+        const searchParams = new URLSearchParams(params).toString()
+        return `https://oidc.${this.region}.amazonaws.com/authorize?${searchParams}`
+    }
+
+    public async startDeviceAuthorization(request: StartDeviceAuthorizationRequest): Promise<{
+        expiresAt: Date
+        interval: number | undefined
+        deviceCode: string
+        userCode: string
+        verificationUri: string
+    }> {
+        throw new Error('OidcClientV2 does not support device authorization')
+    }
+
+    public async createToken(request: OidcClientPKCE.CreateTokenRequest): Promise<{
+        accessToken: string
+        expiresAt: Date
+        tokenType?: string | undefined
+        refreshToken?: string | undefined
+    }> {
+        const client = await this.createNewClient()
+        const response = await client.makeUnauthenticatedRequest('createToken', request).promise()
+        assertHasProps(response, 'accessToken', 'expiresIn')
+
+        return {
+            ...selectFrom(response, 'accessToken', 'refreshToken', 'tokenType'),
+            expiresAt: new this.clock.Date(response.expiresIn * 1000 + this.clock.Date.now()),
+        }
+    }
+
+    public static create(region: string) {
+        return new this(region, globals.clock)
+    }
+}
+
 type OmittedProps = 'accessToken' | 'nextToken'
 type ExtractOverload<T, U> = T extends {
     (...args: infer P1): infer R1

packages/core/src/auth/sso/model.ts

@@ -45,6 +45,8 @@ export interface SsoToken {
     readonly refreshToken?: string
 }
 
+export type AuthenticationFlow = 'auth code'
+
 export interface ClientRegistration {
     /**
      * Unique registration id.
@@ -65,6 +67,11 @@ export interface ClientRegistration {
      * Scope of the client registration. Applies to all tokens created using this registration.
      */
     readonly scopes?: string[]
+
+    /**
+     * The sso flow used to create this registration.
+     */
+    readonly flow?: AuthenticationFlow
 }
 
 export interface SsoProfile {
@@ -102,20 +109,6 @@ export async function openSsoPortalLink(startUrl: string, authorization: Authori
         return vscode.Uri.parse(`${authorization.verificationUri}?user_code=${authorization.userCode}`)
     }
 
-    async function openSsoUrl() {
-        const ssoLoginUrl = makeConfirmCodeUrl(authorization)
-        const didOpenUrl = await vscode.env.openExternal(ssoLoginUrl)
-
-        if (!didOpenUrl) {
-            throw new ToolkitError(`User clicked 'Copy' or 'Cancel' during the Trusted Domain popup`, {
-                code: trustedDomainCancellation,
-                name: trustedDomainCancellation,
-                cancelled: true,
-            })
-        }
-        return didOpenUrl
-    }
-
     async function showLoginNotification() {
         const name = startUrl === builderIdStartUrl ? localizedText.builderId() : localizedText.iamIdentityCenterFull()
         // C9 doesn't support `detail` field with modals so we need to put it all in the `title`
@@ -134,7 +127,7 @@ export async function openSsoPortalLink(startUrl: string, authorization: Authori
             const resp = await vscode.window.showInformationMessage(title, { modal: true, detail }, proceedToBrowser)
             switch (resp) {
                 case proceedToBrowser:
-                    return openSsoUrl()
+                    return openSsoUrl(makeConfirmCodeUrl(authorization))
                 case localizedText.help:
                     await tryOpenHelpUrl(ssoAuthHelpUrl)
                     continue
@@ -147,8 +140,25 @@ export async function openSsoPortalLink(startUrl: string, authorization: Authori
     return showLoginNotification()
 }
 
+export async function openSsoUrl(location: vscode.Uri) {
+    const didOpenUrl = await vscode.env.openExternal(location)
+
+    if (!didOpenUrl) {
+        throw new ToolkitError(`User clicked 'Copy' or 'Cancel' during the Trusted Domain popup`, {
+            code: trustedDomainCancellation,
+            name: trustedDomainCancellation,
+            cancelled: true,
+        })
+    }
+    return didOpenUrl
+}
+
 // Most SSO 'expirables' are fairly long lived, so a one minute buffer is plenty.
 const expirationBufferMs = 60000
 export function isExpired(expirable: { expiresAt: Date }): boolean {
     return globals.clock.Date.now() + expirationBufferMs >= expirable.expiresAt.getTime()
 }
+
+export function isDeprecatedAuth(registration: ClientRegistration): boolean {
+    return registration.flow === undefined || registration.flow !== 'auth code'
+}