feat: add 'external_idp' as a sso connection type (#679)

## Problem
Flare is very rigid about behavior between 'builderId' and
'identityCenter'

## Solution
Expose 'external_idp' as new case

<!---
    REMINDER:
    - Read CONTRIBUTING.md first.
    - Add test coverage for your changes.
    - Link to related issues/commits.
    - Testing: how did you test your changes?
    - Screenshots if applicable
-->

## License

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Author: rli

runtimes/runtimes/auth/auth.test.ts

@@ -361,7 +361,7 @@ describe('Auth', () => {
             assert.deepEqual(credentialsProvider.getConnectionType(), 'builderId')
         })
 
-        it('getConnectionType return identityCenter', async () => {
+        it('getConnectionType return identityCenter for start url', async () => {
             const CONNECTION_METADATA = {
                 sso: {
                     startUrl: 'https://idc.awsapps.com/start',
@@ -381,6 +381,46 @@ describe('Auth', () => {
             assert.deepEqual(credentialsProvider.getConnectionType(), 'identityCenter')
         })
 
+        it('getConnectionType return identityCenter for issuer url', async () => {
+            const CONNECTION_METADATA = {
+                sso: {
+                    startUrl: 'https://idc.awsapps.com/start',
+                },
+            }
+
+            const updateRequest: UpdateCredentialsParams = {
+                data: bearerCredentials,
+                metadata: CONNECTION_METADATA,
+                encrypted: false,
+            }
+            const auth = new Auth(serverConnection, lspRouter)
+            const credentialsProvider: CredentialsProvider = auth.getCredentialsProvider()
+
+            await clientConnection.sendRequest(credentialsProtocolMethodNames.bearerCredentialsUpdate, updateRequest)
+
+            assert.deepEqual(credentialsProvider.getConnectionType(), 'identityCenter')
+        })
+
+        it('getConnectionType return external_idp for non-IdC bearer', async () => {
+            const CONNECTION_METADATA = {
+                sso: {
+                    startUrl: 'https://some.nice.example.com',
+                },
+            }
+
+            const updateRequest: UpdateCredentialsParams = {
+                data: bearerCredentials,
+                metadata: CONNECTION_METADATA,
+                encrypted: false,
+            }
+            const auth = new Auth(serverConnection, lspRouter)
+            const credentialsProvider: CredentialsProvider = auth.getCredentialsProvider()
+
+            await clientConnection.sendRequest(credentialsProtocolMethodNames.bearerCredentialsUpdate, updateRequest)
+
+            assert.deepEqual(credentialsProvider.getConnectionType(), 'external_idp')
+        })
+
         it('getConnectionType return none', async () => {
             const CONNECTION_METADATA = {
                 sso: {},

runtimes/runtimes/auth/auth.ts

@@ -79,7 +79,38 @@ export class Auth {
             },
             getConnectionType: () => {
                 const startUrl = this.connectionMetadata?.sso?.startUrl
-                return !startUrl ? 'none' : startUrl.includes(BUILDER_ID_START_URL) ? 'builderId' : 'identityCenter'
+                if (!startUrl) {
+                    return 'none'
+                }
+
+                if (startUrl.includes(BUILDER_ID_START_URL)) {
+                    return 'builderId'
+                }
+
+                // Issuer format:
+                // Commercial: https://identitycenter.amazonaws.com/ssoins-...
+                // GovCloud: https://identitycenter.us-gov.amazonaws.com/ssoins-...
+                // China: https://identitycenter.amazonaws.com.cn/ssoins-...
+
+                // Start URL format:
+                //  Commercial: https://d-12345abcde.awsapps.com/start
+                //  GovCloud: https://start.us-gov-home.awsapps.com/directory/d-12345abcde
+                //  China: https://start.home.awsapps.cn/directory/d-12345abcde
+                if (!URL.canParse(startUrl)) {
+                    return 'none'
+                }
+                const host = new URL(startUrl).host
+
+                if (
+                    host.endsWith('.amazonaws.com') ||
+                    host.endsWith('.awsapps.com') ||
+                    host.endsWith('.amazonaws.cn') ||
+                    host.endsWith('.awsapps.cn')
+                ) {
+                    return 'identityCenter'
+                }
+
+                return 'external_idp'
             },
             onCredentialsDeleted: (handler: (type: CredentialsType) => void) => {
                 this.credentialsDeleteHandler = handler

runtimes/server-interface/auth.ts

@@ -5,7 +5,7 @@ export { IamCredentials, BearerCredentials, ConnectionMetadata }
 
 export type CredentialsType = 'iam' | 'bearer'
 export type Credentials = IamCredentials | BearerCredentials
-export type SsoConnectionType = 'builderId' | 'identityCenter' | 'none'
+export type SsoConnectionType = 'builderId' | 'identityCenter' | 'external_idp' | 'none'
 
 export interface CredentialsProvider {
     hasCredentials: (type: CredentialsType) => boolean