AWS IAM Identity Center Support

[dkocher]

Resolves #13377.

• Support for Loopback IP address as OAuth Redirect URI. Resolves Support iOS URL scheme as redirect URI for OAuth with Google #17596. Allows to register http://localhost/ for CLI connection profiles without requiring users to enter the authorization code manually resolving CLI OAuth workflow never finishes with custom URI in redirect_url #13587.

[Copilot]

Pull request overview

Adds AWS IAM Identity Center (AWS SSO) support to the S3 integration by introducing an OIDC-based OAuth flow (with loopback redirect handling) and adapting the existing OAuth2 interceptor/service APIs to support the new workflow.

Changes:

• Introduces AWS IAM Identity Center credential acquisition for S3 using AWS SDK ssooidc + sso, including dynamic client registration and role credential retrieval.
• Adds a loopback HTTP callback provider for OAuth authorization codes and updates token listener notification semantics.
• Refactors OAuth2 fluent configuration APIs (with* → set*) and updates call sites across multiple protocols/sessions.

Reviewed changes

Copilot reviewed 30 out of 30 changed files in this pull request and generated 14 comments.

Show a summary per file

File	Description
webdav/src/main/java/ch/cyberduck/core/dav/DAVSession.java	Updates OAuth2 interceptor configuration method names (setRedirectUri, setFlowType).
storegate/src/main/java/ch/cyberduck/core/storegate/StoregateSession.java	Updates OAuth2 interceptor configuration method names (setRedirectUri, setParameter).
s3/src/test/resources/valid/.aws/credentials	Extends AWS CLI test fixture with SSO profile/session sections.
s3/src/test/resources/valid/.aws/cli/cache/f9eb64cf0dc746e9fe1398f73dcae2d212b24f5a.json	Removes cached SSO credential fixture (no longer used).
s3/src/test/java/ch/cyberduck/core/s3/S3CredentialsConfiguratorTest.java	Updates tests to validate reading SSO-related properties instead of cached SSO tokens.
s3/src/main/java/ch/cyberduck/core/sts/STSAssumeRoleWithWebIdentityCredentialsStrategy.java	Persists validated OAuth tokens before calling STS assume-role-with-web-identity.
s3/src/main/java/ch/cyberduck/core/sso/RegisterClientOAuth2RequestInterceptor.java	New interceptor that registers an IAM Identity Center OIDC client and performs OAuth for SSO.
s3/src/main/java/ch/cyberduck/core/sso/IdentityCenterCredentialsStrategy.java	New S3 credential strategy that exchanges SSO access token for role credentials.
s3/src/main/java/ch/cyberduck/core/sso/IdentityCenterAuthorizationService.java	New service wrapper to call GetRoleCredentials via AWS SSO API.
s3/src/main/java/ch/cyberduck/core/s3/S3Session.java	Chooses Identity Center strategy when protocol scopes include sso:account:access; updates OAuth interceptor setters.
s3/src/main/java/ch/cyberduck/core/s3/S3Protocol.java	Removes S3-specific token validation override.
s3/src/main/java/ch/cyberduck/core/s3/S3IAMProtocol.java	Adds a new S3 protocol identifier (s3-iam).
s3/src/main/java/ch/cyberduck/core/s3/S3CredentialsConfigurator.java	Changes AWS profile handling: keeps SSO properties instead of reading cached SSO tokens.
s3/pom.xml	Adds AWS SDK dependencies for aws-java-sdk-ssooidc and aws-java-sdk-sso.
onedrive/src/main/java/ch/cyberduck/core/onedrive/GraphSession.java	Updates OAuth2 interceptor configuration method names.
oauth/src/main/java/ch/cyberduck/core/oauth/OAuth2TokenListenerRegistry.java	Changes notify semantics to return boolean success/failure.
oauth/src/main/java/ch/cyberduck/core/oauth/OAuth2RequestInterceptor.java	Refactors to read tokens from Host each request; introduces overridable addAuthorizationHeader; renames fluent setters.
oauth/src/main/java/ch/cyberduck/core/oauth/OAuth2AuthorizationService.java	Refactors OAuth2 service to use setters/getters and exposes exchangeToken + prompt helper.
oauth/src/main/java/ch/cyberduck/core/oauth/LoopbackOAuth2AuthorizationCodeProvider.java	New loopback HTTP server provider for capturing OAuth authorization codes.
oauth/src/main/java/ch/cyberduck/core/oauth/BrowserOAuth2AuthorizationCodeProvider.java	Routes redirect URIs targeting loopback IP to the loopback provider.
hubic/src/main/java/ch/cyberduck/core/hubic/HubicSession.java	Updates OAuth2 interceptor configuration method names.
googlestorage/src/main/java/ch/cyberduck/core/googlestorage/GoogleStorageSession.java	Updates OAuth2 interceptor configuration method names.
googledrive/src/main/java/ch/cyberduck/core/googledrive/DriveSession.java	Updates OAuth2 interceptor configuration method names.
eue/src/main/java/ch/cyberduck/core/eue/EueSession.java	Updates OAuth2 interceptor configuration method names.
dropbox/src/main/java/ch/cyberduck/core/dropbox/DropboxSession.java	Updates OAuth2 interceptor configuration method names.
dracoon/src/main/java/ch/cyberduck/core/sds/SDSSession.java	Updates OAuth2 interceptor configuration method names and parameter setter usage.
deepbox/src/main/java/ch/cyberduck/core/deepbox/DeepboxSession.java	Updates OAuth2 interceptor configuration method names.
core/src/main/java/ch/cyberduck/core/Profile.java	Adds SSO-related profile property keys (sso_*).
box/src/main/java/ch/cyberduck/core/box/BoxSession.java	Updates OAuth2 interceptor configuration method names.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.