Skip to content

fix: UTF-8 encoding for MCP config files (#10452) and --redirect-port for sso login (#10433)#10456

Open
Hardikrepo wants to merge 1 commit into
aws:v2from
Hardikrepo:v2
Open

fix: UTF-8 encoding for MCP config files (#10452) and --redirect-port for sso login (#10433)#10456
Hardikrepo wants to merge 1 commit into
aws:v2from
Hardikrepo:v2

Conversation

@Hardikrepo

Copy link
Copy Markdown

Summary

Fix #10452 — MCP config files fail to read/write on non-English Windows (CP932 encoding)

Root cause: DetectedAgent._read_mcp_config() and _write_mcp_config() in
awscli/customizations/agenttoolkit/agents.py called open() without specifying
an encoding. On non-English Windows (e.g. Japanese), Python defaults to the system
locale codec (CP932), which cannot decode UTF-8 multibyte characters such as the
em-dash (U+2014, 0xE2 0x80 0x94 in UTF-8) commonly found in MCP config files
like ~/.claude.json. This caused a UnicodeDecodeError and aborted the
aws configure agent-toolkit flow.

Fix: Explicitly pass encoding='utf-8' to both open() calls so MCP config
files are always read and written as UTF-8 regardless of the system locale.


Fix #10433 — Allow custom localhost port for PKCE redirect URI in aws sso login

Root cause: The PKCE callback server (AuthCodeFetcher) always bound to a
randomly assigned OS port (HTTPServer(('', 0), ...)). Users on remote machines
accessed over SSH cannot pre-configure port forwarding without knowing the port
in advance, forcing them to fall back to the less ergonomic --use-device-code flow.

Fix:

  • Added --redirect-port <int> CLI argument to aws sso login
  • Added sso_redirect_port config key support in ~/.aws/config under [sso-session]
  • AuthCodeFetcher.__init__() now accepts an optional port parameter (default 0 preserves existing random-port behaviour)
  • Port resolution order: --redirect-port arg → sso_redirect_port config key → random port

Example usage:

# Pre-configure SSH tunnel
ssh -L 34535:127.0.0.1:34535 remote-host

# Then on the remote host
aws sso login --redirect-port 34535

Or via ~/.aws/config:

[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_redirect_port = 34535

Files Changed

File Change
awscli/customizations/agenttoolkit/agents.py Add encoding='utf-8' to both open() calls
awscli/customizations/sso/utils.py Add redirect-port to LOGIN_ARGS; add port param to AuthCodeFetcher; add redirect_port param to do_sso_login()
awscli/customizations/sso/login.py Resolve redirect port from arg → config → random and pass to do_sso_login()
tests/unit/customizations/agenttoolkit/test_agents.py 2 regression tests for UTF-8 round-trip with em-dash
tests/unit/customizations/sso/test_utils.py 3 tests: default random port, fixed port, port forwarded through do_sso_login()

Test plan

  • aws configure agent-toolkit completes without error on Japanese Windows when ~/.claude.json contains an em-dash
  • aws sso login --redirect-port 34535 binds callback server to port 34535
  • aws sso login without --redirect-port continues to use a random port (no regression)
  • sso_redirect_port = 34535 in ~/.aws/config is honoured when --redirect-port is not specified
  • All existing unit tests pass

…redirect-port to sso login for SSH tunnel support (aws#10433)

- agents.py: open MCP config files with encoding='utf-8' in both
  _read_mcp_config and _write_mcp_config to prevent UnicodeDecodeError
  on non-English Windows environments (e.g. Japanese CP932) when the
  config contains UTF-8 multibyte characters such as em-dash (U+2014)
- utils.py: add redirect-port to LOGIN_ARGS; add port param to
  AuthCodeFetcher.__init__() and redirect_port param to do_sso_login()
- login.py: resolve redirect_port from --redirect-port arg first, then
  fall back to sso_redirect_port config key, then random port
- tests: regression tests for both fixes
@Hardikrepo Hardikrepo requested a review from a team as a code owner June 29, 2026 18:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant