With older versions of the CLI, the service only emits OIDC access tokens, so to obtain a new token, users must explicitly re-authenticate. To access the OIDC flow that supports token refresh and doesn’t require re-authentication, update to the latest CLI version (1.27.10 for CLI V1 and 2.9.0 for CLI V2) with support for OIDC token refresh and configurable IAM Identity Center session durations. For more information, see Configure AWS access portal session duration.
How about updating the vendored botocore with support for refresh tokens? Might be related to #84 and #83
As I'm testing, the client can be initialized using scope sso:account:access, this seems to enable the refresh_token
The vendored_botocore module is just for the parts of botocore v2 that are squirreled away in the AWS CLI and not available via PyPI in botocore v1. In particular, the part supporting login. You're correct that aws-sso-util login and aws_sso_lib.login() currently don't work with new-style config, because I haven't updated it yet. But everything else uses vanilla boto3/botocore, and should handle new-style config just fine.
It's been on my list for a while to update, but I had planned to combine it with having aws-sso-util configure populate support new-style config as well, which is a more complicated UI change, and I should probably just do them separately.
I'm nearing the end of my time off, and I plan on fully re-engaging with all of my projects, but realistically it means nothing is going to be addressed until early next year.
Whilst comparing the vendored botocore in aws-sso-util and the current botocore I notice a few differences.
- botocore uses a grant type refresh_token for getting the token
- botocore renamed SSOTokenFetcher to SSOTokenProvider
- botocore is able to refresh the token
At:
https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html#singlesignon-CreateToken-request-refreshToken
There is a note to:
https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
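The refresh decision discussed in this thread, as an added sketch that is not part of the issue and is not code from aws-sso-util or botocore. It assumes cache entries use the field names shown (`expiresAt`, `refreshToken`, `clientId`, `clientSecret`, `registrationExpiresAt`), a 15-minute refresh window, and a client object exposing the SSO OIDC `create_token` call; `StubOIDC` and `SAMPLE` are constructed so the block runs offline.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"              # UTC timestamp format assumed for the cache
REFRESH_WINDOW = timedelta(minutes=15)  # assumption: refresh this long before expiry
NEEDED = ("refreshToken", "clientId", "clientSecret", "registrationExpiresAt")

def _ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def refresh_if_needed(token, oidc_client, now=None):
    """Return (token, status); status is 'valid', 'refreshed' or 'reauth'."""
    now = now or datetime.now(timezone.utc)
    if _ts(token["expiresAt"]) - now > REFRESH_WINDOW:
        return token, "valid"
    # Old-style entries (access token only) and expired client registrations
    # cannot be refreshed; the token stays usable only until it expires.
    can_refresh = all(k in token for k in NEEDED) and \
        _ts(token["registrationExpiresAt"]) > now
    if not can_refresh:
        return token, "valid" if _ts(token["expiresAt"]) > now else "reauth"
    resp = oidc_client.create_token(
        clientId=token["clientId"],
        clientSecret=token["clientSecret"],
        grantType="refresh_token",
        refreshToken=token["refreshToken"],
    )
    renewed = dict(token, accessToken=resp["accessToken"],
                   expiresAt=(now + timedelta(seconds=resp["expiresIn"])).strftime(FMT))
    # Keep the old refresh token unless the service rotated it.
    renewed["refreshToken"] = resp.get("refreshToken", token["refreshToken"])
    return renewed, "refreshed"

class StubOIDC:
    """Constructed stand-in for boto3.client('sso-oidc'); records the request."""
    def create_token(self, **kwargs):
        self.request = kwargs
        return {"accessToken": "new-access", "expiresIn": 3600,
                "refreshToken": "new-refresh", "tokenType": "Bearer"}

# Constructed cache entry: ten minutes from expiry, registration still valid.
SAMPLE = {"accessToken": "old-access", "expiresAt": "2030-01-01T00:10:00Z",
          "refreshToken": "old-refresh", "clientId": "example-client-id",
          "clientSecret": "example-client-secret",
          "registrationExpiresAt": "2030-03-01T00:00:00Z"}

if __name__ == "__main__":
    at = datetime(2030, 1, 1, tzinfo=timezone.utc)
    print(refresh_if_needed(SAMPLE, StubOIDC(), now=at))
```

A cache entry written by a login without refresh support has none of the `NEEDED` fields, so it falls through to `reauth` once the access token expires.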