
feat: add OAuth Authorization Code + PKCE flow for SSO login #923

Open

dgilmanuni wants to merge 1 commit into fwdcloudsec:main from dgilmanuni:feat/authorization-code-pkce

Conversation

@dgilmanuni

Summary

Implements the OAuth Authorization Code Grant with PKCE flow for SSO login, matching the AWS CLI's Nov 2024 update. This replaces device code as the default login flow, providing a smoother UX by eliminating manual code entry — the browser redirects back automatically via a temporary localhost callback server.

  • Authorization code + PKCE is now the default for granted sso login and assume (when sso_session is configured)
  • Device code flow is preserved as fallback via --use-device-code flag or automatic headless detection (SSH, Docker, CI)
  • Browser-opening logic extracted into shared module used by both flows
  • Upgraded ssooidc SDK to v1.35.15 for authorization_code grant type support
  • Security hardened callback server: CSP headers, XSS prevention via html/template, CSRF state validation, sync.Once for idempotent callback, localhost-only binding

How it works

  1. Binds a temporary HTTP server on 127.0.0.1 with an ephemeral port
  2. Registers a public OIDC client with AWS for authorization_code grant
  3. Generates PKCE code verifier (32 bytes, crypto/rand) and S256 challenge per RFC 7636
  4. Opens browser to AWS authorize endpoint with state (CSRF) + PKCE challenge
  5. Receives authorization code via localhost redirect callback
  6. Exchanges code + verifier for tokens via CreateToken

Test plan

  • Unit tests for PKCE generation validated against RFC 7636 Appendix B test vectors
  • Callback handler tests: success, state mismatch, OAuth errors, missing code, XSS prevention, duplicate requests, method enforcement
  • Headless environment detection smoke test
  • Tested live against AWS IAM Identity Center SSO (us-east-2)
  • go build ./... and go test ./... pass

Closes #779

🤖 Generated with Claude Code

Replace the device code flow as the default SSO login method with the
Authorization Code Grant + PKCE flow, matching the AWS CLI's Nov 2024
update. This provides a smoother UX by skipping manual code entry —
the browser redirects back automatically via a temporary localhost
callback server.

The device code flow is preserved as a fallback via --use-device-code
flag or automatic headless environment detection (SSH, Docker, CI).

Key changes:
- New LoginWithAuthorizationCode function implementing RFC 7636 PKCE
- Extracted browser-opening logic into reusable browser.go module
- Headless environment detection for automatic flow selection
- Upgraded ssooidc SDK to v1.35.15 for authorization_code grant support
- Security headers (CSP, X-Content-Type-Options, X-Frame-Options) on
  callback pages
- Comprehensive tests including RFC 7636 test vectors and XSS prevention

Closes fwdcloudsec#779

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
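The flow laid out in the PR's "How it works" list (loopback listener on 127.0.0.1, crypto/rand verifier with an S256 challenge, state parameter, one-shot callback) and the test plan's RFC 7636 Appendix B check, as an added example written for this page. It is not code from this PR or from the granted project: the callback path, the response page, the header values and the `https://example.invalid/authorize` endpoint and client id in `main` are assumptions, and the OIDC client registration and `CreateToken` exchange against AWS are not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"html/template"
	"net"
	"net/http"
	"net/url"
	"sync"
)

type callbackResult struct { // delivered to the login flow: a code, or why the callback was rejected
	Code string
	Err  error
}

// verifierFromBytes: code_verifier = base64url(octets) without padding (RFC 7636 section 4.1).
func verifierFromBytes(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newCodeVerifier draws 32 bytes from crypto/rand (43 chars); also used to mint the CSRF state.
func newCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return verifierFromBytes(b), nil
}

// s256Challenge: code_challenge = base64url(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2).
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// buildAuthorizeURL assembles the authorization request carrying the CSRF state and PKCE challenge.
func buildAuthorizeURL(endpoint, clientID, redirectURI, state, challenge string) string {
	v := url.Values{"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"state": {state}, "code_challenge": {challenge}, "code_challenge_method": {"S256"}}
	return endpoint + "?" + v.Encode()
}

// html/template escapes anything the provider echoed back (e.g. error_description).
var resultPage = template.Must(template.New("r").Parse("<!doctype html><title>Login</title><p>{{.}}</p>"))

// newCallbackHandler accepts exactly one callback bound to expectedState. A wrong state is
// refused without consuming the one-shot, so a stray or forged request cannot deny the real one.
func newCallbackHandler(expectedState string) (http.Handler, <-chan callbackResult) {
	results := make(chan callbackResult, 1)
	var once sync.Once
	respond := func(w http.ResponseWriter, status int, msg string) {
		w.Header().Set("Content-Security-Policy", "default-src 'none'") // assumed values
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("X-Frame-Options", "DENY")
		w.WriteHeader(status)
		_ = resultPage.Execute(w, msg)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if r.Method != http.MethodGet {
			respond(w, http.StatusMethodNotAllowed, "method not allowed")
			return
		}
		if q.Get("state") != expectedState {
			respond(w, http.StatusBadRequest, "state mismatch")
			return
		}
		res := callbackResult{Code: q.Get("code")}
		if e := q.Get("error"); e != "" {
			res = callbackResult{Err: fmt.Errorf("authorization failed: %s: %s", e, q.Get("error_description"))}
		} else if res.Code == "" {
			res = callbackResult{Err: fmt.Errorf("missing authorization code")}
		}
		delivered := false
		once.Do(func() { results <- res; delivered = true }) // idempotent: later callbacks are refused
		switch {
		case !delivered:
			respond(w, http.StatusConflict, "callback already handled")
		case res.Err != nil:
			respond(w, http.StatusBadRequest, res.Err.Error())
		default:
			respond(w, http.StatusOK, "Signed in. You may close this window.")
		}
	}), results
}

func main() {
	verifier, _ := newCodeVerifier()
	state, _ := newCodeVerifier()
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only, ephemeral port
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	// Endpoint and client id are placeholders, not AWS values.
	fmt.Println(buildAuthorizeURL("https://example.invalid/authorize", "client-id-placeholder", "http://"+ln.Addr().String()+"/oauth/callback", state, s256Challenge(verifier)))
}
```

In a real login the handler is served from the listener `main` opens, the browser is sent to the printed URL, and the flow blocks on the results channel (with a timeout) before exchanging `Code` plus the verifier at the token endpoint. Rejecting a state mismatch before touching the `sync.Once` matters: any process on the machine can reach the loopback port, and a request with a bad state should neither be accepted nor be allowed to burn the single delivery the genuine redirect needs.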
@dgilmanuni (Author)

My main concern here is changing the default behavior - I can see an argument for making this an optional flag to start.



Development

Successfully merging this pull request may close these issues.

Add support for 'Authorization Code Grant with PKCE'
