Description
Is your feature request related to a problem? Please describe.
I've been using the plain aws sso login for a little while. I only had one AWS account, so I wasn't bothered by its limitations and I had configured my identity center instance to have a duration of multiple days instead of the default 8 hours. (docs)
Now I have multiple AWS accounts, which led me to this tool. It solves my problems with things like aws-sso setup profiles but now my SSO session duration is fixed to 8 hours. Instead of logging into AWS once per week, I'm now having to log in once or twice a day.
Describe the solution you'd like
I'd like aws-sso login to respect the session duration setting in IAM identity center.
Additional context
I've used the plain aws sso login in the long-ago past, so I remember being stuck to the eight hour duration. I was pleasantly surprised when, a few months ago, I tried it again and noticed the flow was smoother by no longer asking me to validate a device code every time and supported longer durations. So now, using aws-sso I notice that the flow is similar to how the aws-cli package used to behave.
So now I wondered: "Is the aws-cli using a newer api?" I compared aws sso login --debug logs with the source code in this project and it looks like you're calling the same API actions, but I did notice that the aws-cli has refresh tokens in its responses. So obviously something is different, because aws-sso doesn't save any refresh tokens into its store in the keychain. Digging deeper into some docs, I found this little note in the API docs:
With older versions of the AWS CLI, the service only emits OIDC access tokens, so to obtain a new token, users must explicitly re-authenticate. To access the OIDC flow that supports token refresh and doesn’t require re-authentication, update to the latest AWS CLI version (1.27.10 for AWS CLI V1 and 2.9.0 for AWS CLI V2) with support for OIDC token refresh and configurable IAM Identity Center session durations.
I like seeing version numbers, so I went there to see if something stood out. There's a commit in v2.9, but it doesn't actually change the login call, it focuses on updating the aws configure sso command.
I started to give up here, but curiosity got the better of me. I ended up reading through more python code than my sanity asked for and came across a reference to a legacy format (1) positioned nicely next to a non-legacy reference (2). The legacy format appears to not have a name, but more importantly it is also lacking the "registration_scopes" property.
Looking in the source, I see that Scopes is set to nil when calling register client:
aws-sso-cli/internal/sso/awssso_auth.go (line 167 in 5c1f920):
    Scopes: nil,
Looking at what I had in my ~/.aws/config file, I see that I've got this line: sso_registration_scopes = sso:account:access. Rerunning aws configure sso, it looks like this is the default value it recommends.
But before I left this ticket here, I did a bit of googling to see if I could figure out what that property was for or if it could do anything. The RegisterClient api docs were painfully unhelpful, but sso_registration_scopes led me to a generic SDK tools page that dropped this golden nugget:
A minimum scope of sso:account:access must be granted to get a refresh token back from the IAM Identity Center service.
So yeah, now I'm fairly confident that setting this property will make refresh tokens start coming back.
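The following is an added Go example, not code from the issue author or from the aws-sso-cli project, that shows the mechanism the issue describes end to end: the RegisterClient request carries the registration scopes, the device-code CreateToken response carries a refresh token only when sso:account:access was registered, and that refresh token can then be exchanged with grantType refresh_token without sending the user back to the browser. It talks to an in-process fake of the SSO OIDC endpoints (an assumption: it only reproduces the scope rule quoted above and validates nothing else) and uses a constructed device code, so StartDeviceAuthorization and the browser step are skipped. The JSON field names follow the SSO OIDC REST API; the client name, token values and "secret-"/"client-" identifiers are made up for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Wire shapes of RegisterClient (POST /client/register) and CreateToken (POST /token), cut to the fields used here.
type (
	registerReq struct {
		ClientName string   `json:"clientName"`
		ClientType string   `json:"clientType"`
		Scopes     []string `json:"scopes,omitempty"` // nil is what aws-sso-cli sends today
	}
	ClientCreds struct { // what RegisterClient returns and every CreateToken call must carry
		ClientID     string `json:"clientId"`
		ClientSecret string `json:"clientSecret"`
	}
	tokenReq struct {
		ClientCreds
		GrantType    string `json:"grantType"`
		DeviceCode   string `json:"deviceCode,omitempty"`
		RefreshToken string `json:"refreshToken,omitempty"`
	}
	tokenResp struct {
		AccessToken  string `json:"accessToken"`
		RefreshToken string `json:"refreshToken,omitempty"` // empty when none was issued
	}
)

const ScopeAccountAccess = "sso:account:access"
const grantDeviceCode = "urn:ietf:params:oauth:grant-type:device_code"
const grantRefreshToken = "refresh_token"

// post is the whole client side: JSON in, JSON out (a real client also checks the HTTP status and error field).
func post(url string, in, out interface{}) error {
	body, _ := json.Marshal(in)
	resp, err := http.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(out)
}

// fakeIdentityCenter simulates only the behaviour the issue quotes: the device-code grant yields a refresh
// token only if the client registered sso:account:access. It skips StartDeviceAuthorization and accepts
// any device code or client secret, so it is a stand-in for the service, not a model of it.
func fakeIdentityCenter() *httptest.Server {
	canRefresh := map[string]bool{} // clientId -> registered with sso:account:access
	serial := 0                     // callers are sequential here, so no locking
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		serial++
		if r.URL.Path == "/client/register" {
			var req registerReq
			_ = json.NewDecoder(r.Body).Decode(&req)
			id := fmt.Sprintf("client-%d", serial)
			for _, s := range req.Scopes {
				canRefresh[id] = canRefresh[id] || s == ScopeAccountAccess
			}
			json.NewEncoder(w).Encode(ClientCreds{ClientID: id, ClientSecret: "secret-" + id})
			return
		}
		var req tokenReq // POST /token
		_ = json.NewDecoder(r.Body).Decode(&req)
		out := tokenResp{AccessToken: fmt.Sprintf("access-%d", serial)}
		if (req.GrantType == grantDeviceCode && canRefresh[req.ClientID]) || req.GrantType == grantRefreshToken {
			out.RefreshToken = fmt.Sprintf("refresh-%d", serial) // rotated on every grant
		}
		json.NewEncoder(w).Encode(out)
	}))
}

// RunFlow registers with the given scopes, logs in once and refreshes if a refresh token came back;
// refreshed is nil when none did, which is the situation the issue describes for Scopes: nil.
func RunFlow(scopes []string) (first, refreshed *tokenResp, err error) {
	srv := fakeIdentityCenter()
	defer srv.Close()
	var creds ClientCreds
	if err = post(srv.URL+"/client/register", registerReq{ClientName: "aws-sso-example", ClientType: "public", Scopes: scopes}, &creds); err != nil {
		return nil, nil, err
	}
	first = &tokenResp{} // the device code normally comes from StartDeviceAuthorization plus the browser step; constructed here
	if err = post(srv.URL+"/token", tokenReq{ClientCreds: creds, GrantType: grantDeviceCode, DeviceCode: "constructed-device-code"}, first); err != nil || first.RefreshToken == "" {
		return first, nil, err
	}
	refreshed = &tokenResp{}
	err = post(srv.URL+"/token", tokenReq{ClientCreds: creds, GrantType: grantRefreshToken, RefreshToken: first.RefreshToken}, refreshed)
	return first, refreshed, err
}

func main() {
	for _, scopes := range [][]string{nil, {ScopeAccountAccess}} {
		fmt.Println(RunFlow(scopes)) // first token, refreshed token (nil without the scope), error
	}
}
```

Running it prints one line per registration: with nil scopes the first token has no refreshToken and no refresh happens, with sso:account:access the refresh grant returns a new access token and a rotated refresh token. Against the real service the same two requests are what aws sso login sends once sso_registration_scopes is set, which is why storing the refresh token (and the clientId/clientSecret it is bound to) in the keychain is what lets a client outlive the 8 hour access token.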