feat: Bearer token auth #1637
feat: Bearer token auth #1637
Conversation
…zation & Add SSO bearer token identity resolver + Default chain resolver for bearer token identity.
…n AWS, with DefaultBearerTokenIdentityResolverChain.
…entityResolver field.
| @@ -0,0 +1,35 @@ | |||
| // | |||
There was a problem hiding this comment.
This is much like the default AWS credential identity resolver chain. Unlike it tho, this only has one resolver atm.
| @@ -0,0 +1,94 @@ | |||
| // | |||
There was a problem hiding this comment.
This token identity resolver fetches the access token from cached SSO token file.
| @@ -18,8 +18,11 @@ import software.amazon.smithy.swift.codegen.SwiftWriter | |||
| import software.amazon.smithy.swift.codegen.integration.ProtocolGenerator | |||
There was a problem hiding this comment.
Refactored to remove logic for getting auth schemes supported by the model and move it into smithy-swift. Refer to comment: https://github.com/smithy-lang/smithy-swift/pull/786/files#r1681867714
| override fun addAdditionalSchemes(writer: SwiftWriter, authSchemeList: Array<String>): Array<String> { | ||
| val effectiveAuthSchemes = ServiceIndex(ctx.model).getEffectiveAuthSchemes(ctx.service) | ||
|
|
||
| val sdkId = AuthSchemeResolverGenerator.getSdkId(ctx) | ||
| val servicesUsingSigV4A = arrayOf("S3", "EventBridge", "CloudFrontKeyValueStore") | ||
| val sdkId = AuthSchemeResolverGenerator.getSdkId(ctx) | ||
| val servicesUsingSigV4A = arrayOf("S3", "EventBridge", "CloudFrontKeyValueStore") | ||
| var updatedAuthSchemeList = authSchemeList | ||
|
|
||
| if (effectiveAuthSchemes.contains(SigV4Trait.ID)) { | ||
| authSchemeList += writer.format("\$N()", AWSSDKHTTPAuthTypes.SigV4AuthScheme) | ||
| } | ||
| if (effectiveAuthSchemes.contains(SigV4ATrait.ID) || servicesUsingSigV4A.contains(sdkId)) { | ||
| authSchemeList += writer.format("\$N()", AWSSDKHTTPAuthTypes.SigV4AAuthScheme) | ||
| } | ||
| return "[${authSchemeList.joinToString(", ")}]" | ||
| if (effectiveAuthSchemes.contains(SigV4Trait.ID)) { | ||
| updatedAuthSchemeList += writer.format("\$N()", AWSSDKHTTPAuthTypes.SigV4AuthScheme) | ||
| } | ||
| if (effectiveAuthSchemes.contains(SigV4ATrait.ID) || servicesUsingSigV4A.contains(sdkId)) { | ||
| updatedAuthSchemeList += writer.format("\$N()", AWSSDKHTTPAuthTypes.SigV4AAuthScheme) | ||
| } | ||
|
|
||
| return updatedAuthSchemeList |
There was a problem hiding this comment.
Handles detecting and adding the SigV4 / SigV4A auth schemes to list of auth schemes supported by the service.
| "bearerTokenIdentityResolver" -> { | ||
| ConfigProperty( | ||
| "bearerTokenIdentityResolver", | ||
| SmithyIdentityTypes.BearerTokenIdentityResolver.toGeneric(), | ||
| { it.format("\$N()", AWSSDKIdentityTypes.DefaultBearerTokenIdentityResolverChain) }, | ||
| true | ||
| ) |
There was a problem hiding this comment.
The default value for bearerTokenIdentityResolver field of the client config was StaticBearerTokenIdentityResolver in smithy-swift, but over here in aws-sdk-swift, it has to be the default chain instead. Hence this override.
| private val authSchemesDefaultProvider = DefaultProvider( | ||
| { getModeledAuthSchemesSupportedBySDK(ctx, it) }, | ||
| isThrowable = false, | ||
| isAsync = false | ||
| ) | ||
|
|
There was a problem hiding this comment.
Moved to AuthUtils in smithy-swift.
| @@ -28,16 +28,20 @@ class AuthSchemePlugin(private val serviceConfig: ServiceConfig) : Plugin { | |||
| writer.write("private var authSchemes: \$N", SmithyHTTPAuthAPITypes.AuthSchemes.toOptional()) | |||
There was a problem hiding this comment.
Changes in this file are just adding bearerTokenIdentityResolver field as one of the new fields configurable by the auth scheme plugin.
| @@ -1,7 +1,8 @@ | |||
| package software.amazon.smithy.aws.swift.codegen.plugins | |||
|
|
|||
There was a problem hiding this comment.
Changes in this file are just adding bearerTokenIdentityResolver field as one of the new fields configurable by the auth scheme plugin.
| @@ -18,6 +18,7 @@ object AWSSDKIdentityTypes { | |||
| val AWSEndpointsRequestContext = runtimeSymbol("AWSEndpointsRequestContext") | |||
There was a problem hiding this comment.
The new runtime type, but in codegen side.
Companion PR: smithy-lang/smithy-swift#786
Issue #
#1083
Description of changes
Refer to comments on github diff
Manual testing steps
To test this locally, first set up your IAM Identity Center (doc link) & AWS CodeCatalyst (doc link).
Then, configure your config file to contain the following:
Then, run
on the terminal. This will open a browser tab for you to authorize your AWS account to be accessed by CodeCatalyst.
Successful previous step creates a token file at path
~/.aws/sso/cache/<sha-1-hash-of-sso-sesion-name>.json.In CLITool, use
CodeCatalyst::VerifySessionAPI by simply doing the following:Observe that the server accepts bearer auth and returns the ID successfully.
New/existing dependencies impact assessment, if applicable
Conventional Commits
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.