SSOAWSCredentials does not work behind an authenticated proxy #4027

@Evolva

Describe the bug

Unable to call any AWS services using SSOAWSCredentials behind an authenticated proxy

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Code in Reproduction Steps should be able to call S3

Current Behavior

The code in Reproduction Steps throws a System.Net.Http.HttpRequestException: "The proxy tunnel request to proxy 'http://your-authenticated-proxy//' failed with status code '407'."

Reproduction Steps

⚠️ Delete existing sso cache files in folder %USERPROFILE%\.aws\sso\cache if any ⚠️

using System.Diagnostics;
using System.Net;
using Amazon;
using Amazon.Runtime;
using Amazon.S3;

// Authenticated proxy, using the current Windows identity for proxy auth.
var proxy = new WebProxy
{
    Address = new Uri("http://your-authenticated-proxy/"),
    UseDefaultCredentials = true
};

AWSConfigs.LoggingConfig.LogTo = LoggingOptions.Console;

var s3Client = new AmazonS3Client(
    new SSOAWSCredentials(
        accountId: "your-account-id",
        region: "eu-west-1",
        roleName: "your-role-name",
        startUrl: "your-start-url",
        options: new SSOAWSCredentialsOptions
        {
            ClientName = "test-sso-aws-creds",
            // Proxy to be used by the SSO credential flow.
            ProxySettings = proxy,
            SupportsGettingNewToken = true,
            // Open the device-authorization page in the default browser.
            SsoVerificationCallback = arg =>
            {
                Process.Start(new ProcessStartInfo(arg.VerificationUriComplete)
                {
                    UseShellExecute = true
                });
            },
        }
    ),
    // Proxy for the S3 client itself.
    new AmazonS3Config
    {
        RegionEndpoint = RegionEndpoint.EUWest1,
        ProxyHost = proxy.Address.Host,
        ProxyPort = proxy.Address.Port,
        ProxyCredentials = proxy.Credentials
    });

var result = await s3Client.ListBucketsAsync();

Possible Solution

Using the GlobalRuntimeDependencyRegistry (as below) is a workaround for the issue:

GlobalRuntimeDependencyRegistry.Instance.RegisterSSOOIDCClient(
    new AmazonSSOOIDCClient(
        new AmazonSSOOIDCConfig
        {
            RegionEndpoint = RegionEndpoint.EUWest1,
            ProxyHost = proxy.Address.Host,
            ProxyPort = proxy.Address.Port,
            ProxyCredentials = proxy.Credentials
        }));

The root cause seems to be that

protected virtual ICoreAmazonSSOOIDC_V2 CreateSSOOIDC_V2Client(string region,
#if BCL
    WebProxy proxySettings = null
#elif NETSTANDARD
    IWebProxy proxySettings = null
#endif
)
{
    return SSOServiceClientHelpers.BuildSSOIDC_V2Client(RegionEndpoint.GetBySystemName(region), proxySettings);
}

is never called with proxySettings:

var ssooidc_V2Client = CreateSSOOIDC_V2Client(options.Region);

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

AWSSDK.SSO 4.0.1.6
AWSSDK.SSOOIDC 4.0.2.3

Targeted .NET Platform

.NET 8

Operating System and version

Windows 11
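
Added example, not part of the original report and not SDK code: a stand-alone probe that sends one HTTPS request through the proxy with and without proxy credentials, to confirm that the 407 above is what any client built without the proxy's credentials gets. The proxy address is the report's placeholder; the `oidc.eu-west-1.amazonaws.com` endpoint and the `ProxyAuthProbe` name are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Added diagnostic (assumption-based), independent of the AWS SDK.
static class ProxyAuthProbe
{
    // Placeholder proxy address taken from the report; replace with the real one.
    static readonly Uri ProxyUri = new Uri("http://your-authenticated-proxy/");
    // Assumed regional SSO OIDC endpoint for eu-west-1.
    static readonly Uri OidcEndpoint = new Uri("https://oidc.eu-west-1.amazonaws.com/");

    static async Task<string> ProbeAsync(bool sendProxyCredentials)
    {
        // UseDefaultCredentials = false leaves proxy.Credentials null, which is
        // the situation of a client that was built without the proxy settings.
        var proxy = new WebProxy(ProxyUri) { UseDefaultCredentials = sendProxyCredentials };
        using var handler = new HttpClientHandler { Proxy = proxy, UseProxy = true };
        using var client = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(15) };
        try
        {
            // Any HTTP status from the endpoint means the CONNECT tunnel was granted.
            using var response = await client.GetAsync(OidcEndpoint);
            return $"tunnel established, endpoint answered HTTP {(int)response.StatusCode}";
        }
        catch (HttpRequestException ex)
        {
            // A refused CONNECT (e.g. status 407) surfaces here.
            return $"request failed: {ex.Message}";
        }
        catch (TaskCanceledException)
        {
            return "request timed out";
        }
    }

    static async Task Main()
    {
        Console.WriteLine("without proxy credentials: " + await ProbeAsync(false));
        Console.WriteLine("with default credentials:  " + await ProbeAsync(true));
    }
}
```

If only the first probe fails with the proxy tunnel 407 message, the proxy and the endpoint are reachable and the failure is limited to clients that do not carry the proxy credentials.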
