
auth: OIDC login UX (include code in login URL) #3248

Closed
rbtcollins opened this issue Mar 17, 2023 · 2 comments
Labels
auth-credentials authentication, authorization, credentials, AWS Builder ID, sso feature-request New feature or enhancement. May require GitHub community feedback. pending-release security

Comments

@rbtcollins

rbtcollins commented Mar 17, 2023

Following on from #3229 (comment)

The extension used to have this behavior but this was removed in #3148 due to phishing/security concerns.

I don't think the current behaviour addresses the phishing concern: The phishing concern referenced is that a code flow can be initiated on a device the attacker controls, e.g. by presenting a URL to the user in email, and then the mitigations talk about what the SSO portal should do to ensure that the user is actually in possession of the 'device' in question.

For this VSCode extension, the device is VSCode itself. But since VSCode can show URLs, a malicious extension can almost certainly trigger a URL to be presented that requests device code authorisation from the user. In this scenario the AWS extension isn't even involved (except perhaps by being present it increases the false confidence the user might have in the code request).

The recommended mitigations are to get the user to check that they can see the code they are requesting on the device they think they are approving.

Something like:

  • show the code in the AWS extension UI rather than just in the debug output
  • on the portal, rather than asking 'authorise <client> to access <scopes>', the confirmation prompt should be 'authorise <client>, which is showing code <CODE>, to access <scopes>'. Or some similar thing.

tl;dr: The code not being included in the request by the vscode extension doesn't mitigate the security concerns at all; that needs to be done with changes to the portal and the extension UI.

Note that the aws sso login is also significantly vulnerable to this problem, though it already shows the code clearly, but the portal lets things down.

@rbtcollins rbtcollins added the feature-request New feature or enhancement. May require GitHub community feedback. label Mar 17, 2023
@JadenSimon
Contributor

Thanks for the request! I've notified relevant parties.

@JadenSimon JadenSimon added the auth-credentials authentication, authorization, credentials, AWS Builder ID, sso label Mar 17, 2023
@justinmk3 justinmk3 changed the title Re-introduce code inclusion in login URL auth: improve OIDC login UX (include code in login URL) Mar 20, 2023
@justinmk3 justinmk3 changed the title auth: improve OIDC login UX (include code in login URL) auth: OIDC login UX (include code in login URL) Mar 20, 2023
@justinmk3
Contributor

open https://.../?user_code=XXXX-YYYY, which automatically applies the code.

That behavior is now implemented in AWS Toolkit 1.90.

Thanks for your feedback on this!

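The two comments above describe a device authorization flow (RFC 8628) and two mitigations for the "flow started on the attacker's device" phishing case: the portal's confirmation prompt names the user code, the client shows that code in its own UI, and the login URL carries the code so the portal pre-fills it. The simulation below, added here as an illustration and not code from this issue, from AWS Toolkit or from AWS SSO, runs both sides of that exchange offline. The `AuthorizationServer` class is a stand-in for the portal and token endpoint (method calls instead of HTTP); the hostname `https://device.sso.example/`, the client id `vscode-toolkit`, the scope string, the prompt wording and the `FakeClock` are all assumptions made for the example. `user_decides` is the human check the mitigation relies on: approve only when the code the portal names is the one your own editor is displaying.

```python
# Device authorization grant (RFC 8628) with the user-code cross-check the issue
# asks for. Self-contained simulation: AuthorizationServer stands in for the SSO
# portal and token endpoint and is NOT AWS's implementation; nothing here is
# AWS Toolkit code. Hostname, client id, scope and prompt wording are assumed.
import secrets
import string
from urllib.parse import urlencode

class DeviceFlowError(Exception):
    """Carries the RFC 8628 error code string returned by the token endpoint."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code

class FakeClock:
    """Lets the polling loop run offline without real sleeps (assumed helper)."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds

def build_login_url(verification_uri, user_code):
    """What justinmk3 describes: the code rides in the URL so the portal pre-fills
    it (RFC 8628 calls this verification_uri_complete)."""
    return verification_uri + "?" + urlencode({"user_code": user_code})

def user_decides(prompt_code, code_in_my_editor):
    """The human check the mitigation relies on: approve only if the code the portal
    names is the one my own client is displaying. A flow my editor did not start
    (a URL that arrived by email) shows no code there, so it is declined."""
    return code_in_my_editor is not None and prompt_code == code_in_my_editor

class AuthorizationServer:
    """Toy portal + token endpoint. Real ones speak HTTP; here they are method calls."""
    def __init__(self, verification_uri="https://device.sso.example/", interval=1, lifetime=600):
        self.verification_uri, self.interval, self.lifetime = verification_uri, interval, lifetime
        self._pending, self._by_user_code, self._last_poll = {}, {}, {}

    def start_device_authorization(self, client_id, scopes, now):
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(8))
        user_code = raw[:4] + "-" + raw[4:]          # human-comparable XXXX-YYYY shape
        rec = {"client_id": client_id, "scopes": scopes,
               "expires_at": now + self.lifetime, "approved": False}
        self._pending[device_code] = self._by_user_code[user_code] = rec
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "verification_uri_complete": build_login_url(self.verification_uri, user_code),
                "expires_in": self.lifetime, "interval": self.interval}

    def confirmation_prompt(self, user_code):
        """Prompt wording rbtcollins proposes: it names the code, not only client and scopes."""
        rec = self._by_user_code[user_code]
        return (f"Authorise {rec['client_id']}, which is showing code {user_code}, "
                f"to access {' '.join(rec['scopes'])}?")

    def approve(self, user_code):
        self._by_user_code[user_code]["approved"] = True

    def create_token(self, device_code, now):
        """Token endpoint: returns a token or raises with an RFC 8628 error code."""
        rec = self._pending.get(device_code)
        if rec is None:
            raise DeviceFlowError("invalid_grant")
        if now >= rec["expires_at"]:
            raise DeviceFlowError("expired_token")
        last, self._last_poll[device_code] = self._last_poll.get(device_code), now
        if last is not None and now - last < self.interval:
            raise DeviceFlowError("slow_down")
        if not rec["approved"]:
            raise DeviceFlowError("authorization_pending")
        del self._pending[device_code]
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def poll_for_token(server, device_code, interval, clock, max_polls=50):
    """Client polling loop; returns None if the user never approves in time."""
    delay = interval
    for _ in range(max_polls):
        try:
            return server.create_token(device_code, clock.now())
        except DeviceFlowError as err:
            if err.code == "slow_down":
                delay += 5                  # RFC 8628: back off by 5 s
            elif err.code != "authorization_pending":
                raise                       # expired_token, invalid_grant, ...
        clock.sleep(delay)
    return None

def login(server, clock, code_shown_in_editor_for):
    """One login attempt. code_shown_in_editor_for(user_code) returns what the user's
    own editor displays: the same code when it started the flow, None when an
    attacker started the flow elsewhere and only the URL reached the user."""
    resp = server.start_device_authorization("vscode-toolkit", ["sso:account:access"], clock.now())
    server.confirmation_prompt(resp["user_code"])    # portal page reached via verification_uri_complete
    if user_decides(resp["user_code"], code_shown_in_editor_for(resp["user_code"])):
        server.approve(resp["user_code"])
    return poll_for_token(server, resp["device_code"], resp["interval"], clock, max_polls=3)
```

`login(server, clock, lambda code: code)` models the legitimate case and yields a token; `login(server, clock, lambda code: None)` models the emailed-URL case, where the editor shows no pending code, the user declines, and polling ends with no token. Note that dropping `user_code` from the URL changes nothing in either path: the defence lives entirely in the prompt naming the code and the user comparing it against their own client.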
3 participants