Merge pull request #375 from synfinatic/two-login

Support multiple SSO Instance sessions for the same instance

CHANGELOG.md

@@ -19,6 +19,8 @@
  * Added `Profile` to the list of default fields for the `list` command
  * `list` command can now generate a CSV
  * Renamed the `config` command to `config-profiles` to be less confusing
+ * You can now specify the same StartURL in multiple SSOConfig blocks so you
+    can authenticate as different users at the same time.
 
 ## [v1.8.1] - 2022-05-02
 

docs/config.md

@@ -83,23 +83,30 @@ EnvVarTags:
 
 ## SSOConfig
 
-This is the top level block for your AWS SSO instances.  Typically an organization
-will have a single AWS SSO instance for all of their accounts under a single AWS master
-payer account.  If you have more than one AWS SSO instance, then `Default` will be
-the default unless overridden with `DefaultSSO`.
+This is the top level block for your AWS SSO instances.  Typically an
+organization will have a single AWS SSO instance for all of their accounts
+under a single AWS master payer account.  If you have more than one AWS SSO
+instance, then `Default` will be the default unless overridden with
+`DefaultSSO`.
 
 The `SSOConfig` config block is required.
 
 ### StartUrl
 
-Each AWS SSO instance has a unique start URL hosted by AWS for interacting with your
-SSO provider (Okta/OneLogin/etc).  Should be in the format of `https://xxxxxxx.awsapps.com/start`.
+Each AWS SSO instance start URL hosted by AWS for interacting with your
+SSO provider (Okta/OneLogin/etc).  Should be in the format of
+`https://xxxxxxx.awsapps.com/start`.
+
+**Note:** If you need to authenticate as different users to the same
+AWS SSO Instance, you can specify multiple [SSOConfig](#ssoconfig) blocks
+with the same `StartUrl`.
 
 The `StartUrl` is required.
 
 ### SSORegion
 
-Each AWS SSO instance is configured in a specific AWS region which needs to be set here.
+Each AWS SSO instance is configured in a specific AWS region which needs to be
+set here.
 
 The `SSORegion` is required.
 

sso/awssso.go

@@ -51,6 +51,7 @@ type SsoAPI interface {
 }
 
 type AWSSSO struct {
+	key            string // key in the settings file that names us
 	sso            SsoAPI
 	ssooidc        SsoOidcAPI
 	store          storage.SecureStorage
@@ -79,6 +80,7 @@ func NewAWSSSO(s *SSOConfig, store *storage.SecureStorage) *AWSSSO {
 	})
 
 	as := AWSSSO{
+		key:            s.key,
 		sso:            ssoSession,
 		ssooidc:        oidcSession,
 		store:          *store,

sso/awssso_auth.go

@@ -67,7 +67,7 @@ func (as *AWSSSO) Authenticate(urlAction, browser string) error {
 
 // StoreKey returns the key in the cache for this AWSSSO instance
 func (as *AWSSSO) StoreKey() string {
-	return fmt.Sprintf("%s|%s", as.SsoRegion, as.StartUrl)
+	return as.key
 }
 
 // reauthenticate talks to AWS SSO to generate a new AWS SSO AccessToken

sso/awssso_auth_test.go

@@ -92,11 +92,12 @@ func (m *mockSsoOidcAPI) CreateToken(ctx context.Context, params *ssooidc.Create
 
 func TestStoreKey(t *testing.T) {
 	as := &AWSSSO{
+		key:       "atest",
 		SsoRegion: "us-west-1",
 		StartUrl:  "https://testing.awsapps.com/start",
 	}
 
-	assert.Equal(t, "us-west-1|https://testing.awsapps.com/start", as.StoreKey())
+	assert.Equal(t, "atest", as.StoreKey())
 }
 
 func TestAuthenticateSteps(t *testing.T) {

sso/settings.go

@@ -74,6 +74,7 @@ type Settings struct {
 
 type SSOConfig struct {
 	settings      *Settings              // pointer back up
+	key           string                 // our key in Settings.SSO[]
 	SSORegion     string                 `koanf:"SSORegion" yaml:"SSORegion"`
 	StartUrl      string                 `koanf:"StartUrl" yaml:"StartUrl"`
 	Accounts      map[string]*SSOAccount `koanf:"Accounts" yaml:"Accounts,omitempty"` // key must be a string to avoid parse errors!
@@ -181,6 +182,11 @@ func LoadSettings(configFile, cacheFile string, defaults map[string]interface{},
 
 	s.setOverrides(override)
 
+	// set our SSO names
+	for k, v := range s.SSO {
+		v.key = k
+	}
+
 	if _, ok := s.SSO[s.DefaultSSO]; !ok {
 		// Select our SSO Provider
 		if len(s.SSO) == 0 {