
Multiple SSO instances + browser sessions issue #524

Closed
synfinatic opened this issue Aug 11, 2023 · 8 comments · Fixed by #545
Labels
bug Something isn't working
Comments

@synfinatic
Owner

If you have multiple SSO instances ($AWS_SSO) things aren't awesome, because your web browser has a cookie which is tied to your SSO provider. So if you are using the same SSO provider for multiple SSO instances you can't actually switch between them, because when you go through SSO and get your auth token, it is for the previous SSO provider instance, even if you do an `aws-sso flush -t sso`.

So we either need to revert #491 (to keep the cookies in their own browser session) or do something else? Seems like we need each SSO instance to specify its own container (or keep the default container).

@synfinatic synfinatic added the bug Something isn't working label Aug 11, 2023
@synfinatic synfinatic added this to the v1.13.0 milestone Aug 14, 2023
@synfinatic
Owner Author

Just noticed that the AWS SSO auth workflow is going through the default browser??? Does not honor the open-url-in-container or UrlExecCommand => Firefox and is using the default browser, Safari.

synfinatic added a commit that referenced this issue Aug 20, 2023
This basically reverts #491 and goes back to unique Firefox
containers for each SSO provider/AWS SSO instance.  The
AuthUrlAction does allow you to pick a single SSO instance
to use your default browser via `open` to re-use the existing
session cookies you might already have.

Fixes: #524
@amphied

amphied commented Aug 20, 2023

Hi @synfinatic this might be a niche use case, but I'd like to specify a different browser for auth. Is that something you could add here as well?

Example:

  • open auth in Chrome
  • open console sessions in Firefox with containers
  • (neither Chrome nor Firefox being the default browser)

@synfinatic
Owner Author

@amphied Can you explain why you want to use a 3rd browser for SSO auth? I get wanting to use the default browser for SSO auth (allows re-using an existing SSO session), but not a 3rd one.

@amphied

amphied commented Aug 21, 2023

@synfinatic I'd like to send the auth url to a script that relays it to a separate machine where my password safe and yubikey are located. Niche use case, I know :)

@synfinatic
Owner Author

So you have like two laptops? Or is one of them an EC2 or bastion host or something?

@amphied

amphied commented Aug 21, 2023

Thank you for taking the time and answering!

Two local machines.

I think adding an authUrlExecCommand similar to the authUrlAction would do the trick, but I'd completely understand if you consider this out of scope.

Without that I see two workarounds:

  1. setting `UrlExecCommand` to a script that determines how to proceed based on the URL
  2. setting the new config option `authUrlAction` to `open` and packaging my script into an .app so that it can be called with `open -a foo.app` (see open-golang) via the `Browser` config
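The first workaround above (a single `UrlExecCommand` script that inspects the URL and decides where to send it) and the original problem in this issue (one browser session per SSO instance, so that cookies for one $AWS_SSO instance do not bleed into another) can both be sketched as a small dispatcher. The script below is an added example written for this page; it is not code from aws-sso-cli or from either commenter. It assumes macOS `open -a`, that aws-sso-cli substitutes the URL for `%s` when invoking the `UrlExecCommand`, that SSO device-authorization URLs live under `*.awsapps.com/start` or `device.sso.<region>.amazonaws.com`, that console federation URLs live under `*.signin.aws.amazon.com`, and that the open-url-in-container Firefox extension accepts `ext+container:name=<container>&url=<url>`. All of those are assumptions, not facts established by the thread; check them against your own URLs and extension version before relying on the routing.

```bash
#!/usr/bin/env bash
# Hypothetical UrlExecCommand dispatcher for aws-sso-cli (example only, not project code).
# Routes SSO login URLs to one browser and console URLs to Firefox containers,
# one container per SSO instance so each instance keeps its own session cookies.
set -eu

AUTH_BROWSER="${AUTH_BROWSER:-Google Chrome}"   # browser holding the SSO login session / MFA
CONSOLE_BROWSER="${CONSOLE_BROWSER:-Firefox}"   # browser with the open-url-in-container extension
CONTAINER="${AWS_SSO:-Default}"                 # assumption: container name = $AWS_SSO instance name

# classify_url URL -> prints "auth", "console" or "unknown".
# Host patterns are assumptions about where AWS serves these flows.
classify_url() {
    case "$1" in
        https://*.awsapps.com/start*|https://device.sso.*.amazonaws.com/*) echo auth ;;
        https://*.signin.aws.amazon.com/*|https://signin.aws.amazon.com/*)  echo console ;;
        *) echo unknown ;;
    esac
}

# urlencode STRING -> percent-encodes everything except RFC 3986 unreserved characters.
# The URL must be encoded before it is embedded inside the ext+container: URL (ASCII input assumed).
urlencode() {
    local s="$1" i c out=""
    for ((i = 0; i < ${#s}; i++)); do
        c="${s:i:1}"
        case "$c" in
            [A-Za-z0-9.~_-]) out+="$c" ;;
            *) out+=$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# build_target URL -> prints the argument handed to the browser, or fails for unknown URLs.
build_target() {
    local url="$1"
    case "$(classify_url "$url")" in
        auth)    printf '%s' "$url" ;;
        console) printf 'ext+container:name=%s&url=%s' "$(urlencode "$CONTAINER")" "$(urlencode "$url")" ;;
        *)       return 1 ;;
    esac
}

# dispatch URL -> opens the URL in the browser chosen for its kind.
# Anything that is not a recognised https AWS URL is refused rather than opened,
# so a tampered or unexpected URL never reaches a browser that holds SSO cookies.
dispatch() {
    local url="$1" kind
    kind="$(classify_url "$url")"
    case "$kind" in
        auth)    exec open -a "$AUTH_BROWSER" "$(build_target "$url")" ;;
        console) exec open -a "$CONSOLE_BROWSER" "$(build_target "$url")" ;;
        *)       echo "refusing to open unexpected URL: $url" >&2; return 1 ;;
    esac
}

# aws-sso-cli (by assumption) calls this script with the URL as the single argument.
if [ -n "${1:-}" ]; then
    dispatch "$1"
fi
```

Because the URL is passed to `open` as one argument and never interpolated into a shell command line, a hostile URL cannot inject commands; the allow-list in `classify_url` is what keeps an unexpected URL from being opened in a browser that holds SSO cookies. Replacing `open -a` with `xdg-open` or a direct browser binary is the only change needed on Linux.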

@synfinatic
Owner Author

Thanks for explaining... I'm trying to think about the security ramifications of this. Do you mind opening a new ticket for the ask?

@amphied

amphied commented Aug 21, 2023

Thank you! Done: #550
