How to skip "Allow ClientName to access your data?" screen in SSO with PKCE, or remove the timestamp in the ClientName? #3762
When the internal spec for this component was written, the section on client name said "This MAY also include a timestamp to indicate when the client was registered", so we added the suffix while the CLI didn't. We may not be able to just remove it as other consumers of the SDK (specifically the AWS Tools for PowerShell and AWS Toolkit for Visual Studio - which are also implementing the login process) could be depending on it indirectly (e.g. by caching via client name) - this would need to be opt-in. You could convert this to a feature request (and even contribute an implementation if this is a blocker for your use case), this is the place: https://github.com/aws/aws-sdk-net/blob/development/sdk/src/Core/Amazon.Runtime/Credentials/Internal/_bcl%2Bnetstandard/SSOTokenManager.cs#L724 (I do need to emphasize this class is in the |
Newer AWS CLI versions use the PKCE flow to authenticate through SSO. This simplifies the login process by skipping the device code check and the "Allow ClientName to access your data?" screen.
If you run `aws sso logout`, then `aws sso login`, you end up on the "Request approved" page directly, without any intermediary questions:
I'd like to have the same behavior for my app, so I implemented the PKCE flow with the AWS SDK. The problem is that I always get the following screen in the process, even if the client was already approved in the past:
The rest of the process works fine, but I couldn't find a way to bypass this screen and get the more straightforward behavior like the one of the CLI. The files in `.aws\sso\cache` look very similar to each other.
I suppose this may be related to the timestamp the SDK adds to the ClientName. When I set `SSOAWSCredentialsOptions.ClientName` to `MyAppClientName`, the SDK changed it to `MyAppClientName-1744722911` in this example. As far as I can tell, there is currently no option to remove this timestamp in the SDK.
Is there something I'm missing or doing wrong, or do you think removing the timestamp from the ClientName would let an already-approved client's access persist?
In any case, I'd like to be able to remove this timestamp, as it looks weird to the end users.