Add token refresh support to SSOCredentialProvider

[isaiahvita]

This PR adds support for token refresh to the SSOCredentialProvider (by using the SSOTokenProvider) while maintaining support for legacy SSO configurations (i.e. SSO configurations that do not use an sso-session but specify sso fields directly in a profile section of a shared config file)

Testing procedure:
Followed testing instructions by SDKs feature owner @alextwoods which included:

• running the sso login flow with the AWS CLI
• using the access token, calling S3 List Buckets on the configured AWS account
• when the access token expires, re-calling S3 List buckets and see it succeed with an updated expiration in the SSO cache

Additonally:
Fixes #1845
Fixes #1846

[sbiscigl]

nit pick: move sdk import with other sdk imports

[jasdel]

goimports is a good tool to do this automatically for you. https://pkg.go.dev/golang.org/x/tools/cmd/goimports

[syall]

Minor notes about the PR, add:

• More context in the description
• How the changes was tested (commands, etc.)
• How changes will impact customers (only due to the possible break/fix)

Also, try to keep the same style of checking for the empty string throughout the PR.

[syall]

nit: remove newline

[syall]

nit: add back newline

[syall]

CreateTokenAPIClient needs documentation comment

[syall]

nit: put oidcClient := ssooidc.NewFromConfig(cfgCopy) at the top of this comment block to keep with other validation done for TokenClient

Suggested change

	cachedPath, err := ssocreds.StandardCachedTokenFilepath(sharedConfig.SSOSession.Name)
	if err != nil {
	return err
	}
	oidcClient := ssooidc.NewFromConfig(cfgCopy)
	oidcClient := ssooidc.NewFromConfig(cfgCopy)
	cachedPath, err := ssocreds.StandardCachedTokenFilepath(sharedConfig.SSOSession.Name)
	if err != nil {
	return err
	}

[isaiahvita]

hmm im a bit confused at this requested change.

this validation:

		cachedPath, err := ssocreds.StandardCachedTokenFilepath(sharedConfig.SSOSession.Name)
		if err != nil {
			return err
		}

isnt operating on any input related to oidcClient := ssooidc.NewFromConfig(cfgCopy)

additionally, the cached path conditional checks to see if the existing token is valid before creating an oidc client. if the existing token is not valid, then there is not reason to create an oidc client, so it should happen after

[syall]

optFns does not seem to be used anywhere in this function.

[jasdel]

looks like this should of bee used as input for ssoidc.NewFromConfig?

[skmcgrail]

I believe these are function options to be passed to the token provider constructor function actually.

[isaiahvita]

This is a good catch. Because optFns are *ssocreds.SSOTokenProviderOptions, it cannot be passed into the ssooidc constructor and must be passed into the token provider constructor. This means that instead of adding a new field to the sso Options and passing the ssoidc client as an option into the sso constructor:

		options = append(options, func(o *ssocreds.Options) {
			o.TokenClient = oidcClient
			o.CachedTokenFilepath = cachedPath
		})

I must make the added field a *SSOTokenProvider and pass that as an option into the sso constructor
Ill push a new commit to this PR with that change.

[syall]

nit: add a comment about the new TokenClient workflow.

[syall]

nit: add a comment about cachedTokenFilepath workflow.

[syall]

Make sure this function that was removed is not referenced anywhere else.

[skmcgrail]

Since this is package private there is no concern for this being removed. If something else requires it within the package, then it wouldn't compile or pass tests.

[syall]

note: validation in general has become stricter for both the legacy and current format.

[jasdel]

goimports is a good tool to do this automatically for you. https://pkg.go.dev/golang.org/x/tools/cmd/goimports

[jasdel]

looks like this should of bee used as input for ssoidc.NewFromConfig?

[jasdel]

are the fmt.Sprintf needed here?

[isaiahvita]

ah right, its not. will remove

[skmcgrail]

I believe these are function options to be passed to the token provider constructor function actually.

[skmcgrail]

Since this is package private there is no concern for this being removed. If something else requires it within the package, then it wouldn't compile or pass tests.

[skmcgrail]

Can both exist within the same profile, and if so is there precedence? As that would change how you would want this validation to work.

[alextwoods]

Yes - both could exist in one profile (its unlikely, but someone who is migrating from legacy to new could have such a setup). If so - the new format should be used, and the sso_start_url and sso_region MUST match (ie, if there is a mismatch between the profile's sso_region and the sso-session's, then we should raise an error).

[isaiahvita]

@skmcgrail yes both can exist in the same profile. i intentionally check to see if the new configuration is present and valid. if it is valid, then it should be used and if it is not valid, then it should error (even if the legacy configuration is present and valid). is there another scenario in mind you might be thinking about thats not covered here?

also, regarding @alextwoods comment about matching sso_start_url and sso_region, i do that additional check here https://github.com/aws/aws-sdk-go-v2/pull/1903/files#diff-ad732dd8295a0ce04a495056007062e13a140b7f97f173004d0d6523545805d2R1120

[jasdel]

Probably should prefix this member with SSO in case there are other kinds of TokenProvider in the future. CachedTokenFilepath probably should of been prefixed with SSO as well, but that ship has passed.

[isaiahvita]

yah i was debating with myself on this and then just defaulted to the existing style in that file. but i agree adding SSO makes sense and i just made the change with a new commit