Failed to Authenticate #5518

Open
envygeeks opened this issue Mar 28, 2025 · 0 comments
Labels
bug We can reproduce the issue and confirmed it is a bug.

Describe the bug
Amazon Q Developer for JetBrains fails to authenticate with IAM Identity Center; CloudTrail reports AuthorizationPendingException.

To reproduce

  1. Have IAM Identity Center set up
  2. Create an SSO profile in your ~/.aws/config

     [profile envygeeks]
     sso-session = envygeeks
     sso_account_id = [Redacted]
     sso_start_url = https://[Redacted].awsapps.com/start
     sso_role_name = [Redacted]
     sso_region = us-east-1
     region = us-east-1
     output = json

  3. Attempt to authenticate in Amazon Q via SSO

Expected behavior
It to work

Your Environment

  • OS: macOS
  • JetBrains product: WebStorm
  • JetBrains product version: 2024.3.5
  • AWS Toolkit version: 3.61-243
  • SAM CLI version: aws-cli/2.24.20 Python/3.12.9 Darwin/24.3.0 source/arm64
  • JVM/Python version: Python 3.9.16

Additional context

{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "Unknown",
        "accountId": "[Redacted]",
        "principalId": "[Redacted]",
        "userName": "[Redacted]",
        "onBehalfOf": {
            "userId": "[Redacted]",
            "identityStoreArn": "arn:aws:identitystore::[Redacted]:identitystore/[Redacted]"
        },
        "credentialId": "[Redacted]"
    },
    "eventTime": "2025-03-28T07:17:39Z",
    "eventSource": "sso.amazonaws.com",
    "eventName": "CreateToken",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "[Redacted]",
    "userAgent": "aws-cli/2.24.20 md/awscrt#0.23.8 ua/2.1 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#sso.login",
    "errorCode": "AuthorizationPendingException",
    "requestParameters": {
        "clientId": "[Redacted]",
        "clientSecret": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "grantType": "urn:ietf:params:oauth:grant-type:device_code",
        "deviceCode": "X01IwslQ1m6eER63Ap2Nj0ZK0xgLNpBc2yxZpUgYxl-PrfAD6MvkTZQuOhsG7tiFoEPXW9pxC3OOqvyoaR7Z-Q",
        "platformSessionExpiryRequired": false
    },
    "responseElements": null,
    "requestID": "d7a2420a-59f8-4716-b7de-16f7eae22cda",
    "eventID": "[Redacted]",
    "readOnly": false,
    "resources": [
        {
            "accountId": "[Redacted]",
            "type": "IdentityStoreId",
            "ARN": "[Redacted]"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "[Redacted]",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "oidc.us-east-1.amazonaws.com"
    }
}
2025-03-28 02:32:53,622 [1936075] SEVERE - software.aws.toolkits.jetbrains.core.webview.LoginBrowser - Failed to authenticate: message: Ran into unknown error: java.util.concurrent.ExecutionException: software.amazon.awssdk.services.ssooidc.model.InvalidGrantException: invalid_grant: Invalid grant provided (Service: SsoOidc, Status Code: 400, Request ID: db7827e5-6559-4a6a-801a-4d09150d64c1); url: https://envygeeks.awsapps.com/start, region: AwsRegion(id=us-east-1, name=US East (N. Virginia), partitionId=aws), scopes: [codewhisperer:conversations, codewhisperer:transformations, codewhisperer:taskassist, codewhisperer:completions, codewhisperer:analysis]
java.util.concurrent.ExecutionException: software.amazon.awssdk.services.ssooidc.model.InvalidGrantException: invalid_grant: Invalid grant provided (Service: SsoOidc, Status Code: 400, Request ID: db7827e5-6559-4a6a-801a-4d09150d64c1)
	at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:396)
	at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2073)
	at software.aws.toolkits.jetbrains.core.credentials.sso.SsoAccessTokenProvider.pollForPkceToken(SsoAccessTokenProvider.kt:381)
	at software.aws.toolkits.jetbrains.core.credentials.sso.SsoAccessTokenProvider.accessToken(SsoAccessTokenProvider.kt:168)
	at software.aws.toolkits.jetbrains.core.credentials.sso.bearer.InteractiveBearerTokenProvider.reauthenticate(BearerTokenProvider.kt:188)
	at software.aws.toolkits.jetbrains.core.credentials.ToolkitAuthManagerKt.reauthConnectionIfNeeded$lambda$12$lambda$11(ToolkitAuthManager.kt:260)
	at software.aws.toolkits.jetbrains.utils.ThreadingUtilsKt.runUnderProgressIfNeeded(ThreadingUtils.kt:33)
	at software.aws.toolkits.jetbrains.core.credentials.ToolkitAuthManagerKt.reauthConnectionIfNeeded$lambda$12(ToolkitAuthManager.kt:258)
	at software.aws.toolkits.jetbrains.core.credentials.ToolkitAuthManagerKt.maybeReauthProviderIfNeeded(ToolkitAuthManager.kt:317)
	at software.aws.toolkits.jetbrains.core.credentials.ToolkitAuthManagerKt.reauthConnectionIfNeeded(ToolkitAuthManager.kt:256)
	at software.aws.toolkits.jetbrains.core.credentials.ToolkitAuthManagerKt.reauthConnectionIfNeeded$default(ToolkitAuthManager.kt:241)
	at software.aws.toolkits.jetbrains.core.credentials.LoginUtilsKt.authAndUpdateConfig$lambda$2(LoginUtils.kt:201)
	at software.aws.toolkits.jetbrains.core.credentials.DefaultToolkitAuthManager.tryCreateTransientSsoConnection(DefaultToolkitAuthManager.kt:90)
	at software.aws.toolkits.jetbrains.core.credentials.LoginUtilsKt.authAndUpdateConfig(LoginUtils.kt:200)
	at software.aws.toolkits.jetbrains.core.credentials.Login$IdC.doLogin(LoginUtils.kt:98)
	at software.aws.toolkits.jetbrains.core.credentials.Login$IdC.doLogin(LoginUtils.kt:70)
	at software.aws.toolkits.jetbrains.core.credentials.Login.login(LoginUtils.kt:50)
	at software.aws.toolkits.jetbrains.core.webview.LoginBrowser.loginIdC$lambda$10(LoginBrowser.kt:251)
	at software.aws.toolkits.jetbrains.core.webview.LoginBrowser$loginWithBackgroundContext$1$1$1.invokeSuspend$lambda$0(LoginBrowser.kt:380)
	at com.intellij.openapi.progress.CoroutinesKt.blockingContextInner(coroutines.kt:341)
	at com.intellij.openapi.progress.CoroutinesKt$blockingContext$2.invokeSuspend(coroutines.kt:233)
	at com.intellij.openapi.progress.CoroutinesKt$blockingContext$2.invoke(coroutines.kt)
	at com.intellij.openapi.progress.CoroutinesKt$blockingContext$2.invoke(coroutines.kt)
	at kotlinx.coroutines.intrinsics.UndispatchedKt.startUndispatchedOrReturn(Undispatched.kt:62)
	at kotlinx.coroutines.CoroutineScopeKt.coroutineScope(CoroutineScope.kt:261)
	at com.intellij.openapi.progress.CoroutinesKt.blockingContext(coroutines.kt:232)
	at software.aws.toolkits.jetbrains.core.webview.LoginBrowser$loginWithBackgroundContext$1$1$1.invokeSuspend(LoginBrowser.kt:379)
	at software.aws.toolkits.jetbrains.core.webview.LoginBrowser$loginWithBackgroundContext$1$1$1.invoke(LoginBrowser.kt)
	at software.aws.toolkits.jetbrains.core.webview.LoginBrowser$loginWithBackgroundContext$1$1$1.invoke(LoginBrowser.kt)
	at kotlinx.coroutines.intrinsics.UndispatchedKt.startUndispatchedOrReturn(Undispatched.kt:62)
	at kotlinx.coroutines.BuildersKt__Builders_commonKt.withContext(Builders.common.kt:163)
	at kotlinx.coroutines.BuildersKt.withContext(Unknown Source)
	at com.intellij.platform.util.progress.ProgressPipeImpl.collectProgressUpdates(ProgressPipe.kt:43)
	at com.intellij.openapi.progress.impl.PlatformTaskSupport$withBackgroundProgressInternalOld$2.invokeSuspend(PlatformTaskSupport.kt:157)
	at com.intellij.openapi.progress.impl.PlatformTaskSupport$withBackgroundProgressInternalOld$2.invoke(PlatformTaskSupport.kt)
	at com.intellij.openapi.progress.impl.PlatformTaskSupport$withBackgroundProgressInternalOld$2.invoke(PlatformTaskSupport.kt)
	at kotlinx.coroutines.intrinsics.UndispatchedKt.startUndispatchedOrReturn(Undispatched.kt:62)
	at kotlinx.coroutines.CoroutineScopeKt.coroutineScope(CoroutineScope.kt:261)
	at com.intellij.openapi.progress.impl.PlatformTaskSupport.withBackgroundProgressInternalOld(PlatformTaskSupport.kt:150)
	at com.intellij.openapi.progress.impl.PlatformTaskSupport.access$withBackgroundProgressInternalOld(PlatformTaskSupport.kt:57)
	at com.intellij.openapi.progress.impl.PlatformTaskSupport$withBackgroundProgressInternal$2.invokeSuspend(PlatformTaskSupport.kt:91)
	at com.intellij.openapi.progress.impl.PlatformTaskSupport$withBackgroundProgressInternal$2.invoke(PlatformTaskSupport.kt)
	at com.intellij.openapi.progress.impl.PlatformTaskSupport$withBackgroundProgressInternal$2.invoke(PlatformTaskSupport.kt)
	at kotlinx.coroutines.intrinsics.UndispatchedKt.startUndispatchedOrReturn(Undispatched.kt:62)
	at kotlinx.coroutines.CoroutineScopeKt.coroutineScope(CoroutineScope.kt:261)
	at com.intellij.openapi.progress.impl.PlatformTaskSupport.withBackgroundProgressInternal(PlatformTaskSupport.kt:89)
	at com.intellij.platform.ide.progress.TasksKt.withBackgroundProgress(tasks.kt:56)
	at com.intellij.platform.ide.progress.TasksKt.withBackgroundProgress(tasks.kt:21)
	at software.aws.toolkits.jetbrains.core.webview.LoginBrowser$loginWithBackgroundContext$1$1.invokeSuspend(LoginBrowser.kt:378)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:104)
	at kotlinx.coroutines.EventLoopImplBase.processNextEvent(EventLoop.common.kt:277)
	at kotlinx.coroutines.BlockingCoroutine.joinBlocking(Builders.kt:111)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking$BuildersKt__BuildersKt(Builders.kt:84)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking(Builders.kt:52)
	at kotlinx.coroutines.BuildersKt.runBlocking(Unknown Source)
	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking$default(Builders.kt:48)
	at kotlinx.coroutines.BuildersKt.runBlocking$default(Unknown Source)
	at software.aws.toolkits.jetbrains.core.webview.LoginBrowser.loginWithBackgroundContext$lambda$23(LoginBrowser.kt:377)
	at software.aws.toolkits.jetbrains.utils.ThreadingUtilsKt.pluginAwareExecuteOnPooledThread$lambda$4$lambda$3(ThreadingUtils.kt:88)
	at io.opentelemetry.context.Context.lambda$wrap$2(Context.java:224)
	at software.aws.toolkits.jetbrains.utils.ThreadingUtilsKt.pluginAwareExecuteOnPooledThread$lambda$4(ThreadingUtils.kt:88)
	at com.intellij.openapi.application.impl.AnyThreadWriteThreadingSupport$executeOnPooledThread$2.call(AnyThreadWriteThreadingSupport.kt:195)
	at com.intellij.util.concurrency.ContextCallable.lambda$call$1(ContextCallable.java:85)
	at com.intellij.util.concurrency.ContextCallable.call(ContextCallable.java:94)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
	at com.intellij.util.concurrency.ChildContext$runInChildContext$1.invoke(propagation.kt:103)
	at com.intellij.util.concurrency.ChildContext$runInChildContext$1.invoke(propagation.kt:103)
	at com.intellij.util.concurrency.ChildContext.runInChildContext(propagation.kt:109)
	at com.intellij.util.concurrency.ChildContext.runInChildContext(propagation.kt:103)
	at com.intellij.util.concurrency.ContextRunnable.run(ContextRunnable.java:27)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1$1.run(Executors.java:735)
	at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1$1.run(Executors.java:732)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:400)
	at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1.run(Executors.java:732)
	at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: software.amazon.awssdk.services.ssooidc.model.InvalidGrantException: invalid_grant: Invalid grant provided (Service: SsoOidc, Status Code: 400, Request ID: db7827e5-6559-4a6a-801a-4d09150d64c1)
	at software.amazon.awssdk.services.ssooidc.model.InvalidGrantException$BuilderImpl.build(InvalidGrantException.java:282)
	at software.amazon.awssdk.services.ssooidc.model.InvalidGrantException$BuilderImpl.build(InvalidGrantException.java:188)
	at software.aws.toolkits.jetbrains.core.credentials.sso.bearer.BearerTokenProviderKt$ssoOidcClientConfigurationBuilder$1$2.modifyException(BearerTokenProvider.kt:280)
	at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.modifyException(ExecutionInterceptorChain.java:181)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.utils.ExceptionReportingUtils.runModifyException(ExceptionReportingUtils.java:54)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.utils.ExceptionReportingUtils.reportFailureToInterceptors(ExceptionReportingUtils.java:38)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:39)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:26)
	at software.amazon.awssdk.core.internal.http.AmazonSyncHttpClient$RequestExecutionBuilderImpl.execute(AmazonSyncHttpClient.java:210)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.invoke(BaseSyncClientHandler.java:103)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.doExecute(BaseSyncClientHandler.java:173)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:80)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:182)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:74)
	at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
	at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:53)
	at software.amazon.awssdk.services.ssooidc.DefaultSsoOidcClient.createToken(DefaultSsoOidcClient.java:171)
	at software.amazon.awssdk.services.ssooidc.SsoOidcClient.createToken(SsoOidcClient.java:232)
	at software.aws.toolkits.jetbrains.core.credentials.sso.pkce.ToolkitOauthCredentialsAcquirer.acquireCredentials(ToolkitOAuthService.kt:153)
	at com.intellij.collaboration.auth.services.OAuthServiceBase.processCode(OAuthServiceBase.kt:81)
	at com.intellij.collaboration.auth.services.OAuthServiceBase.handleServerCallback(OAuthServiceBase.kt:47)
	at com.intellij.collaboration.auth.services.OAuthServiceBase.handleOAuthServerCallback(OAuthServiceBase.kt:54)
	at software.aws.toolkits.jetbrains.core.credentials.sso.pkce.ToolkitOAuthService.handleOAuthServerCallback(ToolkitOAuthService.kt:87)
	at com.intellij.collaboration.auth.services.OAuthCallbackHandler.execute$handle$lambda$1(OAuthCallbackHandler.kt:41)
	at com.intellij.openapi.progress.ProgressManager.lambda$runProcess$0(ProgressManager.java:98)
	at com.intellij.openapi.progress.impl.CoreProgressManager.lambda$runProcess$1(CoreProgressManager.java:223)
	at com.intellij.platform.diagnostic.telemetry.helpers.TraceKt.use(trace.kt:45)
	at com.intellij.openapi.progress.impl.CoreProgressManager.lambda$runProcess$2(CoreProgressManager.java:222)
	at com.intellij.openapi.progress.impl.CoreProgressManager.lambda$executeProcessUnderProgress$14(CoreProgressManager.java:674)
	at com.intellij.openapi.progress.impl.CoreProgressManager.registerIndicatorAndRun(CoreProgressManager.java:749)
	at com.intellij.openapi.progress.impl.CoreProgressManager.computeUnderProgress(CoreProgressManager.java:705)
	at com.intellij.openapi.progress.impl.CoreProgressManager.executeProcessUnderProgress(CoreProgressManager.java:673)
	at com.intellij.openapi.progress.impl.ProgressManagerImpl.executeProcessUnderProgress(ProgressManagerImpl.java:79)
	at com.intellij.openapi.progress.impl.CoreProgressManager.runProcess(CoreProgressManager.java:203)
	at com.intellij.openapi.progress.ProgressManager.runProcess(ProgressManager.java:98)
	at com.intellij.collaboration.auth.services.OAuthCallbackHandler.execute$handle(OAuthCallbackHandler.kt:40)
	at com.intellij.collaboration.auth.services.OAuthCallbackHandler.execute$lambda$2(OAuthCallbackHandler.kt:46)
	at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1768)
	... 12 more
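For triaging CloudTrail `CreateToken` records like the one in this issue, the following added example (not part of the original issue and not AWS Toolkit code) separates the polling responses of the device-code grant from real token failures, counted per client and grant type. The sample events are constructed; the `example-ide-plugin/1.0` user agent and its `authorization_code` record are assumptions for illustration.

```python
from collections import Counter

# Error codes CreateToken returns while a device-code login is still waiting
# for the user to approve it in the browser (RFC 8628 polling responses).
POLLING_ERRORS = {"AuthorizationPendingException", "SlowDownException"}
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def classify(event):
    """Return (client, grant_type, verdict) for a CreateToken event, else None."""
    if (event.get("eventSource") != "sso.amazonaws.com"
            or event.get("eventName") != "CreateToken"):
        return None
    params = event.get("requestParameters") or {}
    grant = params.get("grantType", "unknown")
    # The first user-agent token names the calling client, e.g. "aws-cli/2.24.20".
    client = (event.get("userAgent") or "unknown").split(" ", 1)[0]
    error = event.get("errorCode")
    if error is None:
        verdict = "issued"
    elif error in POLLING_ERRORS and grant == DEVICE_GRANT:
        verdict = "polling"   # expected until the user approves the request
    else:
        verdict = "failed"    # e.g. InvalidGrantException, ExpiredTokenException
    return client, grant, verdict


def triage(events):
    """Count verdicts per (client, grant type) so clients are not conflated."""
    return Counter(row for row in map(classify, events) if row)


def make_event(user_agent, grant, error=None, name="CreateToken"):
    """Build a minimal constructed CloudTrail record for the sample below."""
    return {"eventSource": "sso.amazonaws.com", "eventName": name,
            "userAgent": user_agent, "errorCode": error,
            "requestParameters": {"grantType": grant}}


# Constructed sample: the first three mimic the aws-cli device-code record in
# the issue; the fourth is a hypothetical IDE client using another grant type.
CLI = "aws-cli/2.24.20 md/awscrt#0.23.8 ua/2.1 os/macos#24.3.0"
SAMPLE = [
    make_event(CLI, DEVICE_GRANT, "AuthorizationPendingException"),
    make_event(CLI, DEVICE_GRANT, "AuthorizationPendingException"),
    make_event(CLI, DEVICE_GRANT),
    make_event("example-ide-plugin/1.0", "authorization_code", "InvalidGrantException"),
    make_event(CLI, DEVICE_GRANT, name="RegisterClient"),  # ignored: not CreateToken
]

if __name__ == "__main__":
    for key, count in sorted(triage(SAMPLE).items()):
        print(count, *key)
```

Grouping by user agent and grant type keeps records from different clients apart before any of them is read as the cause of a login failure.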