aws login: stale browser cookies cause 400 Bad Request — CLI hangs until timeout with no feedback #10186

@AlRos14

Description

Describe the bug

When aws login opens the browser and stale AWS session cookies are present, the signin
portal returns 400 Bad Request directly to the browser. The CLI's local callback server
(127.0.0.1:PORT) never receives a redirect, so the process hangs silently for up to
10 minutes with no feedback before failing.

Expected Behavior

When a browser session cookie is detected but the underlying session has expired, the
server should redirect the browser to the login page so the user can re-authenticate and
complete the OAuth flow naturally — rather than returning 400.

If redirecting to the login page is not possible, the server should communicate the failure
back through the redirect_uri with an error parameter as required by
RFC 6749 §4.1.2.1,
allowing the CLI to surface a meaningful error immediately.

Current Behavior

  1. CLI starts a local callback server at http://127.0.0.1:PORT/oauth/callback
  2. CLI opens /v1/authorize?...&redirect_uri=http://127.0.0.1:PORT/oauth/callback in the browser
  3. The server detects existing browser session cookies and attempts to reuse the session
  4. Browser is redirected to /v1/sessions?...
  5. Browser is redirected to /oauth?iam_user=true&backwards_compatible=true&...
  6. Server returns 400 Bad Request — browser shows an error page and stops
  7. The redirect_uri is never called; the CLI hangs for up to 10 minutes then raises
    PendingAuthorizationExpiredError with no useful message

Reproduction Steps

  1. Sign into the AWS Management Console in your browser (sets session cookies)
  2. Wait for the server-side session to expire (the browser cookies remain)
  3. Run aws login
  4. The browser opens and immediately shows a 400 error page
  5. The CLI prints nothing — it hangs until the 10-minute _OVERALL_TIMEOUT in
    AuthCodeFetcher.get_auth_code_and_state(), then raises PendingAuthorizationExpiredError

Possible Solution

Replace the current error-based stale cookie handling with a proper authentication redirect flow. Instead of surfacing a 400 error to the user when a stale cookie is detected, the server should transparently redirect the user through the login page so the CLI can obtain a fresh token without requiring manual intervention.
Current flow (broken):
stale cookie detected → try session reuse → error 400
Proposed flow:
stale cookie detected → redirect to login page → user authenticates → redirect_uri called with auth code → CLI exchanges code for token

CLI version used

aws-cli/2.34.23

Environment details (OS name and version, etc.)

Python/3.14.3 Linux/6.8.0-106-generic exe/x86_64.ubuntu.24
OS: Ubuntu 24.04
Browser: Brave (Chromium-based)
Region: eu-south-2
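
The two ways a callback listener can learn the outcome of the flow described above, as an added example that is not aws-cli code: a success redirect carrying `code` and `state` (RFC 6749 §4.1.2) and an error redirect carrying `error` and `error_description` (RFC 6749 §4.1.2.1). The listener below checks `state`, surfaces an error redirect immediately, and otherwise waits only until an overall timeout; it also reproduces the failure mode from the issue, where the browser never reaches `redirect_uri` at all. `CALLBACK_PATH`, `AuthCodeFetcher`, `simulate` and `simulate_no_callback` are hypothetical names chosen for this example; the real aws-cli class of that name is not reproduced, the path merely mirrors the one in the issue, and the timeout is shortened from ten minutes to seconds.

```python
"""Added example (not aws-cli code): an OAuth 2.0 authorization-code
callback listener that fails fast on an RFC 6749 section 4.1.2.1 error
response, checks `state`, and bounds the wait with an overall timeout."""
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed callback path, mirroring the one described in the issue.
CALLBACK_PATH = "/oauth/callback"


class CallbackError(Exception):
    """The authorization server reported an error through redirect_uri."""


def parse_callback(path, expected_state):
    """Interpret a callback request path as RFC 6749 section 4.1.2 (success)
    or section 4.1.2.1 (error). Returns the authorization code, raises
    CallbackError for an `error` parameter and ValueError for anything else
    (wrong path, missing or mismatched state, neither code nor error)."""
    url = urllib.parse.urlsplit(path)
    if url.path != CALLBACK_PATH:
        raise ValueError(f"unexpected callback path {url.path!r}")
    params = urllib.parse.parse_qs(url.query)
    state = params.get("state", [""])[0]
    # Constant-time compare; a stale tab or CSRF attempt must not look like success.
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch on callback")
    if "error" in params:
        message = params["error"][0]
        description = params.get("error_description", [""])[0]
        raise CallbackError(f"{message}: {description}" if description else message)
    if "code" not in params:
        raise ValueError("callback carried neither code nor error")
    return params["code"][0]


class AuthCodeFetcher:
    """Hypothetical listener on 127.0.0.1 with an ephemeral port."""

    def __init__(self, expected_state, overall_timeout):
        self.expected_state = expected_state
        self.overall_timeout = overall_timeout
        self.result = None          # ("code", str) or ("error", Exception)
        self.done = threading.Event()
        self.server = HTTPServer(("127.0.0.1", 0), self._handler())

    @property
    def redirect_uri(self):
        host, port = self.server.server_address
        return f"http://{host}:{port}{CALLBACK_PATH}"

    def _handler(self):
        fetcher = self

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args):   # keep the CLI's stdout quiet
                pass

            def do_GET(self):
                try:
                    try:
                        fetcher.result = ("code", parse_callback(self.path, fetcher.expected_state))
                        status, body = 200, b"Login complete. You may close this tab."
                    except Exception as exc:     # surfaced to the CLI and shown in the browser
                        fetcher.result = ("error", exc)
                        status, body = 400, f"Login failed: {exc}".encode()
                    self.send_response(status)
                    self.send_header("Content-Type", "text/plain; charset=utf-8")
                    self.send_header("Content-Length", str(len(body)))
                    self.end_headers()
                    self.wfile.write(body)
                finally:
                    fetcher.done.set()

        return Handler

    def get_auth_code(self):
        """Block until the browser hits redirect_uri or the overall timeout elapses."""
        threading.Thread(target=self.server.serve_forever, daemon=True).start()
        try:
            if not self.done.wait(self.overall_timeout):
                raise TimeoutError(f"no callback received within {self.overall_timeout}s")
            kind, value = self.result
            if kind == "error":
                raise value
            return value
        finally:
            self.server.shutdown()
            self.server.server_close()


def simulate(query, overall_timeout=5):
    """Drive the fetcher with a constructed browser redirect; STATE in `query`
    is replaced by the real state value. Constructed input, not a live flow."""
    state = secrets.token_urlsafe(16)
    fetcher = AuthCodeFetcher(state, overall_timeout)
    uri = fetcher.redirect_uri + "?" + query.replace("STATE", state)

    def browser():
        try:
            urllib.request.urlopen(uri, timeout=5).read()
        except urllib.error.HTTPError as err:   # our own 400 page for a bad callback
            err.read()

    threading.Thread(target=browser, daemon=True).start()
    return fetcher.get_auth_code()


def simulate_no_callback(overall_timeout=0.5):
    """The failure mode in the issue: the signin portal answered 400 directly in
    the browser, redirect_uri is never called, and only the timeout can fire."""
    return AuthCodeFetcher(secrets.token_urlsafe(16), overall_timeout).get_auth_code()


if __name__ == "__main__":
    print(simulate("code=abc123&state=STATE"))
```

The point of the example is the asymmetry the issue describes: a client can only fail fast when the authorization server uses the error form of the redirect, because the no-callback case is indistinguishable from a user who has simply not finished logging in yet, and the client's only defence there is the overall timeout. A client-side change can shorten that timeout or print progress while waiting, but the 400 itself has to be fixed on the server side, either by redirecting to the login page or by sending the error back through `redirect_uri`.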

Labels

bug (This issue is a bug.), investigating (This issue is being investigated and/or work is in progress to resolve the issue.), p2 (This is a standard priority issue)
