MissingAuthenticationToken is thrown by StsClient::getCallerIdentity()

[shadowhand]

Describe the bug

The method StsClient::getCallerIdentity() MAY throw MissingAuthenticationToken.

This can happen when the current configuration is targeting SSO without any active session. The only place the MissingAuthenticationToken is documented is in ComputeOptimizer, which seems incorrect given that tokens are related to authentication.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

StsClient::getCallerIdentity() documents that MissingAuthenticationToken MAY be thrown.

Current Behavior

StsClient::getCallerIdentity() has no documentation of possible errors.

Reproduction Steps

Configure a profile with SSO authentication.
Ensure no active credentials with aws sso logout.
Execute a request to STS::getCallerIdentity().

Possible Solution

Add errors to the GetCallerIdentity API manifest.

Additional Information/Context

It appears that GetCallerIdentity is missing possible errors. The API documentation also does not list this error, but links to Common Errors, which also does not list this error, so this may be an upstream issue.

SDK version used

latest

Environment details (Version of PHP (php -v)? OS name and version, etc.)

not relevant

[shadowhand]

Another error that may occur with expired SSO credentials is InvalidGrantException, but this appears to be correctly documented in SSOIDC.

[yenfryherrerafeliz]

Hi @shadowhand, thanks for opening this issue. I tried to reproduce the issue by following the steps you have provided but I did not even hit the service and here is why, when you do aws sso logout the session file is deleted and when we don't see a session file and you try to use SSO credentials we fail. See below:

<?php

use Aws\Credentials\CredentialProvider;

require '../vendor/autoload.php';

$client = new Aws\Sts\StsClient([
    'region' => 'us-east-2',
    'credentials' => CredentialProvider::sso('testing')
]);
$result = $client->getCallerIdentity();

print_r($result);

Output after doing aws sso logout:

opt/homebrew/opt/php@8.4/bin/php $PROJECT_DIR/test-code.php
PHP Fatal error:  Uncaught Aws\Exception\TokenException: Unable to read token file at $USER_HOME/.aws/sso/cache/da391f5d3d312c944ed9fdf11d74e5e09e7888.json in $PROJECT_DIR/aws-sdk-php/src/Token/SsoTokenProvider.php:233
Stack trace:

Is there anything I may be missing from my repro steps?

I look forward to your response.

Thank you!

[shadowhand]

@yenfryherrerafeliz hm, perhaps the token has to be expired, as opposed to missing?

[yenfryherrerafeliz]

@shadowhand lets do this, would you please enable debug logs and provide it so we can check where exactly this happens for you. Just make sure you redact any sensitive information.
Here is an example:

<?php

use Aws\Credentials\CredentialProvider;

require '../vendor/autoload.php';

$client = new Aws\Sts\StsClient([
    'region' => 'us-east-2',
    'credentials' => CredentialProvider::sso('testing'),
    'debug' => true // HERE IS HOW WE ENABLE DEBUG LOGS
]);
$result = $client->getCallerIdentity();

print_r($result);

Thank you!

[shadowhand]

-> Entering step init, name 'idempotency_auto_fill'
---------------------------------------------------

  command was set to array(3) {
    ["instance"]=>
    string(32) "00000000000000110000000000000000"
    ["name"]=>
    string(17) "GetCallerIdentity"
    ["params"]=>
    array(2) {
      ["@http"]=>
      array(1) {
        ["debug"]=>
        resource(263) of type (stream)
      }
      ["@context"]=>
      array(0) {
      }
    }
  }

  request was set to array(0) {
  }



-> Entering step validate, name 'validation'
--------------------------------------------

  no changes


Fatal error: Uncaught exception 'Aws\SSOOIDC\Exception\SSOOIDCException' with message 'Error executing "CreateToken" on "https://oidc.us-west-2.amazonaws.com/token"; AWS HTTP error: Client error: `POST https://oidc.us-west-2.amazonaws.com/token` resulted in a `400 Bad Request` response:
{"error":"invalid_grant","error_description":"Invalid refresh token provided"}
 InvalidGrantException (client):  - {"error":"invalid_grant","error_description":"Invalid refresh token provided"}'

GuzzleHttp\Exception\ClientException: Client error: `POST https://oidc.us-west-2.amazonaws.com/token` resulted in a `400 Bad Request` response:
{"error":"invalid_grant","error_description":"Invalid refresh token provided"}
 in vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:111
Stack trace:
#0 vendor/guzzlehttp/guzzle/src/Middleware.php(72): GuzzleHttp\Exception\RequestException::create(Object(GuzzleHttp\Psr7\Request), Object(GuzzleHttp\Psr7\Response), NULL, Array, NULL)
#1 vendor/guzzlehttp/promises/src/Promise.php(209): GuzzleHttp\Middleware::{closure:{closure:{closure:GuzzleHttp\Middleware::httpErrors():60}:61}:67}(Object(GuzzleHttp\Psr7\Response))
#2 vendor/guzzlehttp/promises/src/Promise.php(158): GuzzleHttp\Promise\Promise::callHandler(1, Object(GuzzleHttp\Psr7\Response), NULL)
#3 vendor/guzzlehttp/promises/src/TaskQueue.php(52): GuzzleHttp\Promise\Promise::{closure:GuzzleHttp\Promise\Promise::settle():156}()
#4 vendor/guzzlehttp/guzzle/src/Handler/CurlMultiHandler.php(167): GuzzleHttp\Promise\TaskQueue->run()
#5 vendor/guzzlehttp/guzzle/src/Handler/CurlMultiHandler.php(206): GuzzleHttp\Handler\CurlMultiHandler->tick()
#6 vendor/guzzlehttp/promises/src/Promise.php(251): GuzzleHttp\Handler\CurlMultiHandler->execute(true)
#7 vendor/guzzlehttp/promises/src/Promise.php(227): GuzzleHttp\Promise\Promise->invokeWaitFn()
#8 vendor/guzzlehttp/promises/src/Promise.php(272): GuzzleHttp\Promise\Promise->waitIfPending()
#9 vendor/guzzlehttp/promises/src/Promise.php(229): GuzzleHttp\Promise\Promise->invokeWaitList()
#10 vendor/guzzlehttp/promises/src/Promise.php(272): GuzzleHttp\Promise\Promise->waitIfPending()
#11 vendor/guzzlehttp/promises/src/Promise.php(229): GuzzleHttp\Promise\Promise->invokeWaitList()
#12 vendor/guzzlehttp/promises/src/Promise.php(69): GuzzleHttp\Promise\Promise->waitIfPending()
#13 vendor/aws/aws-sdk-php/src/AwsClientTrait.php(58): GuzzleHttp\Promise\Promise->wait()
#14 vendor/aws/aws-sdk-php/src/AwsClientTrait.php(86): Aws\AwsClient->execute(Object(Aws\Command))
#15 vendor/aws/aws-sdk-php/src/Token/SsoTokenProvider.php(169): Aws\AwsClient->__call('createToken', Array)
#16 vendor/aws/aws-sdk-php/src/Token/SsoTokenProvider.php(126): Aws\Token\SsoTokenProvider->refresh()
#17 [internal function]: Aws\Token\SsoTokenProvider->{closure:Aws\Token\SsoTokenProvider::__invoke():91}()
#18 vendor/guzzlehttp/promises/src/Coroutine.php(72): Generator->current()
#19 vendor/guzzlehttp/promises/src/Coroutine.php(83): GuzzleHttp\Promise\Coroutine->__construct(Object(Closure))
#20 vendor/aws/aws-sdk-php/src/Token/SsoTokenProvider.php(91): GuzzleHttp\Promise\Coroutine::of(Object(Closure))
#21 vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php(971): Aws\Token\SsoTokenProvider->__invoke()
#22 vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php(367): Aws\Credentials\CredentialProvider::getSsoCredentials(Array, 'profile xxx', '...', Array)
#23 vendor/aws/aws-sdk-php/src/Auth/AuthSchemeResolver.php(144): Aws\Credentials\CredentialProvider::{closure:Aws\Credentials\CredentialProvider::sso():351}()
#24 vendor/aws/aws-sdk-php/src/Auth/AuthSchemeResolver.php(104): Aws\Auth\AuthSchemeResolver->hasAwsCredentialIdentity()
#25 vendor/aws/aws-sdk-php/src/Auth/AuthSchemeResolver.php(74): Aws\Auth\AuthSchemeResolver->isCompatibleAuthScheme('v4')
#26 vendor/aws/aws-sdk-php/src/Auth/AuthSelectionMiddleware.php(106): Aws\Auth\AuthSchemeResolver->selectAuthScheme(Array, Array)
#27 vendor/aws/aws-sdk-php/src/TraceMiddleware.php(98): Aws\Auth\AuthSelectionMiddleware->__invoke(Object(Aws\Command), NULL)
#28 vendor/aws/aws-sdk-php/src/Middleware.php(111): Aws\TraceMiddleware->{closure:{closure:Aws\TraceMiddleware::__invoke():84}:85}(Object(Aws\Command), NULL)
#29 vendor/aws/aws-sdk-php/src/TraceMiddleware.php(98): Aws\Middleware::{closure:{closure:Aws\Middleware::validation():94}:95}(Object(Aws\Command), NULL)
#30 vendor/aws/aws-sdk-php/src/IdempotencyTokenMiddleware.php(79): Aws\TraceMiddleware->{closure:{closure:Aws\TraceMiddleware::__invoke():84}:85}(Object(Aws\Command), NULL)
#31 vendor/aws/aws-sdk-php/src/AwsClientTrait.php(64): Aws\IdempotencyTokenMiddleware->__invoke(Object(Aws\Command))
#32 vendor/aws/aws-sdk-php/src/AwsClientTrait.php(58): Aws\AwsClient->executeAsync(Object(Aws\Command))
#33 vendor/aws/aws-sdk-php/src/AwsClientTrait.php(86): Aws\AwsClient->execute(Object(Aws\Command))
#34 check-aws.php(12): Aws\AwsClient->__call('getCallerIdenti...', Array)
#35 {main}

Next Aws\SSOOIDC\Exception\SSOOIDCException: Error executing "CreateToken" on "https://oidc.us-west-2.amazonaws.com/token"; AWS HTTP error: Client error: `POST https://oidc.us-west-2.amazonaws.com/token` resulted in a `400 Bad Request` response:
{"error":"invalid_grant","error_description":"Invalid refresh token provided"}
 InvalidGrantException (client):  - {"error":"invalid_grant","error_description":"Invalid refresh token provided"} in vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php:196
Stack trace:
#0 vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php(97): Aws\WrappedHttpHandler->parseError(Array, Object(GuzzleHttp\Psr7\Request), Object(Aws\Command), Array)
#1 vendor/guzzlehttp/promises/src/Promise.php(209): Aws\WrappedHttpHandler->{closure:Aws\WrappedHttpHandler::__invoke():95}(Array)
#2 vendor/guzzlehttp/promises/src/Promise.php(174): GuzzleHttp\Promise\Promise::callHandler(2, Array, NULL)
#3 vendor/guzzlehttp/promises/src/RejectedPromise.php(49): GuzzleHttp\Promise\Promise::{closure:GuzzleHttp\Promise\Promise::settle():172}(Array)
#4 vendor/guzzlehttp/promises/src/TaskQueue.php(52): GuzzleHttp\Promise\RejectedPromise::{closure:GuzzleHttp\Promise\RejectedPromise::then():45}()
#5 vendor/guzzlehttp/guzzle/src/Handler/CurlMultiHandler.php(167): GuzzleHttp\Promise\TaskQueue->run()
#6 vendor/guzzlehttp/guzzle/src/Handler/CurlMultiHandler.php(206): GuzzleHttp\Handler\CurlMultiHandler->tick()
#7 vendor/guzzlehttp/promises/src/Promise.php(251): GuzzleHttp\Handler\CurlMultiHandler->execute(true)
#8 vendor/guzzlehttp/promises/src/Promise.php(227): GuzzleHttp\Promise\Promise->invokeWaitFn()
#9 vendor/guzzlehttp/promises/src/Promise.php(272): GuzzleHttp\Promise\Promise->waitIfPending()
#10 vendor/guzzlehttp/promises/src/Promise.php(229): GuzzleHttp\Promise\Promise->invokeWaitList()
#11 vendor/guzzlehttp/promises/src/Promise.php(272): GuzzleHttp\Promise\Promise->waitIfPending()
#12 vendor/guzzlehttp/promises/src/Promise.php(229): GuzzleHttp\Promise\Promise->invokeWaitList()
#13 vendor/guzzlehttp/promises/src/Promise.php(69): GuzzleHttp\Promise\Promise->waitIfPending()
#14 vendor/aws/aws-sdk-php/src/AwsClientTrait.php(58): GuzzleHttp\Promise\Promise->wait()
#15 vendor/aws/aws-sdk-php/src/AwsClientTrait.php(86): Aws\AwsClient->execute(Object(Aws\Command))
#16 vendor/aws/aws-sdk-php/src/Token/SsoTokenProvider.php(169): Aws\AwsClient->__call('createToken', Array)
#17 vendor/aws/aws-sdk-php/src/Token/SsoTokenProvider.php(126): Aws\Token\SsoTokenProvider->refresh()
#18 [internal function]: Aws\Token\SsoTokenProvider->{closure:Aws\Token\SsoTokenProvider::__invoke():91}()
#19 vendor/guzzlehttp/promises/src/Coroutine.php(72): Generator->current()
#20 vendor/guzzlehttp/promises/src/Coroutine.php(83): GuzzleHttp\Promise\Coroutine->__construct(Object(Closure))
#21 vendor/aws/aws-sdk-php/src/Token/SsoTokenProvider.php(91): GuzzleHttp\Promise\Coroutine::of(Object(Closure))
#22 vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php(971): Aws\Token\SsoTokenProvider->__invoke()
#23 vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php(367): Aws\Credentials\CredentialProvider::getSsoCredentials(Array, 'profile xxx', '...', Array)
#24 vendor/aws/aws-sdk-php/src/Auth/AuthSchemeResolver.php(144): Aws\Credentials\CredentialProvider::{closure:Aws\Credentials\CredentialProvider::sso():351}()
#25 vendor/aws/aws-sdk-php/src/Auth/AuthSchemeResolver.php(104): Aws\Auth\AuthSchemeResolver->hasAwsCredentialIdentity()
#26 vendor/aws/aws-sdk-php/src/Auth/AuthSchemeResolver.php(74): Aws\Auth\AuthSchemeResolver->isCompatibleAuthScheme('v4')
#27 vendor/aws/aws-sdk-php/src/Auth/AuthSelectionMiddleware.php(106): Aws\Auth\AuthSchemeResolver->selectAuthScheme(Array, Array)
#28 vendor/aws/aws-sdk-php/src/TraceMiddleware.php(98): Aws\Auth\AuthSelectionMiddleware->__invoke(Object(Aws\Command), NULL)
#29 vendor/aws/aws-sdk-php/src/Middleware.php(111): Aws\TraceMiddleware->{closure:{closure:Aws\TraceMiddleware::__invoke():84}:85}(Object(Aws\Command), NULL)
#30 vendor/aws/aws-sdk-php/src/TraceMiddleware.php(98): Aws\Middleware::{closure:{closure:Aws\Middleware::validation():94}:95}(Object(Aws\Command), NULL)
#31 vendor/aws/aws-sdk-php/src/IdempotencyTokenMiddleware.php(79): Aws\TraceMiddleware->{closure:{closure:Aws\TraceMiddleware::__invoke():84}:85}(Object(Aws\Command), NULL)
#32 vendor/aws/aws-sdk-php/src/AwsClientTrait.php(64): Aws\IdempotencyTokenMiddleware->__invoke(Object(Aws\Command))
#33 vendor/aws/aws-sdk-php/src/AwsClientTrait.php(58): Aws\AwsClient->executeAsync(Object(Aws\Command))
#34 vendor/aws/aws-sdk-php/src/AwsClientTrait.php(86): Aws\AwsClient->execute(Object(Aws\Command))
#35 check-aws.php(12): Aws\AwsClient->__call('getCallerIdenti...', Array)
#36 {main}
  thrown in vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php on line 196

[shadowhand]

@yenfryherrerafeliz log attached above. This was when my SSO session was expired.

After doing aws sso logout I get the same error as you. Now I am unsure where the MissingAuthenticationToken comes from, but I have definitely seen it.

[yenfryherrerafeliz]

@shadowhand, got it. Without the scenario that causes the issue is hard for me to help you. I tried different scenarios locally and I was unable to get this issue. I would say that, if you happen to see this error again feel free to reach out with the specific steps and I will be happy to address it.

Thank you!