Skip to content

Commit 9bba857

Browse files
committed
Merge 'fix/yg/sso-refresh-token' into 'master'
fix: align sso token refresh semantics See merge request: !66
2 parents 42a5926 + 586bb9c commit 9bba857

4 files changed

Lines changed: 810 additions & 83 deletions

File tree

README.EN.MD

Lines changed: 95 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -95,7 +95,7 @@ To invoke the service, you must provide AK, SK, and region. These parameters can
9595
#### Other Operations of the configure Command
9696
9797
1. After configuring a profile using the Volcengine CLI 'configure' command, the CLI will prioritize the authentication information within the profile for API request signing.
98-
2. After a profile is added or modified, the default profile used in the current configuration will be switched to the newly added or modified profile.
98+
2. After a regular AK profile is added or modified with `ve configure set`, the default profile used in the current configuration will be switched to that profile. `ve configure sso` does not automatically switch the current profile; after creating an SSO profile, run `ve configure profile --profile [profile name]` if you want business commands to use it by default.
9999
3. If multiple profiles exist, use 've configure profile --profile [configuration name]' to switch before invoking the interface to ensure correct usage.
100100
101101
###### Retrieve specified profile configuration information
@@ -157,85 +157,155 @@ When deleting a configuration, the profile field must be specified to indicate t
157157
158158
If the configuration to be deleted is currently in use, then after successful deletion, Volcano Engine CLI will attempt to randomly select one of the remaining configurations as the new current configuration.
159159
160-
#### SSO Session Management
160+
#### SSO Quick Start
161161
162-
###### Configure SSO Session (configure sso-session)
162+
SSO uses two layers of configuration: `sso-session` stores the enterprise SSO entry point (Start URL, Region, and Scopes), while an SSO profile stores the selected account and role binding. For first-time setup, follow this order:
163+
164+
```shell
165+
# 1. Create an SSO session. registration-scopes can be omitted; press Enter at the prompt to use the default
166+
ve configure sso-session --name my-sso --start-url https://{custom}.volccloudidentity.com/userportal --region cn-beijing
167+
168+
# 2. Create an SSO profile, complete device authorization, and select an account and role
169+
ve configure sso --profile my-dev --sso-session my-sso
170+
171+
# 3. Switch the current default profile to the SSO profile you just created
172+
ve configure profile --profile my-dev
173+
174+
# 4. Run business commands normally; the CLI refreshes STS temporary credentials when needed
175+
ve [service] [action] [params]
176+
```
177+
178+
Note: `ve configure sso` writes the SSO profile but does not automatically change the current default profile. If you skip step 3, business commands will continue using the previous current profile.
179+
180+
#### SSO Command Relationships
181+
182+
| Command | When to use it | What it does | Switches current profile |
183+
| --- | --- | --- | --- |
184+
| `ve configure sso-session` | Usually once per SSO entry point | Stores Start URL, Region, and Scopes; reusable by multiple SSO profiles | No |
185+
| `ve configure sso` | Once per account + role combination | Links an SSO session, performs first authorization, selects account and role, and writes an SSO profile | No |
186+
| `ve configure profile --profile [profile name]` | When business commands should use a profile by default | Switches the current default profile | Yes |
187+
| `ve sso login` | When prompted to log in again, or when you want to refresh the SSO login state explicitly | Runs device authorization again and caches the access token | No |
188+
| `ve sso logout` | When logging out of one or all SSO sessions | Revokes cached tokens, removes token cache, and clears STS temporary credentials | No |
189+
190+
#### Configure SSO Session (configure sso-session)
163191
164192
```shell
165193
ve configure sso-session --name [session name] --start-url [SSO Start URL] --region [region] --registration-scopes [scope1,scope2]
166194
```
167195
168-
This command creates or updates an SSO session for later use with `configure sso`. Behaviors and parameters:
196+
This command creates or updates an SSO session for later use with `ve configure sso`. Parameters:
169197
170198
```shell
171199
name: SSO session name; if omitted, enter interactive selection/creation mode
172-
start-url: SSO Start URL; required. Format: your sign-in URL with the `/userportal` suffix, for example `https://{custom}.volccloudidentity.com/userportal`. If editing an existing session, press Enter to keep the default
173-
region: SSO region; required; default is cn-beijing, existing session values are used as defaults
174-
registration-scopes: SSO scope list (comma-separated); allowed values are cloudidentity:account:access, offline_access
200+
start-url: SSO Start URL; required. Format: your sign-in URL with the /userportal suffix, for example https://{custom}.volccloudidentity.com/userportal. When editing an existing session, press Enter to keep the default
201+
region: SSO region; default is cn-beijing. When editing an existing session, press Enter to keep the default
202+
registration-scopes: SSO scope list (comma-separated); optional, default cloudidentity:account:access,offline_access; allowed values are only cloudidentity:account:access and offline_access
175203
```
176204
177205
Interactive flow notes:
178206
- If no sessions exist, you will be prompted to enter a non-empty session name
179207
- If sessions exist, you get a searchable list with “<Create new session>” to add one
180208
- When editing, Start URL, Region, and Scopes are pre-filled; press Enter to keep defaults
181-
- Scopes are deduplicated and validated; empty input falls back to cloudidentity:account:access, offline_access
209+
- Scopes are trimmed, deduplicated, and validated; empty input falls back to the default scopes
182210
183-
###### Configure SSO Profile (configure sso)
211+
#### Configure SSO Profile (configure sso)
184212
185213
```shell
186-
ve configure sso --profile [profile name] --sso-session [session name]
214+
ve configure sso --profile [profile name] --sso-session [session name] [--no-browser]
187215
```
188216
189-
This command configures an SSO profile, links an SSO session, runs the device authorization flow, and writes the profile to ~/.volcengine/config.json. Behaviors and parameters:
217+
This command creates or updates an SSO profile. It links an SSO session, runs the device authorization flow, lists accounts and roles for selection, and writes `mode=sso`, `sso-session-name`, `account-id`, `role-name`, and `region` to `~/.volcengine/config.json`.
218+
219+
Parameters:
190220
191221
```shell
192-
profile: profile name; empty uses {sso-role-name}-{sso-account-id} as the default
222+
profile: profile name; if omitted, you can press Enter and the default becomes {sso-role-name}-{sso-account-id}
193223
sso-session: SSO session name; if omitted, enter interactive selection/creation mode
194-
no-browser: Adding the `--no-browser` parameter to the command line disables the browser from opening; omitting it will automatically open the browser by default.
224+
no-browser: add --no-browser to disable automatically opening the browser, useful on servers without a GUI
195225
```
196226
197227
Notes:
198-
- If the profile already exists and is not an SSO profile, the command will refuse to overwrite it
199-
- If the SSO session does not exist, you will be guided to create it and enter Start URL, Region, and Scopes
228+
- If the profile already exists and is not an SSO profile, the command refuses to overwrite it
229+
- If the specified SSO session does not exist, you will be guided to create it and enter Start URL, Region, and Scopes
230+
- `configure sso` completes first authorization and account/role selection, but does not switch the current default profile; run `ve configure profile --profile [profile name]` when needed
231+
- To switch accounts or roles, run `ve configure sso --profile [profile name] --sso-session [session name]` again
232+
233+
#### Daily Login, Auto-Refresh, and Logout
200234
235+
##### Business Command Auto-Refresh
201236
202-
#### SSO Login and Logout
237+
When the current default profile is an SSO profile, business commands automatically check and refresh STS temporary credentials:
238+
- If the profile's `session-token` has not expired, it is reused
239+
- If STS credentials are missing or expired, the CLI uses the cached SSO access token plus the profile's `account-id` / `role-name` to request new STS credentials and writes them back to the profile
240+
- If the SSO access token is expired or close to expiry, the CLI only attempts a silent refresh with refresh_token; business commands do not automatically open a browser
241+
- If no access token is cached, refresh_token is missing, client registration has expired, or refresh fails, the business command asks you to run `ve sso login`
203242
204243
##### SSO Login (sso login)
205244
206245
```shell
207246
ve sso login --profile [profile name]
208247
# or
209248
ve sso login --sso-session [session name]
249+
# or omit arguments and let the CLI auto-select or prompt from configured sso-sessions
250+
ve sso login
210251
```
211252
212-
This command logs in via SSO, obtains an access token, and caches it. Parameters:
253+
`ve sso login` explicitly logs in to SSO again. It runs device authorization and caches a new access token. In line with AWS SSO login semantics, each execution re-authenticates the current SSO session and does not silently exchange an existing refresh_token for an access token.
254+
255+
Parameters:
213256
214257
```shell
215258
profile: the SSO profile to use; must exist, be of sso type, and have sso-session configured
216259
sso-session: the SSO session to use; the session must exist and be valid
217-
no-browser: Adding the `--no-browser` parameter to the command line disables the browser from opening; omitting it will automatically open the browser by default.
260+
no-browser: add --no-browser to disable automatically opening the browser
218261
```
219262
220263
Login behavior:
221264
- If neither profile nor sso-session is provided: error when no sessions are configured; use the only session if one exists; otherwise enter interactive selection with search
265+
- `sso login` does not reselect account/role; account and role come from `account-id` / `role-name` written by `ve configure sso`
222266
- Only the device code flow is supported; use `--no-browser` to disable auto-opening the browser
223267
224268
##### SSO Logout (sso logout)
225269
226270
```shell
227271
ve sso logout --sso-session [session name]
272+
# or omit arguments and let the CLI auto-select or prompt from configured sso-sessions
273+
ve sso logout
228274
```
229275
230-
This command logs out from SSO by revoking the cached token and clearing local credentials. Parameters:
276+
`ve sso logout` logs out of the SSO login state. With `--sso-session`, it logs out of that session. Without it, the command errors when no sessions are configured, logs out of the only session when exactly one exists, or opens a searchable selection list when multiple sessions exist. The selection list also includes “All SSO sessions” for batch logout.
231277
232-
```shell
233-
sso-session: the SSO session name to log out
234-
```
278+
Logout does:
279+
- Revoke the cached refresh token for the SSO session, if present
280+
- Delete the SSO session token cache
281+
- Clear STS temporary credential fields from linked SSO profiles: `access-key`, `secret-key`, `session-token`, `sts-expiration`
282+
283+
Logout does not:
284+
- Delete SSO profiles
285+
- Delete sso-session configuration
286+
- Clear `account-id` / `role-name` from profiles
287+
288+
After logout, run `ve sso login` to keep using the same account and role. Run `ve configure sso` again only when switching accounts or roles.
289+
290+
#### SSO FAQ
291+
292+
- Business commands still use the old account after `ve configure sso`. What should I do?
293+
Run `ve configure profile --profile [profile name]` to switch the current default profile. `configure sso` writes a profile but does not automatically change the current profile.
294+
295+
- When do I need to run `ve sso login`?
296+
The first `ve configure sso` already completes authorization. Daily business commands reuse or silently refresh credentials. Run `ve sso login` only when the CLI asks you to log in again, or when you want to refresh the SSO login state explicitly.
297+
298+
- Why does `ve sso login` open the authorization flow every time?
299+
This is explicit login behavior: each run performs device authorization again and does not silently complete login with an existing refresh_token.
300+
301+
- How do I switch accounts or roles?
302+
Run `ve configure sso --profile [profile name] --sso-session [session name]` again, then select the account and role from the interactive lists.
303+
304+
- How do I log in on a machine without a graphical browser?
305+
Add `--no-browser` to `ve configure sso` or `ve sso login`, then complete authorization in a browser using the URL printed by the CLI.
235306
236-
Logout behavior:
237-
- If sso-session is not provided: error when no sessions are configured; logout the only session if one exists; otherwise enter interactive selection that includes “All SSO sessions”
238-
- Batch logout logs out each session and returns aggregated errors on failure
307+
- What should I enter for Scopes?
308+
Usually nothing. The default is `cloudidentity:account:access,offline_access`. If you enter scopes manually, only `cloudidentity:account:access` and `offline_access` are allowed; the CLI deduplicates and validates them.
239309
240310
#### Configure Auto-Completion
241311

0 commit comments

Comments
 (0)