Describe the feature
I would like to propose a feature that allows specifying a fixed callback port for the PKCE callback server used by aws sso login.
For example:
aws sso login --redirect-port 34535
When specified, the PKCE callback server would listen on the given port and use:
http://127.0.0.1:34535/oauth/callback
as the redirect_uri instead of selecting a random available port.
When the option is not specified, the current behavior of automatically selecting an available port would remain unchanged.
Use Case
I frequently run aws sso login on remote environments accessed over SSH.
While --use-device-code is available as a workaround, I would prefer to continue using the default PKCE-based login flow.
The PKCE flow provides a more streamlined browser experience and requires fewer manual interactions. In contrast, the device code flow requires entering a verification code and following a different authentication process.
The main issue is that the PKCE callback server uses a randomly selected localhost port, which makes it difficult to prepare SSH local port forwarding ahead of time.
For example, I would like to configure:
ssh -L 34535:127.0.0.1:34535 remote-host
and then use the standard aws sso login flow over that tunnel.
A fixed callback port would allow SSH users to keep using the default PKCE experience while retaining the ability to preconfigure SSH port forwarding.
Proposed Solution
Add a new option to allow users to specify the callback port used by the local PKCE callback server.
Example:
aws sso login --redirect-port 34535
If the specified port is unavailable, the command could fail with an appropriate error message rather than automatically selecting a different port.
This would provide deterministic behavior for SSH tunnels and remote development environments while preserving the current behavior when the option is not specified.
Other Information
The current workaround is:
aws sso login --use-device-code
While this works, it requires additional manual steps in the browser, including entering a verification code.
A fixed callback port would allow users to continue using the default PKCE-based login flow when working over SSH, rather than switching to a different authentication experience.
Related issue:
This request focuses specifically on allowing a fixed callback port.
Additionally, it might be useful to support configuring the callback port through ~/.aws/config (for example, at the sso-session level) so that users who consistently work in remote environments do not need to specify the option every time.
For example:
[sso-session my-sso]
sso_redirect_port = 34535
Acknowledgements
CLI version used
aws-cli/2.34.24 Python/3.13.13 Darwin/25.5.0 source/arm64
Environment details (OS name and version, etc.)
OS: macOS 26.5.1 (Build 25F80), Architecture: arm64 (Apple Silicon)
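Sketch of the behaviour proposed above, added here as example code; it is not aws-cli's own implementation, and the names `CallbackServer`, `open_callback_server`, `wait_for_code` and `exercise_callback` are assumptions for illustration. It shows the two semantics the request asks for: port 0 keeps today's behaviour (the kernel picks a free port), any other port is bound exactly and a conflict surfaces as OSError (EADDRINUSE) rather than a silent fallback to a different port, which would break a pre-configured `ssh -L` forward. It also keeps the listener on 127.0.0.1 only (so the SSH forward is the only way in) and rejects a callback whose `state` does not match the one generated for this login:

```python
"""Fixed-port PKCE callback listener (example code, not aws-cli's implementation)."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

LOOPBACK = "127.0.0.1"          # never 0.0.0.0: the tunnel is the only intended path in
CALLBACK_PATH = "/oauth/callback"


def redirect_uri(port: int) -> str:
    """redirect_uri the authorization request would carry for a given port."""
    return f"http://{LOOPBACK}:{port}{CALLBACK_PATH}"


class CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        if url.path != CALLBACK_PATH:
            self.send_error(404)
            return
        params = parse_qs(url.query)
        state = params.get("state", [""])[0]
        # Constant-time compare of the CSRF token bound to this login attempt.
        if not secrets.compare_digest(state, self.server.expected_state):
            self.server.error = "state mismatch"
            self.send_error(400, "state mismatch")
            return
        self.server.code = params.get("code", [""])[0]
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Login complete, you may close this window.")

    def log_message(self, *args):  # keep the example quiet
        pass


class CallbackServer(HTTPServer):
    # HTTPServer enables SO_REUSEADDR by default; disable it so a second listener
    # on the same fixed port fails with EADDRINUSE on every platform.
    allow_reuse_address = False

    def __init__(self, port: int, expected_state: str):
        super().__init__((LOOPBACK, port), CallbackHandler)  # binds and listens
        self.expected_state = expected_state
        self.code: Optional[str] = None
        self.error: Optional[str] = None


def open_callback_server(port: int = 0, expected_state: Optional[str] = None) -> CallbackServer:
    """port == 0: current behaviour (random free port).
    Any other port: the proposed --redirect-port semantics, bind exactly that port
    or let OSError (EADDRINUSE) propagate instead of picking another one."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    state = expected_state or secrets.token_urlsafe(32)
    return CallbackServer(port, state)


def wait_for_code(server: CallbackServer, timeout: float = 5.0) -> Optional[str]:
    """Serve exactly one request and return the authorization code, if accepted."""
    server.timeout = timeout
    server.handle_request()
    return server.code


def exercise_callback(server: CallbackServer, query: str) -> int:
    """Simulate the browser redirect (constructed request, no real IdP involved):
    serve one request while fetching the callback URL; returns the HTTP status."""
    worker = threading.Thread(target=wait_for_code, args=(server,))
    worker.start()
    url = f"{redirect_uri(server.server_address[1])}?{query}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:
        status = exc.code
    worker.join()
    return status


if __name__ == "__main__":
    srv = open_callback_server(34535)  # fails loudly if 34535 is already taken
    print("listening on", redirect_uri(srv.server_address[1]))
    print("code:", wait_for_code(srv, timeout=60))
    srv.server_close()
```

With this in place the SSH side is deterministic: `ssh -L 34535:127.0.0.1:34535 remote-host` on the workstation, the listener bound to 127.0.0.1:34535 on the remote host, and the browser's redirect to `http://127.0.0.1:34535/oauth/callback` lands on the tunnel. The `state` check matters more in this setup than on a laptop, because anything else that can reach the remote host's loopback could otherwise post an attacker-chosen code to the callback.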