[V2] Add the OAuth Authorization Code Flow with PKCE (#8947)

This adds support for the OAuth2.0 authorization code flow with PKCE to the
aws sso login command. It is the new default behavior, but users can fall back to
the device code flow using the new --use-device-code option.

Author: ashovlin

.changes/next-release/feature-sso-81096.json

@@ -0,0 +1,5 @@
+{
+  "type": "feature",
+  "category": "``sso``",
+  "description": "Add support and default to the OAuth 2.0 Authorization Code Flow with PKCE for ``aws sso login``."
+}

awscli/botocore/exceptions.py

@@ -674,14 +674,18 @@ class SSOError(BotoCoreError):
 class PendingAuthorizationExpiredError(SSOError):
     fmt = (
         "The pending authorization to retrieve an SSO token has expired. The "
-        "device authorization flow to retrieve an SSO token must be restarted."
+        "login flow to retrieve an SSO token must be restarted."
     )
 
 
 class SSOTokenLoadError(SSOError):
     fmt = "Error loading SSO Token: {error_msg}"
 
 
+class AuthorizationCodeLoadError(SSOError):
+    fmt = "Error loading authorization code: {error_msg}"
+
+
 class UnauthorizedSSOTokenError(SSOError):
     fmt = (
         "The SSO session associated with this profile has expired or is "
@@ -690,6 +694,14 @@ class UnauthorizedSSOTokenError(SSOError):
     )
 
 
+class AuthCodeFetcherError(SSOError):
+    fmt = (
+        "Unable to initialize the OAuth 2.0 authorization callback handler: "
+        "{error_msg} \n You may use --use-device-code to fall back to the "
+        "device code flow which does not require the callback handler."
+    )
+
+
 class CapacityNotAvailableError(BotoCoreError):
     fmt = (
         'Insufficient request capacity available.'