From eab6b2fed572417fb74704c7c4dfcbd26cd8aaf3 Mon Sep 17 00:00:00 2001
From: Sichan Yoo <chanyoo@amazon.com>
Date: Mon, 11 May 2026 14:35:09 -0700
Subject: [PATCH 1/2] Add handling for oauth2.0 error_description field for SSO
 OIDC by adding handling to JSON deserializer & add unit test.

---
 .../lib/aws-sdk-core/json/error_handler.rb    |  2 +-
 .../spec/aws/json/error_handler_spec.rb       | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/json/error_handler.rb b/gems/aws-sdk-core/lib/aws-sdk-core/json/error_handler.rb
index 4385dba2a9d..bb9c76d8756 100644
--- a/gems/aws-sdk-core/lib/aws-sdk-core/json/error_handler.rb
+++ b/gems/aws-sdk-core/lib/aws-sdk-core/json/error_handler.rb
@@ -68,7 +68,7 @@ def error_message(code, json)
         if code == 'RequestEntityTooLarge'
           'Request body must be less than 1 MB'
         else
-          json['message'] || json['Message'] || ''
+          json['message'] || json['Message'] || json['error_description'] || ''
         end
       end
 
diff --git a/gems/aws-sdk-core/spec/aws/json/error_handler_spec.rb b/gems/aws-sdk-core/spec/aws/json/error_handler_spec.rb
index 1204333707f..df460b93003 100644
--- a/gems/aws-sdk-core/spec/aws/json/error_handler_spec.rb
+++ b/gems/aws-sdk-core/spec/aws/json/error_handler_spec.rb
@@ -38,6 +38,26 @@ module Json
         }
       JSON
 
+      let(:oauth2_error_resp) { <<~JSON.strip }
+        {
+          "__type":"Oauth2ErrorResponse",
+          "error_description":"foo"
+        }
+      JSON
+
+      it 'extracts oauth2 error message from error_description' do
+        client.stub_responses(
+          :batch_get_item,
+          { status_code: 400, body: oauth2_error_resp, headers: {} }
+        )
+
+        expect { client.batch_get_item(request_items: {}) }
+          .to raise_error do |e|
+          expect(e.code).to eq('Oauth2ErrorResponse')
+          expect(e.message).to eq('foo')
+        end
+      end
+
       it 'extracts error data' do
         client.stub_responses(
           :batch_get_item,

From dea4e64aa04f61045d44b90728dbe901c7a99e7c Mon Sep 17 00:00:00 2001
From: Sichan Yoo <chanyoo@amazon.com>
Date: Mon, 11 May 2026 14:59:47 -0700
Subject: [PATCH 2/2] Comment in deserializer change & CHANGELOG

---
 gems/aws-sdk-core/CHANGELOG.md                           | 1 +
 gems/aws-sdk-core/lib/aws-sdk-core/json/error_handler.rb | 1 +
 2 files changed, 2 insertions(+)

diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md
index a1259ea6a31..1b5999804e0 100644
--- a/gems/aws-sdk-core/CHANGELOG.md
+++ b/gems/aws-sdk-core/CHANGELOG.md
@@ -1,6 +1,7 @@
 Unreleased Changes
 ------------------
 * Feature - Add YJIT & ZJIT tracking to user agent.
+* Issue - Fix error messaging in SSO OIDC.
 
 3.246.0 (2026-04-23)
 ------------------
diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/json/error_handler.rb b/gems/aws-sdk-core/lib/aws-sdk-core/json/error_handler.rb
index bb9c76d8756..39993663dc7 100644
--- a/gems/aws-sdk-core/lib/aws-sdk-core/json/error_handler.rb
+++ b/gems/aws-sdk-core/lib/aws-sdk-core/json/error_handler.rb
@@ -68,6 +68,7 @@ def error_message(code, json)
         if code == 'RequestEntityTooLarge'
           'Request body must be less than 1 MB'
         else
+          # SSO OIDC returns error message in error_description, following OAuth 2.0 spec.
           json['message'] || json['Message'] || json['error_description'] || ''
         end
       end