fix: Skip Windows file permission test + add blog post and roadmap update

- Skip TestCacheFilePermissions on Windows (NTFS doesn't support Unix perms)
- Add changelog blog post for browser-based auth feature
- Update roadmap: mark browser-based auth milestone as shipped (PR #2148)
- Update auth initiative progress from 85% to 92%

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Benbentwo

pkg/auth/identities/aws/webflow_test.go

@@ -11,6 +11,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 	"time"
 
@@ -717,6 +718,10 @@ func TestWebflowIntegration_AuthenticateFallback(t *testing.T) {
 }
 
 func TestCacheFilePermissions(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("Windows does not support Unix file permissions")
+	}
+
 	tmpDir := t.TempDir()
 	t.Setenv("ATMOS_XDG_CACHE_HOME", tmpDir)
 

website/blog/2026-03-24-browser-based-auth-aws-user.mdx

@@ -0,0 +1,44 @@
+---
+slug: browser-based-auth-aws-user
+title: "Browser-Based Authentication for AWS IAM Users"
+authors: [atmos]
+tags: [feature]
+---
+
+Atmos now supports browser-based OAuth2 authentication as an automatic fallback for `aws/user` identities. When no static credentials or keychain entries are available, Atmos opens your browser for interactive sign-in using the same AWS console flow you already know.
+
+<!--truncate-->
+
+## What Changed
+
+The `aws/user` identity type gains a new third-tier authentication fallback. When YAML credentials and keychain credentials are both unavailable, Atmos automatically initiates an OAuth2 PKCE flow via the AWS signin service. This provides the same convenient web-based authentication that SSO users already enjoy, without requiring static access keys.
+
+The flow supports both interactive terminals (browser opens automatically with a spinner) and non-interactive environments (displays a URL for manual authentication).
+
+## How It Works
+
+No configuration is required. Browser authentication is enabled by default for all `aws/user` identities. When triggered, Atmos:
+
+1. Starts a local callback server on an ephemeral port
+2. Opens your browser to the AWS signin authorization endpoint
+3. Exchanges the authorization code for temporary credentials using PKCE
+4. Caches a refresh token for 12-hour session reuse
+
+Subsequent authentications within the 12-hour window reuse the cached refresh token, avoiding repeated browser prompts. Credentials refresh automatically every 15 minutes.
+
+```yaml
+# No changes needed - browser auth is enabled by default
+identities:
+  my-user:
+    kind: aws/user
+    # credentials:
+    #   webflow_enabled: false  # Set to false to disable browser auth
+```
+
+## Why This Matters
+
+Many teams are moving away from static IAM access keys for security reasons. Browser-based authentication eliminates the need to generate, store, and rotate long-lived credentials. Users authenticate with their existing AWS console credentials, and Atmos handles the rest.
+
+## Get Involved
+
+Have feedback on the browser authentication flow? Open an issue on [GitHub](https://github.com/cloudposse/atmos).