fix(auth): reload SQLite credentials before token refresh #17

Closed
bhaskoro-muthohar wants to merge 2 commits into jwadow:main from bhaskoro-muthohar:fix/reload-sqlite-credentials-on-refresh

@bhaskoro-muthohar
Contributor

Problem

When using AWS SSO OIDC with kiro-cli, the gateway caches credentials at startup. If the user re-logs in via kiro-cli (e.g., after SSO token expiration), the new refresh_token is written to SQLite but the gateway keeps using the stale cached token, causing authentication failures.

This requires manually restarting the gateway after every kiro-cli re-login, which is inconvenient.

Solution

Re-read credentials from SQLite before attempting a token refresh in _refresh_token_aws_sso_oidc(). This ensures the gateway picks up fresh tokens after kiro-cli re-login without requiring a restart.

Changes

  • Added 3 lines to _refresh_token_aws_sso_oidc() to reload credentials from SQLite before refresh

Testing

  • All 59 existing auth manager tests pass
  • Manually verified SQLite reading works correctly

@cla-bot

cla-bot bot commented Jan 7, 2026

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: PTN 677.
This is most likely caused by a git client misconfiguration; please make sure to:

  1. check if your git client is configured with an email to sign commits: git config --list | grep email
  2. If not, set it up using git config --global user.email [email protected]
  3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

@bhaskoro-muthohar bhaskoro-muthohar force-pushed the fix/reload-sqlite-credentials-on-refresh branch from 66881c7 to dbef53f Compare January 7, 2026 08:43
@cla-bot

cla-bot bot commented Jan 7, 2026

Thanks for the PR! 🎉

Before merge, we need a one-time CLA confirmation.
It confirms that you have the right to contribute this code and allow the project to use it.

Full CLA text:
https://github.com/jwadow/kiro-openai-gateway/blob/main/CLA.md

Please reply with:

I have read the CLA and I accept its terms

When using AWS SSO OIDC with kiro-cli, the gateway caches credentials
at startup. If the user re-logs in via kiro-cli, the new refresh_token
is written to SQLite but the gateway keeps using the stale cached token,
causing auth failures.

This fix re-reads credentials from SQLite before attempting a token
refresh, ensuring the gateway picks up fresh tokens after kiro-cli
re-login without requiring a gateway restart.
@bhaskoro-muthohar bhaskoro-muthohar force-pushed the fix/reload-sqlite-credentials-on-refresh branch from dbef53f to 345a585 Compare January 7, 2026 08:44

@bhaskoro-muthohar
Contributor Author

I have read the CLA and I accept its terms

The AWS SSO OIDC /token endpoint expects JSON body with camelCase keys,
not form-urlencoded with snake_case. This was causing 400 invalid_request
errors when the gateway tried to refresh tokens.

Changes:
- Use JSON body instead of form-urlencoded
- Use camelCase keys (grantType, clientId, clientSecret, refreshToken)
- Update tests to match new format
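
The two changes this pull request describes (re-reading SQLite before a refresh, and sending the /token request as JSON with camelCase keys), sketched as an added example that is not the project's code. The table layout, key name, stored field names and the AuthManager class are assumptions, and all token values are constructed.

```python
import json
import sqlite3

# Assumed layout: the page does not show kiro-cli's real SQLite schema or key names.
SCHEMA = "CREATE TABLE auth_kv (key TEXT PRIMARY KEY, value TEXT NOT NULL)"
TOKEN_KEY = "sso_oidc_token"

def write_login(db, refresh_token):
    """Stand-in for kiro-cli storing a fresh login (all values constructed)."""
    blob = json.dumps({"refresh_token": refresh_token,
                       "client_id": "cid-constructed", "client_secret": "cs-constructed"})
    db.execute("INSERT OR REPLACE INTO auth_kv VALUES (?, ?)", (TOKEN_KEY, blob))
    db.commit()

class AuthManager:
    def __init__(self, db, reload_before_refresh=True):
        self.db, self.reload_before_refresh, self.creds = db, reload_before_refresh, {}
        self.load_from_sqlite()  # startup cache, as the PR describes

    def load_from_sqlite(self):
        row = self.db.execute("SELECT value FROM auth_kv WHERE key = ?", (TOKEN_KEY,)).fetchone()
        try:
            fresh = json.loads(row[0]) if row else None
        except json.JSONDecodeError:
            fresh = None
        if isinstance(fresh, dict):  # missing or corrupt row: keep the cached copy
            self.creds = fresh
            return True
        return False

    def build_refresh_request(self):
        """Return (headers, JSON body string) for the /token call; no network I/O."""
        if self.reload_before_refresh:
            self.load_from_sqlite()
        body = {"grantType": "refresh_token",
                "clientId": self.creds["client_id"],
                "clientSecret": self.creds["client_secret"],
                "refreshToken": self.creds["refresh_token"]}
        return {"Content-Type": "application/json"}, json.dumps(body)

def demo(reload_before_refresh):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    write_login(db, "rt-old-constructed")
    mgr = AuthManager(db, reload_before_refresh)
    write_login(db, "rt-new-constructed")  # user re-logs in after gateway startup
    headers, body = mgr.build_refresh_request()
    return headers, json.loads(body)
```

With `reload_before_refresh=False` the request carries the token cached at startup, which is the stale-token behaviour the pull request describes.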

@jwadow
Owner

jwadow commented Jan 7, 2026

@cla-bot check

@cla-bot cla-bot bot added the cla-signed Contributor License Agreement has been signed label Jan 7, 2026
@cla-bot

cla-bot bot commented Jan 7, 2026

The cla-bot has been summoned, and re-checked this pull request!
