
fix(auth): reload SQLite credentials before AWS SSO OIDC token refresh #22

Merged
jwadow merged 1 commit into jwadow:main from kilhyeonjun:fix/reload-sqlite-before-refresh
Jan 8, 2026

@kilhyeonjun
Contributor

Problem

When kiro-cli refreshes tokens and updates the SQLite database, kiro-gateway continues using stale credentials from memory, causing 400 errors from AWS SSO OIDC endpoint.

Users had to manually restart the container after every kiro login.

Error Pattern

AWS SSO OIDC refresh failed: status=400
body={"error":"invalid_request","error_description":"Invalid request","reason":null}

Solution

Reload credentials from SQLite at the beginning of _refresh_token_aws_sso_oidc() to pick up fresh tokens after kiro-cli re-login.

Changes

  • kiro_gateway/auth.py: Add SQLite reload before token refresh (4 lines)
  • tests/unit/test_auth_manager.py: Add test for reload behavior

Related

Testing

  • New test added and passes
  • All existing tests pass (60 passed)

When kiro-cli refreshes tokens and updates the SQLite database, kiro-gateway
was continuing to use stale credentials from memory, causing 400 errors from
AWS SSO OIDC endpoint.

This change reloads credentials from SQLite at the beginning of
_refresh_token_aws_sso_oidc() to pick up fresh tokens after kiro-cli re-login.

Related: jwadow#14
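
An added illustration of the fix described above, not code from kiro-gateway: the class, table and key names are hypothetical, and the OIDC endpoint is a constructed in-process stand-in that returns the 400 `invalid_request` response from the error pattern. It shows a manager with a cached refresh token failing after another process rotates the token in SQLite, while a manager that reloads first succeeds.

```python
import json, os, sqlite3, tempfile

KEY = "oidc:token"  # hypothetical key name, not kiro-cli's real schema

def write_token(db_path, refresh_token):
    """Constructed stand-in for the CLI storing a (rotated) refresh token."""
    con = sqlite3.connect(db_path)
    with con:  # commits on success
        con.execute("CREATE TABLE IF NOT EXISTS auth_kv (key TEXT PRIMARY KEY, value TEXT)")
        con.execute("INSERT OR REPLACE INTO auth_kv VALUES (?, ?)",
                    (KEY, json.dumps({"refresh_token": refresh_token})))
    con.close()

class FakeOidc:
    """Stand-in token endpoint: only the most recently issued token is accepted."""
    def __init__(self, valid):
        self.valid = valid
    def refresh(self, refresh_token):
        if refresh_token != self.valid:
            return 400, {"error": "invalid_request"}
        return 200, {"accessToken": "constructed-access-token"}

class AuthManager:
    def __init__(self, db_path, oidc, reload_before_refresh):
        self.db_path, self.oidc = db_path, oidc
        self.reload_before_refresh = reload_before_refresh
        self.refresh_token = None
        self.load_from_sqlite()

    def load_from_sqlite(self):
        con = sqlite3.connect(self.db_path)
        try:
            row = con.execute("SELECT value FROM auth_kv WHERE key = ?", (KEY,)).fetchone()
        finally:
            con.close()
        if row:  # keep the in-memory copy when the store has no row
            self.refresh_token = json.loads(row[0])["refresh_token"]

    def refresh(self):
        if self.reload_before_refresh:
            self.load_from_sqlite()  # pick up a token rotated by another process
        return self.oidc.refresh(self.refresh_token)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "store.sqlite3")
    write_token(path, "rt-old")
    oidc = FakeOidc("rt-old")
    stale = AuthManager(path, oidc, reload_before_refresh=False)
    fixed = AuthManager(path, oidc, reload_before_refresh=True)
    write_token(path, "rt-new")  # simulated re-login rotates the token
    oidc.valid = "rt-new"
    return stale.refresh(), fixed.refresh()
```
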
@cla-bot

cla-bot bot commented Jan 8, 2026

Thanks for the PR! 🎉

Before merge, we need a one-time CLA confirmation.
It confirms that you have the right to contribute this code and allow the project to use it.

Full CLA text:
https://github.com/jwadow/kiro-gateway/blob/main/CLA.md

Please reply once with:

I have read the CLA and I accept its terms

@kilhyeonjun
Contributor Author

I have read the CLA and I accept its terms

@kil-penguin

@cla-bot check

@cla-bot

cla-bot bot commented Jan 8, 2026

Thanks for the PR! 🎉

Before merge, we need a one-time CLA confirmation.
It confirms that you have the right to contribute this code and allow the project to use it.

Full CLA text:
https://github.com/jwadow/kiro-gateway/blob/main/CLA.md

Please reply once with:

I have read the CLA and I accept its terms

@cla-bot

cla-bot bot commented Jan 8, 2026

The cla-bot has been summoned, and re-checked this pull request!

@kil-penguin

I have read the CLA and I accept its terms

Owner

@jwadow jwadow left a comment

Thanks, good fix. The approach of reloading SQLite credentials before token refresh correctly handles the case where kiro-cli updates tokens while the gateway is running in a container.

Code is clean - reuses existing method, minimal changes, appropriate log level. Test covers the main scenario well.

One minor note: sqlite3 and json imports are inside the test function rather than at the top of the file, which differs from the rest of the project. Not a blocker, just noting for consistency.

@jwadow
Owner

jwadow commented Jan 8, 2026

@cla-bot check

@cla-bot cla-bot bot added the cla-signed Contributor License Agreement has been signed label Jan 8, 2026
@cla-bot

cla-bot bot commented Jan 8, 2026

The cla-bot has been summoned, and re-checked this pull request!

@jwadow jwadow merged commit a15cb82 into jwadow:main Jan 8, 2026
1 check passed