
fix(auth): reload SQLite credentials before token refresh #17

Closed
bhaskoro-muthohar wants to merge 2 commits into jwadow:main from bhaskoro-muthohar:fix/reload-sqlite-credentials-on-refresh


@bhaskoro-muthohar

Contributor

Problem

When using AWS SSO OIDC with kiro-cli, the gateway caches credentials at startup. If the user re-logs in via kiro-cli (e.g., after SSO token expiration), the new refresh_token is written to SQLite but the gateway keeps using the stale cached token, causing authentication failures.

This requires manually restarting the gateway after every kiro-cli re-login, which is inconvenient.

Solution

Re-read credentials from SQLite before attempting a token refresh in _refresh_token_aws_sso_oidc(). This ensures the gateway picks up fresh tokens after kiro-cli re-login without requiring a restart.

Changes

  • Added 3 lines to _refresh_token_aws_sso_oidc() to reload credentials from SQLite before refresh

Testing

  • All 59 existing auth manager tests pass
  • Manually verified SQLite reading works correctly

@cla-bot

cla-bot Bot commented Jan 7, 2026


Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: PTN 677.
This is most likely caused by a git client misconfiguration; please make sure to:

  1. check if your git client is configured with an email to sign commits: git config --list | grep email
  2. If not, set it up using: git config --global user.email email@example.com
  3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

@bhaskoro-muthohar bhaskoro-muthohar force-pushed the fix/reload-sqlite-credentials-on-refresh branch from 66881c7 to dbef53f Compare January 7, 2026 08:43
@cla-bot

cla-bot Bot commented Jan 7, 2026


Thanks for the PR! 🎉

Before merge, we need a one-time CLA confirmation.
It confirms that you have the right to contribute this code and allow the project to use it.

Full CLA text:
https://github.com/jwadow/kiro-openai-gateway/blob/main/CLA.md

Please reply with:

I have read the CLA and I accept its terms

When using AWS SSO OIDC with kiro-cli, the gateway caches credentials
at startup. If the user re-logs in via kiro-cli, the new refresh_token
is written to SQLite but the gateway keeps using the stale cached token,
causing auth failures.

This fix re-reads credentials from SQLite before attempting a token
refresh, ensuring the gateway picks up fresh tokens after kiro-cli
re-login without requiring a gateway restart.
@bhaskoro-muthohar bhaskoro-muthohar force-pushed the fix/reload-sqlite-credentials-on-refresh branch from dbef53f to 345a585 Compare January 7, 2026 08:44
@bhaskoro-muthohar

Contributor Author

I have read the CLA and I accept its terms

The AWS SSO OIDC /token endpoint expects JSON body with camelCase keys,
not form-urlencoded with snake_case. This was causing 400 invalid_request
errors when the gateway tried to refresh tokens.

Changes:
- Use JSON body instead of form-urlencoded
- Use camelCase keys (grantType, clientId, clientSecret, refreshToken)
- Update tests to match new format
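
The two commit messages above describe a stale cached refresh_token and a wrongly encoded /token request. The following is an added example, not code from this pull request or from the gateway, that shows both points together. The SQLite table `auth_kv`, the key `sso:token`, and the names `AuthManager` and `load_credentials` are assumptions made for illustration.

```python
import json
import sqlite3

# Hypothetical schema for this example: auth_kv(key TEXT PRIMARY KEY, value TEXT),
# where value is a JSON document. The real kiro-cli layout may differ.
TOKEN_KEY = "sso:token"  # constructed key name


def load_credentials(db_path):
    """Read the current credential record from SQLite (opened read-only)."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        row = conn.execute(
            "SELECT value FROM auth_kv WHERE key = ?", (TOKEN_KEY,)
        ).fetchone()
    finally:
        conn.close()
    if row is None:
        raise LookupError("no credential record in SQLite")
    creds = json.loads(row[0])
    missing = {"client_id", "client_secret", "refresh_token"} - creds.keys()
    if missing:
        raise ValueError(f"credential record lacks {sorted(missing)}")
    return creds


class AuthManager:
    def __init__(self, db_path):
        self.db_path = db_path
        self.creds = load_credentials(db_path)  # cached once at startup

    def build_refresh_request(self, reload=True):
        """Return (headers, body) for the OIDC /token refresh call."""
        if reload:
            try:
                # Pick up a refresh_token written by a later re-login.
                self.creds = load_credentials(self.db_path)
            except (sqlite3.Error, LookupError, ValueError):
                pass  # store unreadable: fall back to the cached copy
        # JSON body with camelCase keys, as the second commit describes.
        body = json.dumps({
            "grantType": "refresh_token",
            "clientId": self.creds["client_id"],
            "clientSecret": self.creds["client_secret"],
            "refreshToken": self.creds["refresh_token"],
        })
        return {"Content-Type": "application/json"}, body
```

Calling `build_refresh_request(reload=False)` reproduces the pre-fix behaviour, where the token cached at startup is sent even after the store has been updated.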
@jwadow

jwadow commented Jan 7, 2026

Owner

@cla-bot check

@cla-bot cla-bot Bot added the cla-signed Contributor License Agreement has been signed label Jan 7, 2026
@cla-bot

cla-bot Bot commented Jan 7, 2026


The cla-bot has been summoned, and re-checked this pull request!
