Re-resolve SSO access token on each credential refresh instead of caching it at construction time#7097
Open
alextwoods wants to merge 3 commits into
joviegas
approved these changes
Jul 2, 2026
| } catch (ExpiredTokenException e) { | ||
| throw e; | ||
| } catch (Exception e) { | ||
| throw ExpiredTokenException.builder() |
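Review bot: The catch (Exception e) branch rethrows every failure as ExpiredTokenException, so a failure that has nothing to do with expiry is reported to the caller as an expired session. Consider catching only the exception types that really mean the token is unusable, and make sure the builder call that follows passes e as the cause so the original error stays visible in the stack trace.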
Contributor
Can we add a Javadoc explaining why any Exception is treated as ExpiredTokenException?
| @@ -31,6 +31,10 @@ | |||
| @SdkPublicApi | |||
| public final class ExpiredTokenException extends SdkClientException { | |||
|
|
|||
| public static final String DEFAULT_MESSAGE = | |||
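Review bot: DEFAULT_MESSAGE is declared public static final on a class annotated @SdkPublicApi, which makes the message text part of the API surface that callers can reference. If it is only needed by code inside the SDK, reduce its visibility or keep the string next to the code that throws it.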
Contributor
Can we make it private or package-private?
|
|
||
| Validate.notNull(expiration, |
Contributor
suggestion (non-blocking): When expiresAt is missing, this throws the same generic DEFAULT_MESSAGE as an expired token. The old code gave a specific message here: "The SSO session's expiration time could not be determined." Can we keep a distinct message for the expiresAt == null case so a malformed token file is easy to tell apart from an expired one?
Re-resolve SSO access token on each credential refresh in the SSOCredentialsProvider instead of caching it at construction time, ensuring that refreshed tokens (for example from running aws sso login) are always used.
Motivation and Context
Fixes #3777
Currently we are incorrectly caching the token at construction time instead of refreshing it each time we perform a credentials refresh.
Modifications
Testing
New and existing tests
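The behaviour change this pull request describes, as an added Java sketch that is not code from the PR or from the AWS SDK. Every class name, the Supplier-based token source and the timestamps are assumptions made for illustration; the null-expiry message is the one quoted in the review thread.

```java
import java.time.Instant;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

// Added illustration: every type here is hypothetical, none is an AWS SDK class.
public class SsoTokenRefreshDemo {
    static final class Token {                       // stand-in for one cached SSO token file
        final String value; final Instant expiresAt; // expiresAt is null when the file is malformed
        Token(String value, Instant expiresAt) { this.value = value; this.expiresAt = expiresAt; }
    }

    // Reads the token from its source and validates it at call time.
    static String resolve(Supplier<Token> source, Instant now) {
        Token t = source.get();
        if (t.expiresAt == null) {  // malformed entry gets its own message, as the review asks
            throw new IllegalStateException("The SSO session's expiration time could not be determined.");
        }
        if (!t.expiresAt.isAfter(now)) {
            throw new IllegalStateException("SSO token expired (constructed message)");
        }
        return t.value;
    }

    static final class CachingProvider {              // before: token fixed at construction
        private final String token;
        CachingProvider(Supplier<Token> source, Instant now) { this.token = resolve(source, now); }
        String refresh(Instant now) { return "creds:" + token; } // never looks at the source again
    }

    static final class ReResolvingProvider {          // after: token looked up on every refresh
        private final Supplier<Token> source;
        ReResolvingProvider(Supplier<Token> source) { this.source = source; }
        String refresh(Instant now) { return "creds:" + resolve(source, now); }
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2026-01-01T00:00:00Z");     // constructed timestamps
        AtomicReference<Token> cache = new AtomicReference<>(new Token("token-A", t0.plusSeconds(3600)));
        CachingProvider before = new CachingProvider(cache::get, t0);
        ReResolvingProvider after = new ReResolvingProvider(cache::get);

        Instant t1 = t0.plusSeconds(7200);                      // token-A's expiry has passed
        cache.set(new Token("token-B", t1.plusSeconds(3600)));  // simulates a fresh `aws sso login`
        // The caching provider keeps presenting the token it read in its constructor,
        // while the re-resolving provider reads the cache again and sees the new login.
        System.out.println(before.refresh(t1));
        System.out.println(after.refresh(t1));
    }
}
```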