Re-resolve SSO access token on each credential refresh instead of caching it at construction time #7097

Open
alextwoods wants to merge 3 commits into master from alexwoo/fix_sso_token_refresh

@alextwoods alextwoods commented Jul 2, 2026

Re-resolve SSO access token on each credential refresh in the SSOCredentialsProvider instead of caching it at construction time, ensuring that refreshed tokens (for example, from running aws sso login) are always used.

Motivation and Context

Fixes #3777

Currently we are incorrectly caching the token at construction time instead of refreshing it each time we perform a credentials refresh.

Modifications

  • Move token resolution into the supplier.
  • Unify invalid token exception handling.

Testing

New and existing tests

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license
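
The caching bug described above, reduced to a stand-alone sketch. This is an added example, not code from the pull request or the AWS SDK; every class, method and token value in it is hypothetical, and an in-memory reference stands in for the token cache that `aws sso login` rewrites.

```java
import java.time.Instant;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

// Added illustration; all names here are hypothetical, not AWS SDK classes.
public class TokenRefreshDemo {
    record Token(String value, Instant expiresAt) {}

    // Stand-in for the token cache that a new login rewrites (constructed data).
    static final AtomicReference<Token> TOKEN_CACHE = new AtomicReference<>();

    // Load and validate the current token; a missing expiry is reported
    // separately from an expired token.
    static Token loadToken() {
        Token t = TOKEN_CACHE.get();
        if (t == null || t.expiresAt() == null) {
            throw new IllegalStateException("token missing or expiration could not be determined");
        }
        if (!t.expiresAt().isAfter(Instant.now())) {
            throw new IllegalStateException("token expired");
        }
        return t;
    }

    // Before: the token is resolved once, when the provider is built. Every
    // later refresh reuses it and never re-checks its expiry.
    static Supplier<String> cachedAtConstruction() {
        Token token = loadToken();
        return () -> "creds-from:" + token.value();
    }

    // After: the token is resolved inside the supplier, so each credential
    // refresh re-reads the cache and re-validates the expiry.
    static Supplier<String> resolvedPerRefresh() {
        return () -> "creds-from:" + loadToken().value();
    }

    public static void main(String[] args) {
        TOKEN_CACHE.set(new Token("token-A", Instant.now().plusSeconds(60)));
        Supplier<String> before = cachedAtConstruction();
        Supplier<String> after = resolvedPerRefresh();

        // Simulate a new login writing a fresh token to the cache.
        TOKEN_CACHE.set(new Token("token-B", Instant.now().plusSeconds(3600)));

        // The first supplier keeps the token it captured at construction;
        // the second re-reads the cache on this call.
        System.out.println(before.get());
        System.out.println(after.get());
    }
}
```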

@alextwoods alextwoods requested a review from a team as a code owner July 2, 2026 19:32
@alextwoods alextwoods force-pushed the alexwoo/fix_sso_token_refresh branch from 810c829 to e35f5fa Compare July 2, 2026 19:38
@alextwoods alextwoods force-pushed the alexwoo/fix_sso_token_refresh branch from df6dd8c to 5f9d648 Compare July 2, 2026 20:38
@alextwoods alextwoods force-pushed the alexwoo/fix_sso_token_refresh branch from 5f9d648 to a49acc3 Compare July 2, 2026 20:48
@alextwoods alextwoods added the no-api-surface-area-change Indicate there is no API surface area change and thus API surface area review is not required label Jul 2, 2026
@alextwoods alextwoods requested a review from joviegas July 2, 2026 21:32
} catch (ExpiredTokenException e) {
throw e;
} catch (Exception e) {
throw ExpiredTokenException.builder()
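
Review bot: The `catch (Exception e)` branch reports every failure as an `ExpiredTokenException`, so a token that could not be read or parsed is indistinguishable from one that has actually expired. If the builder call that follows does not already pass `e` as the cause, add it, and consider a message that says the token could not be loaded so the underlying failure stays visible in logs.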

Can we add a Javadoc explaining why any Exception is treated as ExpiredTokenException?

@@ -31,6 +31,10 @@
@SdkPublicApi
public final class ExpiredTokenException extends SdkClientException {

public static final String DEFAULT_MESSAGE =
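
Review bot: `DEFAULT_MESSAGE` is declared `public static final` on a class annotated `@SdkPublicApi`, which makes the constant part of the public API even though this pull request carries the no-api-surface-area-change label. Reduce its visibility unless callers are meant to depend on the string, or drop the label and have the API change reviewed.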

Can we make it private or package-private?


Validate.notNull(expiration,

suggestion (non-blocking): When expiresAt is missing, this throws the same generic DEFAULT_MESSAGE as an expired token. The old code gave a specific message here: "The SSO session's expiration time could not be determined." Can we keep a distinct message for the expiresAt == null case so a malformed token file is easy to tell apart from an expired one?

Successfully merging this pull request may close these issues.

SSO OIDC access token may expire while application is running

2 participants