[PR #22] [MERGED] fix(auth): reload SQLite credentials before AWS SSO OIDC token refresh #57

Closed
opened 2026-02-27 07:17:45 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/jwadow/kiro-gateway/pull/22
Author: @kilhyeonjun
Created: 1/8/2026
Status: Merged
Merged: 1/8/2026
Merged by: @jwadow

Base: main ← Head: fix/reload-sqlite-before-refresh


📝 Commits (1)

  • d1d89ee fix(auth): reload SQLite credentials before AWS SSO OIDC token refresh

📊 Changes

2 files changed (+107 additions, -1 deletions)

View changed files

📝 kiro_gateway/auth.py (+5 -0)
📝 tests/unit/test_auth_manager.py (+102 -1)

📄 Description

Problem

When kiro-cli refreshes tokens and updates the SQLite database, kiro-gateway continues using stale credentials from memory, causing 400 errors from the AWS SSO OIDC endpoint.

Users had to manually restart the container after every kiro login.

Error Pattern

AWS SSO OIDC refresh failed: status=400
body={"error":"invalid_request","error_description":"Invalid request","reason":null}

Solution

Reload credentials from SQLite at the beginning of _refresh_token_aws_sso_oidc() to pick up fresh tokens after kiro-cli re-login.

Changes

  • kiro_gateway/auth.py: Add SQLite reload before token refresh (4 lines)
  • tests/unit/test_auth_manager.py: Add test for reload behavior

Related

  • Addresses #14
  • Improvement on closed #17 (keeps correct form-urlencoded format)

Testing

  • New test added and passes
  • All existing tests pass (60 passed)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
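
The stale-credential failure and the reload-before-refresh fix described in this PR, as an added example that is not code from kiro-gateway or kiro-cli. The `creds` table, `AuthManager`, `FakeOidc` and `cli_login` are hypothetical stand-ins, and the fake endpoint accepting only the most recently issued refresh token is an assumption made for the demonstration.

```python
import os, sqlite3, tempfile
from contextlib import closing

class StaleRefreshToken(Exception): pass  # stand-in for HTTP 400 invalid_request

class FakeOidc:
    """Constructed token endpoint: accepts only the current refresh token."""
    valid = None
    def refresh(self, refresh_token):
        if refresh_token != self.valid:
            raise StaleRefreshToken("status=400 invalid_request")
        return {"access_token": "at-for-" + refresh_token}

def cli_login(path, idp, refresh_token):
    """Models a CLI login: a new refresh token at the IdP and in SQLite."""
    idp.valid = refresh_token
    with closing(sqlite3.connect(path)) as db:
        db.execute("CREATE TABLE IF NOT EXISTS creds (key TEXT PRIMARY KEY, value TEXT)")
        db.execute("INSERT OR REPLACE INTO creds VALUES ('refresh_token', ?)", (refresh_token,))
        db.commit()

class AuthManager:
    def __init__(self, path, idp, reload_before_refresh):
        self.path, self.idp, self.creds = path, idp, {}
        self.reload_before_refresh = reload_before_refresh
        self.load()
    def load(self):
        try:  # on an unreadable or empty store, keep the cached copy
            with closing(sqlite3.connect(self.path)) as db:
                row = db.execute("SELECT value FROM creds WHERE key = 'refresh_token'").fetchone()
            self.creds = {"refresh_token": row[0]} if row else self.creds
        except sqlite3.Error:
            pass
    def refresh(self):
        if self.reload_before_refresh:
            self.load()  # pick up a token the CLI wrote after startup
        return self.idp.refresh(self.creds["refresh_token"])["access_token"]

def demo(reload_before_refresh):
    path = os.path.join(tempfile.mkdtemp(), "cli.sqlite3")
    idp = FakeOidc()
    cli_login(path, idp, "rt-old")
    mgr = AuthManager(path, idp, reload_before_refresh)
    cli_login(path, idp, "rt-new")  # re-login while the gateway keeps running
    try:
        return mgr.refresh()
    except StaleRefreshToken as exc:
        return "failed: " + str(exc)
```

`demo(False)` reproduces the 400 from the cached token; `demo(True)` reloads from SQLite first and succeeds.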
