[PR #47] [CLOSED] feat: support Enterprise Kiro IDE token refresh via AWS SSO OIDC #65

New issue

Closed

opened 2026-02-27 07:17:48 +03:00 by kerem · 0 comments

kerem commented

2026-02-27 07:17:48 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/jwadow/kiro-gateway/pull/47
Author: @somehow-paul
Created: 1/20/2026
Status: ❌ Closed

Base: main ← Head: feature/enterprise-kiro-ide-support

📝 Commits (1)

9c52803 feat: support Enterprise Kiro IDE token refresh via AWS SSO OIDC

📊 Changes

1 file changed (+66 additions, -28 deletions)

View changed files

📝 kiro/auth.py (+66 -28)

📄 Description

Summary

Add support for Enterprise Kiro IDE (IdC login) token refresh. Enterprise users authenticate via AWS IAM Identity Center, which requires a different token refresh mechanism than personal accounts.

Problem

Enterprise Kiro IDE users get 401 Bad credentials when the gateway tries to refresh tokens using the standard Kiro Desktop endpoint.

Solution

Detect enterprise credentials by checking for clientIdHash field
Load clientId and clientSecret from ~/.aws/sso/cache/{clientIdHash}.json
Use AWS SSO OIDC endpoint with JSON format for enterprise token refresh

Changes

Add _client_id_hash field to store enterprise client identifier
Add _load_enterprise_device_registration() method
Modify _do_aws_sso_oidc_refresh() to use JSON format for enterprise vs form-urlencoded for kiro-cli

Compatibility

Scenario	Impact
Personal Kiro IDE (Google/social login)	✅ No impact
Enterprise Kiro IDE (IdC login)	✅ Now supported
kiro-cli (SQLite)	✅ No impact

Testing

All 76 existing unit tests passed
Manually tested with Enterprise Kiro IDE credentials - token refresh successful

This fix was completed with the assistance of Kiro.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/jwadow/kiro-gateway/pull/47 **Author:** [@somehow-paul](https://github.com/somehow-paul) **Created:** 1/20/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `feature/enterprise-kiro-ide-support` --- ### 📝 Commits (1) - [`9c52803`](https://github.com/jwadow/kiro-gateway/commit/9c5280356d6998d28f7eff128e7c078f55fc7ad2) feat: support Enterprise Kiro IDE token refresh via AWS SSO OIDC ### 📊 Changes **1 file changed** (+66 additions, -28 deletions) <details> <summary>View changed files</summary> 📝 `kiro/auth.py` (+66 -28) </details> ### 📄 Description ## Summary Add support for Enterprise Kiro IDE (IdC login) token refresh. Enterprise users authenticate via AWS IAM Identity Center, which requires a different token refresh mechanism than personal accounts. ## Problem Enterprise Kiro IDE users get `401 Bad credentials` when the gateway tries to refresh tokens using the standard Kiro Desktop endpoint. ## Solution 1. Detect enterprise credentials by checking for `clientIdHash` field 2. Load `clientId` and `clientSecret` from `~/.aws/sso/cache/{clientIdHash}.json` 3. Use AWS SSO OIDC endpoint with JSON format for enterprise token refresh ## Changes - Add `_client_id_hash` field to store enterprise client identifier - Add `_load_enterprise_device_registration()` method - Modify `_do_aws_sso_oidc_refresh()` to use JSON format for enterprise vs form-urlencoded for kiro-cli ## Compatibility | Scenario | Impact | |----------|--------| | Personal Kiro IDE (Google/social login) | ✅ No impact | | Enterprise Kiro IDE (IdC login) | ✅ Now supported | | kiro-cli (SQLite) | ✅ No impact | ## Testing - All 76 existing unit tests passed - Manually tested with Enterprise Kiro IDE credentials - token refresh successful --- This fix was completed with the assistance of Kiro. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>