feat(kiro): support native external_idp refresh token import and validation#2615
Open
apirJS wants to merge 1 commit into
Open
feat(kiro): support native external_idp refresh token import and validation#2615apirJS wants to merge 1 commit into
apirJS wants to merge 1 commit into
Conversation
d08ab38 to
18511e4
Compare
…dation Previously, Microsoft Entra ID (external_idp) users lacked a seamless authentication path in Kiro: - The standard "Import Token" route (POST /api/oauth/kiro/import) strictly validated against AWS OIDC endpoints, rejecting external_idp refresh tokens due to missing enterprise metadata (profile_arn, token_endpoint). - The fallback import-cli-proxy route bypassed token validation entirely, relying on the user to manually construct a complex JSON payload combining SSO cache data and local IDE state. This commit resolves these limitations by introducing native backend support for external_idp refresh tokens, fully respecting existing controller patterns: 1. Unified SSO Cache Resolution: Extracted AWS SSO cache discovery logic into a shared utility (kiroSsoCache.js), allowing targeted refresh token lookups. 2. Native Token Validation: Upgraded KiroService.refreshToken to support native external_idp validation by pinging the Microsoft token endpoint directly, matching the architecture of the background refresh worker. 3. Controller Interception: The "Import Token" route now dynamically intercepts external_idp refresh tokens, extracts the hidden enterprise metadata from the local filesystem, and passes it into KiroService.refreshToken for standard validation. Enterprise users can now submit a refresh token via the Import Token UI. The backend resolves the required metadata, validates the token against the Microsoft endpoint, and establishes the connection without requiring UI redirects or manual JSON construction.
18511e4 to
da0b468
Compare
7 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Previously, Microsoft Entra ID (external_idp) users lacked a seamless authentication path in Kiro:
This commit resolves these limitations by introducing native backend support for external_idp refresh tokens, fully respecting existing controller patterns:
Enterprise users can now submit a refresh token via the Import Token UI. The backend resolves the required metadata, validates the token against the Microsoft endpoint, and establishes the connection without requiring UI redirects or manual JSON construction.