Skip to content

feat(kiro): support native external_idp refresh token import and validation#2615

Open
apirJS wants to merge 1 commit into
decolua:masterfrom
apirJS:fix/kiro-external-idp
Open

feat(kiro): support native external_idp refresh token import and validation#2615
apirJS wants to merge 1 commit into
decolua:masterfrom
apirJS:fix/kiro-external-idp

Conversation

@apirJS

@apirJS apirJS commented Jul 14, 2026

Copy link
Copy Markdown

Previously, Microsoft Entra ID (external_idp) users lacked a seamless authentication path in Kiro:

  • The standard "Import Token" route (POST /api/oauth/kiro/import) strictly validated against AWS OIDC endpoints, rejecting external_idp refresh tokens due to missing enterprise metadata (profile_arn, token_endpoint).
  • The fallback import-cli-proxy route bypassed token validation entirely, relying on the user to manually construct a complex JSON payload combining SSO cache data and local IDE state.

This commit resolves these limitations by introducing native backend support for external_idp refresh tokens, fully respecting existing controller patterns:

  1. Unified SSO Cache Resolution: Extracted AWS SSO cache discovery logic into a shared utility (kiroSsoCache.js), allowing targeted refresh token lookups.
  2. Native Token Validation: Upgraded KiroService.refreshToken to support native external_idp validation by pinging the Microsoft token endpoint directly, matching the architecture of the background refresh worker.
  3. Controller Interception: The "Import Token" route now dynamically intercepts external_idp refresh tokens, extracts the hidden enterprise metadata from the local filesystem, and passes it into KiroService.refreshToken for standard validation.

Enterprise users can now submit a refresh token via the Import Token UI. The backend resolves the required metadata, validates the token against the Microsoft endpoint, and establishes the connection without requiring UI redirects or manual JSON construction.

@apirJS apirJS force-pushed the fix/kiro-external-idp branch 4 times, most recently from d08ab38 to 18511e4 Compare July 14, 2026 16:31
@apirJS apirJS changed the title fix(kiro): support external_idp (Microsoft Entra) token import feat(kiro): support external_idp (Microsoft Entra) token auto-import Jul 14, 2026
…dation

Previously, Microsoft Entra ID (external_idp) users lacked a seamless authentication path in Kiro:
- The standard "Import Token" route (POST /api/oauth/kiro/import) strictly validated against AWS OIDC endpoints, rejecting external_idp refresh tokens due to missing enterprise metadata (profile_arn, token_endpoint).
- The fallback import-cli-proxy route bypassed token validation entirely, relying on the user to manually construct a complex JSON payload combining SSO cache data and local IDE state.

This commit resolves these limitations by introducing native backend support for external_idp refresh tokens, fully respecting existing controller patterns:

1. Unified SSO Cache Resolution: Extracted AWS SSO cache discovery logic into a shared utility (kiroSsoCache.js), allowing targeted refresh token lookups.
2. Native Token Validation: Upgraded KiroService.refreshToken to support native external_idp validation by pinging the Microsoft token endpoint directly, matching the architecture of the background refresh worker.
3. Controller Interception: The "Import Token" route now dynamically intercepts external_idp refresh tokens, extracts the hidden enterprise metadata from the local filesystem, and passes it into KiroService.refreshToken for standard validation.

Enterprise users can now submit a refresh token via the Import Token UI. The backend resolves the required metadata, validates the token against the Microsoft endpoint, and establishes the connection without requiring UI redirects or manual JSON construction.
@apirJS apirJS force-pushed the fix/kiro-external-idp branch from 18511e4 to da0b468 Compare July 14, 2026 16:54
@apirJS apirJS changed the title feat(kiro): support external_idp (Microsoft Entra) token auto-import feat(kiro): support native external_idp refresh token import and validation Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant