fixes a token refresh issue due to the SSO region not being set

common-fate · Mar 4, 2024 · 5affe20 · 5affe20
1 parent e0b9ef5
commit 5affe20
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/pkg/cfaws/assumer_aws_sso.go b/pkg/cfaws/assumer_aws_sso.go
@@ -194,6 +194,9 @@ func (c *Profile) SSOLogin(ctx context.Context, configOpts ConfigOpts) (aws.Cred
 			cmd += " --sso-region " + region
 		}
 
+		// if the token exists but is invalid, attempt to clear it so that next login works.
+		secureSSOTokenStorage.ClearSSOToken(ssoTokenKey)
+
 		return aws.Credentials{}, fmt.Errorf("error when retrieving credentials from custom process. please login using '%s'", cmd)
 	}
 

diff --git a/pkg/idclogin/run.go b/pkg/idclogin/run.go
@@ -94,6 +94,7 @@ func Login(ctx context.Context, cfg aws.Config, startUrl string, scopes []string
 		ClientSecret:          *client.ClientSecret,
 		RegistrationExpiresAt: time.Unix(client.ClientSecretExpiresAt, 0),
 		RefreshToken:          token.RefreshToken,
+		Region:                cfg.Region,
 	}
 
 	return &result, nil

diff --git a/pkg/securestorage/sso_token_storage.go b/pkg/securestorage/sso_token_storage.go
@@ -34,6 +34,7 @@ type SSOToken struct {
 	ClientID              string    `json:"clientId,omitempty"`
 	ClientSecret          string    `json:"clientSecret,omitempty"`
 	RegistrationExpiresAt time.Time `json:"registrationExpiresAt,omitempty"`
+	Region                string    `json:"region,omitempty"`
 	RefreshToken          *string   `json:"refreshToken,omitempty"`
 }
 
@@ -72,6 +73,16 @@ func (s *SSOTokensSecureStorage) GetValidSSOToken(ctx context.Context, profileKe
 		return nil
 	}
 
+	if t.Region == "" {
+		// if the region is not set, the AWS SSO OIDC client will make an invalid API call and will return an
+		// 'InvalidGrantException' error.
+		clio.Errorf("existing token had no SSO region set")
+		// token is invalid
+		return nil
+	}
+
+	cfg.Region = t.Region
+
 	client := ssooidc.NewFromConfig(cfg)
 
 	res, err := client.CreateToken(ctx, &ssooidc.CreateTokenInput{
@@ -93,6 +104,7 @@ func (s *SSOTokensSecureStorage) GetValidSSOToken(ctx context.Context, profileKe
 		ClientSecret:          t.ClientSecret,          // same as the previous token, because the same client was used to refresh
 		RegistrationExpiresAt: t.RegistrationExpiresAt, // same as the previous token, because the same client was used to refresh
 		RefreshToken:          res.RefreshToken,
+		Region:                t.Region,
 	}
 
 	// save the refreshed token to secure storage