Skip to content

fix(auth): retry on 401 invalid_client by reloading device registration from SQLite#116

Open
KenEzekiel wants to merge 1 commit intojwadow:mainfrom
KenEzekiel:fix/retry-401-invalid-client-on-sqlite-reload
Open

fix(auth): retry on 401 invalid_client by reloading device registration from SQLite#116
KenEzekiel wants to merge 1 commit intojwadow:mainfrom
KenEzekiel:fix/retry-401-invalid-client-on-sqlite-reload

Conversation

@KenEzekiel
Copy link
Copy Markdown

@KenEzekiel KenEzekiel commented Mar 29, 2026

Problem

When kiro-cli login is run while the gateway container is already running, the device registration (client_id/client_secret) in SQLite gets rotated. The gateway's in-memory credentials become stale.

Previously, only HTTP 400 (invalid_grant — stale refresh_token) triggered a SQLite reload and retry. But a rotated device registration returns HTTP 401 (invalid_client — stale client_secret), which was not caught — causing permanent auth failure until the container was restarted.

Error sequence observed:

  1. First refresh attempt → 401 invalid_client (stale client_secret in memory)
  2. Gateway does not retry → raises ValueError → returns HTTP 500 to clients
  3. All subsequent requests also fail with 500

Fix

  • _refresh_token_aws_sso_oidc(): now retries on both 400 and 401 by reloading all credentials (token + device registration) from SQLite
  • get_access_token() graceful degradation: also handles 401 in the fallback path
  • Added test for the 401 retry scenario
  • Updated docstrings and existing test descriptions

Testing

  • Added test_refresh_token_aws_sso_oidc_retries_on_401_invalid_client — verifies 401 triggers SQLite reload and successful retry
  • Existing 500 non-retry test still passes (only 400/401 are retried)

@KenEzekiel
fix(auth): retry on 401 invalid_client by reloading device registrati…
3b38169 
…on from SQLite

When kiro-cli re-login rotates device registration (client_id/client_secret),
the gateway's in-memory credentials become stale. Previously only 400
(invalid_grant) triggered a SQLite reload and retry. Now 401 (invalid_client)
also triggers the same recovery path, reloading both token and device
registration from SQLite before retrying.

This prevents permanent auth failure requiring a container restart after
kiro-cli re-login.
@cla-bot
Copy link
Copy Markdown

cla-bot bot commented Mar 29, 2026

Thanks for the PR! 🎉

Before merge, we need a one-time CLA confirmation.
It confirms that you have the right to contribute this code and allow the project to use it.

Full CLA text:
https://github.com/jwadow/kiro-gateway/blob/main/CLA.md

Please reply once with:

I have read the CLA and I accept its terms

You need to write once, all further messages from me can be ignored.

@KenEzekiel
Copy link
Copy Markdown
Author

KenEzekiel commented Mar 29, 2026

I have read the CLA and I accept its terms

@KenEzekiel
Copy link
Copy Markdown
Author

KenEzekiel commented Mar 31, 2026

Thanks for the PR! 🎉

Before merge, we need a one-time CLA confirmation. It confirms that you have the right to contribute this code and allow the project to use it.

Full CLA text: https://github.com/jwadow/kiro-gateway/blob/main/CLA.md

Please reply once with:

I have read the CLA and I accept its terms

You need to write once, all further messages from me can be ignored.

I have read the CLA and I accept its terms

@KenEzekiel
Copy link
Copy Markdown
Author

KenEzekiel commented Apr 1, 2026

I have read the CLA and I accept its terms

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@KenEzekiel