From c655efa326bfb8a66b8046f1e6fb7d0c48087866 Mon Sep 17 00:00:00 2001 
From: Sami Jaktholm Date: Thu, 23 May 2024 00:04:57 +0300 Subject: [PATCH] fix: sso credential resolution failure when sso-session access token requires a refresh (#4443) This commit fixes an issue which caused the SSO credentials provider to fail to resolve credentials if a cached access token associated with an sso-session required a refresh. Reason for the issue is that SSOTokenProvider.load() skips token refresh if another refresh had been kicked off within the last 30 seconds. In this case, SSOTokenProvider.load() was called twice when credentials were being resolved: once from SSOTokenProvider constructor (via .get()) and second time from SsoCredentials.getToken() method. If the access token on disk had expired, the first call to SSOTokenProvider.load() from SSOTokenProvider constructor kicked off a token refresh. When SsoCredentials.getToken() called SSOTokenProvider.load() again immediately, SSOTokenProvider would skip the token refresh and invoke the SsoCredentials.getToken() callback without having a valid token. Because of this, SsoCredentials did not get a valid SSO access token from SSOTokenProvider and it could not fetch AWS credential from AWS IAM Identity Center. Loading the SSO access token with SSOTokenProvider.get() instead of SSOTokenProvider.load() fixes the issue as SSOTokenProvider.get() tracks the calls to .get(), triggers the load just once and invokes all the callbacks when the new token is available. This way SsoCredentials.getToken() will receive a valid access token once the initial load kicked off by the SSOTokenProvider constructor completes and SsoCredentials can use the refreshed token to fetch AWS credentials from AWS IAM Identity Center. Fixes #4441 --- .changes/next-release/bugfix-SSO-4dba7ee8.json | 5 +++++ lib/credentials/sso_credentials.js | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 .changes/next-release/bugfix-SSO-4dba7ee8.json 
diff --git a/.changes/next-release/bugfix-SSO-4dba7ee8.json b/.changes/next-release/bugfix-SSO-4dba7ee8.json
new file mode 100644
index 0000000000..3f50124673
--- /dev/null
+++ b/.changes/next-release/bugfix-SSO-4dba7ee8.json
@@ -0,0 +1,5 @@
+{
+ "type": "bugfix",
+ "category": "SSO",
+ "description": "fix sso credential resolution failure when sso-session access token requires a refresh"
+}
\ No newline at end of file
diff --git a/lib/credentials/sso_credentials.js b/lib/credentials/sso_credentials.js
index 741bca0d4b..3b8e3aabb6 100644
--- a/lib/credentials/sso_credentials.js
+++ b/lib/credentials/sso_credentials.js
@@ -176,7 +176,7 @@ AWS.SsoCredentials = AWS.util.inherit(AWS.Credentials, {
 var ssoTokenProvider = new AWS.SSOTokenProvider({
 profile: profileName,
 });
- ssoTokenProvider.load(function (err) {
+ ssoTokenProvider.get(function (err) {
 if (err) {
 return callback(err);
 }
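Review bot: The switch from `load` to `get` on the `ssoTokenProvider` line in `lib/credentials/sso_credentials.js` carries none of the reasoning given in the commit message into the code, so a later reader may see `get()` as an indirect way to reach `load()` and "simplify" it back, reintroducing the refresh-skipped failure. A one-line why-comment directly above the call would pin it: `// Use get(), not load(): the SSOTokenProvider constructor already starts a load, and load() skips a refresh begun within the last 30s (see #4441); get() queues this callback on that in-flight load instead.` The 30-second window and the constructor-triggered load are taken from the commit description rather than from the hunk itself, so confirm the comment against SSOTokenProvider before committing it. A regression test that resolves credentials with an expired cached sso-session token on disk would also guard this path, if the suite does not already cover it. The enclosing `getToken` function starts and ends outside the hunk.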