@kfiramar (Owner) commented Feb 3, 2026

Problem

  • IDC auth UX was multi-window and frequently surfaced generic "Authentication failed" instead of the actual cause.
  • OIDC polling and device-authorization edge cases produced confusing failures (invalid request vs expired device code).
  • Placeholder @awsapps.local accounts from Kiro CLI sync (and stale tokens) could be selected, leading to 403 AccessDeniedException ("bearer token is invalid").
  • OpenCode "connected" state didn’t reliably reflect successful auth because auth.loader returned an empty apiKey.

What Changed (User-facing)

  • Single browser window for IDC auth with defaults prefilled; code + "Open Browser" shown immediately, AWS verification opens only on click.
  • Auth failures now show the real underlying error message (not a generic failure page).
  • Provider connection indicator can reflect stored credentials after successful auth.
  • Account selection avoids placeholder accounts when a real-email account exists.

What Changed (Implementation)

  • Auth UI + server endpoints:
    • GET / serves a combined page for Start URL + Region + Begin + code + status polling (src/plugin/auth-page.ts).
    • GET /begin returns JSON { verificationUrl, verificationUriComplete, userCode, region } and triggers server-side token polling (src/plugin/server.ts).
    • /status includes message aliasing error; /error?message=... is parsed and rendered correctly.
  • Start URL + Region handling:
    • Start URL is normalized to origin + /start and can follow redirects to canonical *.awsapps.com portal hosts (src/kiro/oauth-idc.ts).
    • Region is editable in the auth window; validation accepts standard AWS region strings and config schema is no longer limited to a fixed allowlist (src/plugin/config/schema.ts).
  • IDC token polling correctness:
    • Polling request formatting/headers aligned with AWS expectations (reduces immediate "Invalid request" failures) (src/plugin/server.ts).
  • Account + token correctness (403 reduction):
    • Prefer non-placeholder accounts when real-email accounts exist (src/plugin/accounts.ts).
    • After successful auth, the new account is saved and immediately injected into the in-memory AccountManager so subsequent requests don’t keep using stale tokens (src/core/auth/auth-handler.ts, src/core/auth/idc-auth-method.ts).
    • Kiro CLI sync prevents refresh-token uniqueness collisions by deleting placeholders before inserting real-email accounts (src/plugin/sync/kiro-cli.ts).
  • Connected indicator:
    • auth.loader returns apiKey derived from stored auth so OpenCode UI can display connected (src/plugin.ts).
  • Thinking variants:
    • Low/medium/high mapping plus backward-compatible max support (src/core/request/thinking.ts, src/core/request/request-handler.ts, README.md).

Tests

  • npm test
  • npm run typecheck

Notable Behavior Changes / Risks

  • /begin is now JSON (breaking for any consumers relying on it as an HTML navigation endpoint).
  • Account selection order changes when placeholder accounts exist; intended to reduce invalid-bearer 403s.
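
The Start URL and Region handling described above can be sketched as follows. This is an added example, not code from this pull request or the plugin. All function names and the region pattern are assumptions, as is the use of `https://oidc.<region>.amazonaws.com` as the host the region is interpolated into.

```typescript
// Added example: hypothetical helpers, not the plugin's implementation.
const PORTAL_SUFFIX = ".awsapps.com";
// Assumed shape of a "standard AWS region string": us-east-1, ap-southeast-2, us-gov-west-1.
const REGION_RE = /^[a-z]{2}(-[a-z]+){1,2}-\d{1,2}$/;

function isValidRegion(region: string): boolean {
  return REGION_RE.test(region);
}

// The region becomes part of a hostname, so a format check replaces the old allowlist:
// anything containing dots, slashes or other characters is rejected before use.
function oidcEndpoint(region: string): string {
  if (!isValidRegion(region)) throw new Error(`invalid region: ${region}`);
  return `https://oidc.${region}.amazonaws.com`;
}

// Reduce user input to origin + /start, dropping path, query and fragment.
function normalizeStartUrl(input: string): string {
  const url = new URL(input.trim());
  if (url.protocol !== "https:") throw new Error("Start URL must use https");
  if (url.username || url.password) throw new Error("Start URL must not carry credentials");
  return `${url.origin}/start`;
}

// True only for a real subdomain of awsapps.com. The leading dot in the suffix
// enforces a label boundary, so look-alike hosts do not match.
function isPortalHost(hostname: string): boolean {
  const h = hostname.toLowerCase();
  return h.length > PORTAL_SUFFIX.length && h.endsWith(PORTAL_SUFFIX);
}

// Decide whether to follow one redirect hop; returns the normalized target or throws.
function acceptRedirect(currentUrl: string, location: string): string {
  const target = new URL(location, currentUrl); // resolves relative Location values
  if (!isPortalHost(target.hostname)) {
    throw new Error(`redirect to non-portal host refused: ${target.hostname}`);
  }
  return normalizeStartUrl(target.href);
}
```
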

kfiramar and others added 9 commits February 2, 2026 20:15
…n handling and sync

- Remove modelId/tools from CodeWhisperer request shape for alignment
- Base region handling on profileArn with regex extraction
- Improve sync operations and refresh token handling
- Add account cleanup and profileArn from state
- Enhance request error logging
- Inject fetch into provider options
- Add IDC region handling module

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
- Fix claude-haiku-4-5 model ID to use correct backend format
- Add claude-haiku-4-5-thinking, claude-sonnet-4-5-1m, claude-sonnet-4-5-1m-thinking
- Add non-Claude models: nova-swe, gpt-oss-120b, qwen3-coder-480b, minimax-m2, kimi-k2-thinking
- Rename model aliases for cleaner naming (remove date suffixes)
- Update README with new model examples
@kfiramar kfiramar force-pushed the feat/idc-auth-single-window branch from cdd6b9f to 4916106 Compare February 3, 2026 07:43
@kfiramar kfiramar changed the title from "Feat/idc auth single window" to "refactor: single-window IDC auth with JSON API and token selection fixes" Feb 3, 2026