Fix case where user can never login to Builder ID again

Author: rli

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/ToolkitAuthManager.kt

@@ -89,6 +89,7 @@ interface ToolkitStartupAuthFactory {
 }
 
 interface ToolkitConnectionManager : Disposable {
+    @Deprecated("Fragile API. Probably leads to unexpected behavior. Use only for toolkit explorer dropdown state.", ReplaceWith("activeConnectionForFeature(feature)"))
     fun activeConnection(): ToolkitConnection?
 
     fun activeConnectionForFeature(feature: FeatureWithPinnedConnection): ToolkitConnection?
@@ -122,14 +123,15 @@ fun loginSso(
     metadata: ConnectionMetadata? = null
 ): AwsBearerTokenConnection? {
     val source = metadata
-    fun createAndAuthNewConnection(profile: AuthProfile): AwsBearerTokenConnection? {
+    fun createAndAuthNewConnection(isReAuth: Boolean, profile: AuthProfile): AwsBearerTokenConnection? {
         val authManager = ToolkitAuthManager.getInstance()
         val connection = try {
             authManager.tryCreateTransientSsoConnection(profile) { transientConnection ->
                 reauthConnectionIfNeeded(
                     project = project,
                     connection = transientConnection,
                     onPendingToken = onPendingToken,
+                    isReAuth = isReAuth
                 )
             }
         } catch (e: Exception) {
@@ -149,7 +151,8 @@ fun loginSso(
 
     val manager = ToolkitAuthManager.getInstance()
     val allScopes = requestedScopes.toMutableSet()
-    return manager.getConnection(connectionId)?.let { connection ->
+    var isReAuth = false
+    val connection = manager.getConnection(connectionId)?.let { connection ->
         val logger = getLogger<ToolkitAuthManager>()
 
         if (connection !is AwsBearerTokenConnection) {
@@ -167,32 +170,28 @@ fun loginSso(
                 """.trimIndent()
             }
             // can't reuse since requested scopes are not in current connection. forcing reauth
-            return createAndAuthNewConnection(
-                ManagedSsoProfile(
-                    region,
-                    startUrl,
-                    allScopes.toList()
-                )
-            )
+            return@let null
         }
 
         // For the case when the existing connection is in invalid state, we need to re-auth
-        reauthConnectionIfNeeded(
-            project = project,
-            connection = connection,
-            isReAuth = true
-        )
+        isReAuth = true
+        return@let null
+    }
+
+    // never true?
+    if (connection != null) {
         return connection
-    } ?: run {
-        // No existing connection, start from scratch
-        createAndAuthNewConnection(
-            ManagedSsoProfile(
-                region,
-                startUrl,
-                allScopes.toList()
-            )
-        )
     }
+
+    // No existing connection, start from scratch
+    return createAndAuthNewConnection(
+        isReAuth = isReAuth,
+        ManagedSsoProfile(
+            region,
+            startUrl,
+            allScopes.toList()
+        )
+    )
 }
 
 @Suppress("UnusedParameter")

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/webview/LoginBrowser.kt

@@ -220,6 +220,8 @@ abstract class LoginBrowser(
             Login
                 .BuilderId(scopes, onPendingToken, onError, onSuccess)
                 .login(project)
+
+            // TODO refresh the pane here for case when provider is no-op (i.e. provider exists and has a valid token), to fix issue where user is stuck waiting for browser
         }
     }