fix(sso): preserve refresh tokens on service-faults #2925

Problem:
Eager cache eviction drops refresh tokens on potentially recoverable faults.

Solution:
Don't eagerly evict tokens.

Author: JadenSimon

src/credentials/sso/ssoAccessTokenProvider.ts

@@ -8,7 +8,7 @@ import globals from '../../shared/extensionGlobals'
 import { SSOOIDCServiceException } from '@aws-sdk/client-sso-oidc'
 import { openSsoPortalLink, SsoToken, ClientRegistration, isExpired, SsoProfile } from './model'
 import { getCache } from './cache'
-import { hasProps, selectFrom } from '../../shared/utilities/tsUtils'
+import { hasProps, RequiredProps, selectFrom } from '../../shared/utilities/tsUtils'
 import { CancellationError } from '../../shared/utilities/timeoutUtils'
 import { OidcClient } from './clients'
 import { loadOr } from '../../shared/utilities/cacheUtils'
@@ -72,16 +72,16 @@ export class SsoAccessTokenProvider {
             return data?.token
         }
 
-        await this.invalidate()
-
-        if (data.registration && !isExpired(data.registration)) {
+        if (data.registration && !isExpired(data.registration) && hasProps(data.token, 'refreshToken')) {
             const refreshed = await this.refreshToken(data.token, data.registration)
 
             if (refreshed) {
                 await this.cache.token.save(this.tokenCacheKey, refreshed)
             }
 
             return refreshed?.token
+        } else {
+            await this.invalidate()
         }
     }
 
@@ -99,21 +99,27 @@ export class SsoAccessTokenProvider {
 
         try {
             return await this.authorize(registration)
-        } catch (error) {
-            if (error instanceof SSOOIDCServiceException && isClientFault(error)) {
+        } catch (err) {
+            if (err instanceof SSOOIDCServiceException && isClientFault(err)) {
                 this.cache.registration.clear(cacheKey)
             }
 
-            throw error
+            throw err
         }
     }
 
-    private async refreshToken(token: SsoToken, registration: ClientRegistration) {
-        if (hasProps(token, 'refreshToken')) {
+    private async refreshToken(token: RequiredProps<SsoToken, 'refreshToken'>, registration: ClientRegistration) {
+        try {
             const clientInfo = selectFrom(registration, 'clientId', 'clientSecret')
             const response = await this.oidc.createToken({ ...clientInfo, ...token, grantType: REFRESH_GRANT_TYPE })
 
             return this.formatToken(response, registration)
+        } catch (err) {
+            if (err instanceof SSOOIDCServiceException && isClientFault(err)) {
+                this.cache.token.clear(this.tokenCacheKey)
+            }
+
+            throw err
         }
     }
 

src/test/credentials/sso/ssoAccessTokenProvider.test.ts

@@ -124,6 +124,36 @@ describe('SsoAccessTokenProvider', function () {
             const cachedToken = await cache.token.load(startUrl).then(a => a?.token)
             assert.strictEqual(cachedToken, undefined)
         })
+
+        describe('Exceptions', function () {
+            it('drops expired tokens if failure was a client-fault', async function () {
+                const exception = new UnauthorizedClientException({ message: '', $metadata: {} })
+                when(oidcClient.createToken(anything())).thenReject(exception)
+
+                const refreshableToken = createToken(-HOUR_IN_MS, { refreshToken: 'refreshToken' })
+                const validRegistation = createRegistration(HOUR_IN_MS)
+                const access = { region, startUrl, token: refreshableToken, registration: validRegistation }
+                await cache.token.save(startUrl, access)
+                await assert.rejects(sut.getToken())
+
+                const cachedToken = await cache.token.load(startUrl)
+                assert.strictEqual(cachedToken, undefined)
+            })
+
+            it('preserves expired tokens if failure was not a client-fault', async function () {
+                const exception = new InternalServerException({ message: '', $metadata: {} })
+                when(oidcClient.createToken(anything())).thenReject(exception)
+
+                const refreshableToken = createToken(-HOUR_IN_MS, { refreshToken: 'refreshToken' })
+                const validRegistation = createRegistration(HOUR_IN_MS)
+                const access = { region, startUrl, token: refreshableToken, registration: validRegistation }
+                await cache.token.save(startUrl, access)
+                await assert.rejects(sut.getToken())
+
+                const cachedToken = await cache.token.load(startUrl).then(a => a?.token)
+                assert.deepStrictEqual(cachedToken, refreshableToken)
+            })
+        })
     })
 
     describe('createToken', function () {