Releases: jhubbardsf/aws-sso-refresh

v1.1.0

26 Dec 17:39

What's New

Silent Token Refresh - No more browser popups every hour!

This release uses the AWS SSO OIDC API to silently refresh your access tokens using the stored refresh token. The browser only opens when your Identity Center session has truly expired.

Features

  • Silent refresh using aws sso-oidc create-token with refresh_token grant type
  • Smart fallback - only opens browser when refresh token is expired/invalid
  • Session tracking - shows when browser re-auth will be needed in status output
  • New config option - AWS_SSO_SESSION_DURATION for accurate re-auth estimates

Example Status Output

AWS SSO Sessions:

  ✓ my-sso  55m remaining  (browser re-auth in 7h 55m)

Configuration

Set your Identity Center session duration for accurate estimates:

export AWS_SSO_SESSION_DURATION=8  # Default: 8 hours

v1.0.3

26 Dec 11:16

What's Changed

New Features

  • Configurable check interval: Control how often the daemon checks your SSO sessions with AWS_SSO_REFRESH_INTERVAL (default: 10 minutes, min: 1, max: 60)
  • Environment variables are now passed through to the LaunchAgent, allowing dynamic configuration updates

Improvements

  • Added validation for both AWS_SSO_REFRESH_THRESHOLD and AWS_SSO_REFRESH_INTERVAL values
  • Status display now reads the actual interval from the plist file
  • Help text updated with examples for both configuration options

Example Usage

# Set aggressive refresh settings (check every 5 minutes, refresh 5m before expiry)
export AWS_SSO_REFRESH_THRESHOLD=5
export AWS_SSO_REFRESH_INTERVAL=5

# Reinstall daemon to apply settings
aws-sso-refresh uninstall
aws-sso-refresh install

This is useful when working with AWS SSO tokens that have shorter expiration times (like the default 1-hour sessions).

Full Changelog: v1.0.2...v1.0.3

v1.0.2

26 Dec 10:38

Bug Fixes

  • Fixed UTC timezone parsing in iso_to_epoch function - The function was incorrectly interpreting ISO 8601 timestamps (ending in Z) as local time instead of UTC. This caused the script to miscalculate token expiry times by your timezone offset, making it think tokens were valid when they had actually expired.

Details

On macOS (BSD date), once the Z suffix is stripped, date interprets the timestamp as local time. The fix sets TZ=UTC explicitly when parsing:

# Before (wrong - interprets as local time)
date -j -f "%Y-%m-%dT%H:%M:%S" "$clean_time" "+%s"

# After (correct - interprets as UTC)
TZ=UTC date -j -f "%Y-%m-%dT%H:%M:%S" "$clean_time" "+%s"

This bug affected users in any non-UTC timezone, causing the refresh threshold to be off by their UTC offset (e.g., 5 hours for EST, 8 hours for PST).
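
The effect of this fix on an expiry check, as an added example that is not the project's code: the function names, the EST5 zone and the sample timestamps are constructed for illustration, and the parser falls back to GNU/busybox date so it also runs off macOS.

```shell
#!/bin/sh
# Added example; names are illustrative, not taken from aws-sso-refresh.

# Parse "YYYY-MM-DDTHH:MM:SS" in whatever TZ is currently in effect.
# Tries BSD date (macOS) first, then GNU/busybox date.
parse_in_current_tz() {
    date -j -f "%Y-%m-%dT%H:%M:%S" "$1" "+%s" 2>/dev/null ||
        date -d "$(printf '%s' "$1" | tr 'T' ' ')" "+%s"
}

# Pre-fix behaviour: Z is stripped and the timestamp is read as local time.
iso_to_epoch_local() {
    parse_in_current_tz "${1%Z}"
}

# Post-fix behaviour: Z is stripped and the timestamp is read as UTC.
# The subshell keeps the TZ override from leaking into the caller.
iso_to_epoch_utc() {
    ( TZ=UTC; export TZ; parse_in_current_tz "${1%Z}" )
}

# Seconds until expiry according to the given parser.
# usage: remaining <parser-function> <expires_at> <now_epoch>
remaining() {
    echo $(( $("$1" "$2") - $3 ))
}

# Constructed sample: the token expired at 12:00 UTC, the clock reads
# 13:00 UTC, and the user is in a UTC-5 zone (POSIX TZ string EST5).
expires="2024-01-01T12:00:00Z"
now=1704114000   # 2024-01-01T13:00:00Z

(
    TZ=EST5; export TZ
    echo "before fix: $(remaining iso_to_epoch_local "$expires" "$now")s remaining"
    echo "after fix:  $(remaining iso_to_epoch_utc "$expires" "$now")s remaining"
)
```

A positive value from the pre-fix parser on a token that has already expired is the failure mode described above: the daemon skips the refresh and the next AWS call fails.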

v1.0.1

25 Dec 05:31

aws-sso-refresh v1.0.1

Bug fix release.

Fixed

  • Help output now properly displays colors and formatting (was showing raw escape codes)
  • Daemon status detection now works correctly (fixed SIGPIPE issue with pipefail)

Installation

Homebrew:

brew upgrade jhubbardsf/aws-sso-refresh/aws-sso-refresh

Manual:

curl -fsSL https://raw.githubusercontent.com/jhubbardsf/aws-sso-refresh/main/install.sh | bash

v1.0.0

25 Dec 05:05

aws-sso-refresh v1.0.0

Initial release! Automatic AWS SSO session refresh daemon for macOS.

Features

  • Proactively refreshes SSO sessions before they expire
  • Background daemon via launchd (runs every 10 minutes)
  • CLI commands: status, install, uninstall, logs, help
  • Configurable refresh threshold (default: 30 minutes)

Installation

Homebrew:

brew install jhubbardsf/aws-sso-refresh/aws-sso-refresh

Manual:

curl -fsSL https://raw.githubusercontent.com/jhubbardsf/aws-sso-refresh/main/install.sh | bash

Usage

aws-sso-refresh status    # Check session status
aws-sso-refresh install   # Enable background daemon
aws-sso-refresh logs      # View refresh log