Skip to content

[Credential Cache Pr 2/3] Enable static stability for STS, Container, SSO, and Login credential providers#7031

Open
alextwoods wants to merge 2 commits into
feature/master/credential_cachefrom
alexwoo/credential_cache_pr2
Open

[Credential Cache Pr 2/3] Enable static stability for STS, Container, SSO, and Login credential providers#7031
alextwoods wants to merge 2 commits into
feature/master/credential_cachefrom
alexwoo/credential_cache_pr2

Conversation

@alextwoods

@alextwoods alextwoods commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

This PR merges to feature/master/credential_cache, NOT to master
[Credential Cache Pr 2/3].

Motivation and Context

This is part 2 of 3 implementing the cross-SDK Credential Refresh Behavior SEP. With the CachedSupplier ALLOW behavior established in PR 1, this PR switches the relevant credential providers to use it — so that refresh failures return cached credentials instead of propagating exceptions to callers.

Additionally, this PR wraps non-recoverable authentication errors (expired SSO tokens, changed Login passwords) in CacheInvalidatingException so they bypass static stability and are immediately surfaced to the user.

PR chain: PR 1: CachedSupplier ALLOW engine → PR 2 (this) → [PR 3: Unified timing configuration]

Depends on: #7028

Modifications

  • StsCredentialsProvider: Added .staleValueBehavior(CachedSupplier.StaleValueBehavior.ALLOW) to the CachedSupplier builder. On refresh failure, STS providers now return cached credentials instead of throwing. Initial fetch failure (no cache) still throws.

  • ContainerCredentialsProvider: Added .staleValueBehavior(ALLOW) to the CachedSupplier builder. Container metadata endpoint failures now return cached credentials.

  • SsoCredentialsProvider: Added .staleValueBehavior(ALLOW). UnauthorizedException (from SSO service) and ExpiredTokenException are considered cache invalidating exceptions so expired SSO tokens bypass static stability and immediately prompt re-authentication.

  • LoginCredentialsProvider: Added .staleValueBehavior(ALLOW). Made TOKEN_EXPIRED and USER_CREDENTIALS_CHANGED errors cache invalidating.

  • ProcessCredentialsProvider: Intentionally NOT changed — keeps STRICT behavior since process execution is local and we do not know the source of the credentials.

Testing

New tests for static stability in updated credential providers.

Types of changes

  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.

License

  • I confirm that this pull request can be released under the Apache 2 license

@alextwoods
Switch credential providers to ALLOW static stability + cacheInvalida…
31b290a 
…tingPredicate

- STS, Container, SSO, and Login providers now use StaleValueBehavior.ALLOW
- SSO provider configures cacheInvalidatingPredicate for ExpiredTokenException
  and UnauthorizedException (original exceptions propagate unchanged)
- Login provider configures cacheInvalidatingPredicate for AccessDeniedException
  with TOKEN_EXPIRED or USER_CREDENTIALS_CHANGED error codes
- Removes all CacheInvalidatingException wrapping — service exceptions flow
  through to customers unchanged
@alextwoods alextwoods requested a review from a team as a code owner June 11, 2026 21:47
@alextwoods alextwoods requested a review from RanVaknin June 12, 2026 15:04
RanVaknin
RanVaknin reviewed Jun 12, 2026
View reviewed changes
Comment thread ...gnin/src/main/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProvider.java
// Let the original AccessDeniedException propagate — the cacheInvalidatingPredicate
// on CachedSupplier will identify it and bypass static stability.
throw accessDeniedException;
case INSUFFICIENT_PERMISSIONS:

@RanVaknin RanVaknin Jun 12, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this one also be treated as non-recoverable?

@alextwoods alextwoods Jun 15, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, good question - I'll follow up with the spec owner for this....

@alextwoods alextwoods Jun 15, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call out - yes, it should be cache invalidating! I'll update the code and spec is being updated as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RanVaknin RanVaknin RanVaknin left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alextwoods @RanVaknin