
Says identity center token is expired when it's not #96

Open
kamatsuoka opened this issue May 17, 2023 · 2 comments

Comments

@kamatsuoka

I logged in with aws-sso-util login but I can't assume any roles. aws-sso-util check says my token has expired, but it hasn't.
$ jq . ~/.aws/sso/cache/3a5b135d8a84aed13e9ac6b6a5e4b41302b19d00.json

{
  "startUrl": "https://$COMPANY.awsapps.com/start/",
  "region": "us-east-2",
  "accessToken": "...",
  "expiresAt": "2023-05-17T16:29:32Z",
  "receivedAt": "2023-05-17T16:20:57Z"
}

$ aws-sso-util check

aws-sso-util: v4.31.0; aws-sso-lib: v1.14.0; time: 2023-05-17T16:26:49Z
Identity Center instance start URL https://$COMPANY.awsapps.com/start/ from AWS_DEFAULT_SSO_START_URL and region us-east-2 from AWS_DEFAULT_SSO_REGION, from specifier https://$COMPANY.awsapps.com/start/ from AWS_DEFAULT_SSO_START_URL and region us-east-2 from AWS_DEFAULT_SSO_REGION
Cached Identity Center token is expired. Log in again with `aws-sso-util login https://$COMPANY.awsapps.com/start/ us-east-2` or use the --force-refresh option.

$ date -u
Wed May 17 16:27:32 UTC 2023

@martyhill

Yes, it looks like the SSOTokenFetcher._is_expired() method in utils.py should return seconds > expiry_window. It currently returns seconds < expiry_window.

@benkehoe
Owner

The logic in SSOTokenFetcher (which comes from botocore) is correct: (seconds) is seconds of validity remaining, and the token is considered expired when that's less than a fixed window, in support of refreshing before the token actually expires.

So what's happening here is aws-sso-util check is just asking the token fetcher if the token is expired, using the expiry window. What it should be doing is asking "is the token past its actual expiration?" and if not, "is it within the expiry window?" and reporting a more comprehensive answer than it is today. That would help illuminate problems like aws/aws-sdk#531

So I'll consider this a feature request for aws-sso-util check to do that, and leave the issue open until that's done.
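The two-step check described above, worked through on the timestamps from this issue (added example, not aws-sso-util's or botocore's own code; the 15-minute refresh window is assumed to match botocore's SSOTokenFetcher, and the cache entry is a constructed copy of the one in the report with the token redacted):

```python
"""Distinguish 'past actual expiration' from 'inside the refresh window'
for a cached IAM Identity Center token, as proposed for aws-sso-util check."""
import json
from datetime import datetime, timedelta, timezone

# Assumption: botocore's SSOTokenFetcher treats a token as needing refresh
# when fewer than 15 minutes of validity remain.
DEFAULT_EXPIRY_WINDOW = timedelta(minutes=15)

# Constructed cache entry modelled on the one in the issue (accessToken redacted).
SAMPLE_CACHE = json.dumps({
    "startUrl": "https://example.awsapps.com/start/",
    "region": "us-east-2",
    "accessToken": "<redacted>",
    "expiresAt": "2023-05-17T16:29:32Z",
    "receivedAt": "2023-05-17T16:20:57Z",
})


def parse_utc(stamp):
    """Parse the cache file's 'YYYY-MM-DDTHH:MM:SSZ' form into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_expiry(raw_json):
    """Read expiresAt from a ~/.aws/sso/cache/*.json entry."""
    return parse_utc(json.loads(raw_json)["expiresAt"])


def seconds_remaining(expires_at, now):
    """Seconds of validity left; negative once the token is really expired."""
    return (expires_at - now).total_seconds()


def botocore_style_is_expired(expires_at, now, window=DEFAULT_EXPIRY_WINDOW):
    """What the fetcher's _is_expired() answers: 'should refresh', not 'is dead'."""
    return seconds_remaining(expires_at, now) < window.total_seconds()


def classify_token(expires_at, now, window=DEFAULT_EXPIRY_WINDOW):
    """The more informative answer: expired, inside the refresh window, or valid."""
    remaining = seconds_remaining(expires_at, now)
    if remaining <= 0:
        return "expired"
    if remaining < window.total_seconds():
        return "valid-but-inside-refresh-window"
    return "valid"


if __name__ == "__main__":
    now = parse_utc("2023-05-17T16:26:49Z")  # the `time:` printed by aws-sso-util check
    exp = parse_expiry(SAMPLE_CACHE)
    print(seconds_remaining(exp, now), botocore_style_is_expired(exp, now), classify_token(exp, now))
```

With the reporter's timestamps the token has 163 seconds left, so the fetcher says "expired" while the classifier says it is still valid but inside the refresh window.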
