Add updated error handling / messages

alextwoods · alextwoods · commit c1f5118ad10e · 2025-11-10T12:26:10.000-08:00
diff --git a/services/signin/src/main/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProvider.java b/services/signin/src/main/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProvider.java
@@ -40,9 +40,9 @@
 import software.amazon.awssdk.services.signin.internal.LoginAccessToken;
 import software.amazon.awssdk.services.signin.internal.LoginCacheDirectorySystemSetting;
 import software.amazon.awssdk.services.signin.internal.OnDiskTokenManager;
+import software.amazon.awssdk.services.signin.model.AccessDeniedException;
 import software.amazon.awssdk.services.signin.model.CreateOAuth2TokenRequest;
 import software.amazon.awssdk.services.signin.model.CreateOAuth2TokenResponse;
-import software.amazon.awssdk.services.signin.model.SigninException;
 import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.SdkAutoCloseable;
 import software.amazon.awssdk.utils.StringUtils;
@@ -198,10 +198,32 @@ private RefreshResult<AwsCredentials> refreshFromSigninService(LoginAccessToken
                                 .staleTime(newExpiration.minus(staleTime))
                                 .prefetchTime(newExpiration.minus(prefetchTime))
                                 .build();
-        } catch (SigninException serviceException) {
-            throw SdkClientException.create(
-                "Unable to refresh AWS Signin Access Token: You must re-authenticate.",
-                serviceException);
+        } catch (AccessDeniedException accessDeniedException) {
+            if (accessDeniedException.error() == null) {
+                throw accessDeniedException;
+            }
+
+            switch (accessDeniedException.error()) {
+                case TOKEN_EXPIRED:
+                    throw SdkClientException.create(
+                        "Your session has expired. Please reauthenticate.",
+                        accessDeniedException);
+                case USER_CREDENTIALS_CHANGED:
+                    throw SdkClientException.create(
+                        "Unable to refresh credentials because of a change in your password. "
+                        + "Please reauthenticate with your new password.",
+                        accessDeniedException
+                    );
+                case INSUFFICIENT_PERMISSIONS:
+                    throw SdkClientException.create(
+                        "Unable to refresh credentials due to insufficient permissions. You may be missing permission "
+                        + "for the 'CreateOAuth2Token' action.",
+                        accessDeniedException
+                    );
+                default:
+                    throw accessDeniedException;
+
+            }
         }
     }
 
diff --git a/services/signin/src/test/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProviderTest.java b/services/signin/src/test/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProviderTest.java
@@ -20,12 +20,7 @@
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
+
 import static software.amazon.awssdk.services.signin.auth.internal.DpopTestUtils.VALID_TEST_PEM;
 import static software.amazon.awssdk.services.signin.auth.internal.DpopTestUtils.getJwtPayloadFromEncodedDpopHeader;
 import static software.amazon.awssdk.services.signin.auth.internal.DpopTestUtils.verifySignature;
@@ -41,10 +36,8 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
-import org.mockito.ArgumentCaptor;
 import software.amazon.awssdk.auth.credentials.AwsCredentials;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
-import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute;
 import software.amazon.awssdk.core.SdkRequest;
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.core.interceptor.Context;
@@ -61,10 +54,10 @@
 import software.amazon.awssdk.services.signin.internal.LoginAccessToken;
 import software.amazon.awssdk.services.signin.internal.OnDiskTokenManager;
 import software.amazon.awssdk.services.signin.model.CreateOAuth2TokenRequest;
-import software.amazon.awssdk.services.signin.model.CreateOAuth2TokenResponse;
+import software.amazon.awssdk.services.signin.model.OAuth2ErrorCode;
 import software.amazon.awssdk.services.signin.model.SigninException;
-import software.amazon.awssdk.testutils.service.http.MockAsyncHttpClient;
 import software.amazon.awssdk.testutils.service.http.MockSyncHttpClient;
+import software.amazon.awssdk.utils.StringInputStream;
 
 public class LoginCredentialsProviderTest {
     private static final String LOGIN_SESSION_ID = "loginSessionId";
@@ -188,7 +181,7 @@ public void resolveCredentials_whenCredentialsExpired_refreshesAndUpdatesCache()
     }
 
     @Test
-    public void resolveCredentials_whenCredentialsExpired_serviceCallFails_raisesException() {
+    public void resolveCredentials_whenCredentialsExpired_serviceCallFailsWithGeneric500_raisesException() {
         // expired
         AwsSessionCredentials creds = buildCredentials(Instant.now().minusSeconds(60));
         LoginAccessToken token = buildAccessToken(creds);
@@ -199,7 +192,43 @@ public void resolveCredentials_whenCredentialsExpired_serviceCallFails_raisesExc
                 .response(SdkHttpResponse.builder().statusCode(500).build())
                 .build()
         );
-        assertThrows(SdkClientException.class, () -> loginCredentialsProvider.resolveCredentials());
+        assertThrows(SigninException.class, () -> loginCredentialsProvider.resolveCredentials());
+    }
+
+    @Test
+    public void resolveCredentials_whenCredentialsExpired_serviceCallFailsWithTokenExpired_raisesException() {
+        // expired
+        AwsSessionCredentials creds = buildCredentials(Instant.now().minusSeconds(60));
+        LoginAccessToken token = buildAccessToken(creds);
+        tokenManager.storeToken(token);
+
+        stubAccessDeniedException(OAuth2ErrorCode.TOKEN_EXPIRED);
+        SdkClientException e = assertThrows(SdkClientException.class, () -> loginCredentialsProvider.resolveCredentials());
+        assertTrue(e.getMessage().contains("Your session has expired"));
+    }
+
+    @Test
+    public void resolveCredentials_whenCredentialsExpired_serviceCallFailsWithUserExpired_raisesException() {
+        // expired
+        AwsSessionCredentials creds = buildCredentials(Instant.now().minusSeconds(60));
+        LoginAccessToken token = buildAccessToken(creds);
+        tokenManager.storeToken(token);
+
+        stubAccessDeniedException(OAuth2ErrorCode.USER_CREDENTIALS_CHANGED);
+        SdkClientException e = assertThrows(SdkClientException.class, () -> loginCredentialsProvider.resolveCredentials());
+        assertTrue(e.getMessage().contains("change in your password"));
+    }
+
+    @Test
+    public void resolveCredentials_whenCredentialsExpired_serviceCallFailsWithInsufficentPermissions_raisesException() {
+        // expired
+        AwsSessionCredentials creds = buildCredentials(Instant.now().minusSeconds(60));
+        LoginAccessToken token = buildAccessToken(creds);
+        tokenManager.storeToken(token);
+
+        stubAccessDeniedException(OAuth2ErrorCode.INSUFFICIENT_PERMISSIONS);
+        SdkClientException e = assertThrows(SdkClientException.class, () -> loginCredentialsProvider.resolveCredentials());
+        assertTrue(e.getMessage().contains("insufficient permissions"));
     }
 
     private static void verifyResolvedCredentialsAreUpdated(AwsCredentials resolvedCredentials) {
@@ -254,6 +283,22 @@ private void stubSuccessfulRefreshResponse() {
         );
     }
 
+    private void stubAccessDeniedException(OAuth2ErrorCode errorCode) {
+        String errorBody = "{\"error\":\"" + errorCode + "\",\"message\":\"The refresh token has expired.\"}";
+        mockHttpClient.stubNextResponse(
+            HttpExecuteResponse
+                .builder()
+                .response(
+                    SdkHttpResponse
+                        .builder()
+                        .putHeader("X-Amzn-Errortype", "AccessDeniedException")
+                        .statusCode(401)
+                        .build())
+                .responseBody(AbortableInputStream.create(new StringInputStream(errorBody)))
+                .build()
+        );
+    }
+
     private AwsSessionCredentials buildCredentials(Instant expirationTime) {
         return AwsSessionCredentials.builder()
                              .accessKeyId("akid")
