@PancakeZik

Summary

  • Adds AWS Identity Center (IDC) authentication as an alternative to Builder ID
  • Uses Kiro IDE-style headers (x-amzn-kiro-agent-mode: spec) for IDC requests
  • Supports region-specific SSO OIDC token refresh for IDC tokens
  • Persists refreshed tokens back to auth files

Changes

  • internal/auth/kiro/sso_oidc.go: Added IDC login flow, region-specific token refresh, and method selection prompt
  • internal/runtime/executor/kiro_executor.go: Added IDC header detection and Kiro IDE user-agent for IDC auth
  • sdk/auth/kiro.go: Added IDC auth method handling and token persistence after refresh
  • internal/auth/kiro/aws.go: Added IDC-specific fields to KiroTokenData struct

Test plan

  • Test IDC login flow with --method idc flag
  • Verify token refresh works for IDC tokens
  • Verify refreshed tokens are persisted to auth file
  • Confirm Builder ID auth still works as before

Add persistRefreshedAuth function to write refreshed tokens back to the
auth file after inline token refresh. This prevents repeated token
refreshes on every request when the token expires.

Changes:
- Add persistRefreshedAuth() to kiro_executor.go
- Call persist after all token refresh paths (401, 403, pre-request)
- Remove unused log import from sdk/auth/kiro.go

@gemini-code-assist

Summary of Changes

Hello @PancakeZik, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the authentication capabilities by integrating AWS Identity Center (IDC) support. It provides a robust alternative to Builder ID, catering to organizational SSO requirements. The changes encompass the entire authentication lifecycle, from initial login and client registration to region-aware token refreshing and persistent storage of credentials. This ensures a more flexible and secure authentication experience for users, aligning with modern AWS identity management practices.

Highlights

  • AWS Identity Center (IDC) Authentication: Added full support for AWS Identity Center (IDC) as an alternative authentication method to Builder ID, enabling users to log in with their organizational SSO credentials.
  • Kiro IDE-style Headers: Implemented Kiro IDE-style headers (x-amzn-kiro-agent-mode: spec) for IDC requests, ensuring compatibility and proper communication with AWS services.
  • Region-Specific Token Refresh: Introduced support for region-specific SSO OIDC token refreshing for IDC tokens, improving reliability and adherence to regional AWS endpoints.
  • Token Persistence: Ensured that refreshed IDC tokens are persisted back to the authentication files, maintaining user sessions across application restarts and refreshes.
  • Login Method Selection: Added an interactive prompt during the login process, allowing users to choose between Builder ID and IDC authentication methods.

@PancakeZik (Author)

Closes #56

@gemini-code-assist (bot) left a comment

Code Review

This pull request adds support for AWS Identity Center (IDC) authentication, providing an alternative to Builder ID. The changes are extensive, touching authentication flows, request execution, and token management. My review focuses on improving maintainability by reducing code duplication, enhancing error handling robustness, and addressing hardcoded values. I've identified several areas where logic is repeated across different files and functions, such as token refresh and persistence, which could be centralized. Additionally, I've suggested improvements to make error handling less brittle and to move magic strings into constants.

Comment on lines 107 to 112

    input, _ := reader.ReadString('\n')
    input = strings.TrimSpace(input)
    if input == "" {
        return defaultValue
    }
    return input

Severity: medium

The error from reader.ReadString is ignored. While this might be acceptable for a simple CLI tool, it's better practice to handle potential I/O errors from os.Stdin. For example, if the input stream is closed or encounters an error, this could lead to unexpected behavior. Handling the error improves the robustness of the CLI.

Suggested change

    input, err := reader.ReadString('\n')
    if err != nil {
        log.Warnf("Error reading input: %v", err)
        return defaultValue
    }
    input = strings.TrimSpace(input)
    if input == "" {
        return defaultValue
    }
    return input

Comment on lines 129 to 131
    if _, err := fmt.Sscanf(input, "%d", &selection); err != nil || selection < 1 || selection > len(options) {
        return 0 // Default to first option
    }

Severity: medium

On invalid input (non-numeric, out of range), the function silently defaults to the first option. This could be confusing for the user. Consider providing feedback on invalid input and re-prompting for a valid selection in a loop to improve the user experience.
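An added example, not code from this PR or the project, that puts the two review points on this prompt code together: promptInput returns the ReadString error instead of discarding it, and promptSelect explains each invalid entry and re-prompts rather than silently picking option 1. The function names follow the discussion above, but the io.Reader/io.Writer parameters, the attempt limit and ErrNoInput are assumptions made so the behaviour can be exercised without a terminal.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// ErrNoInput is returned when the input stream closes before a selection was
// made, so callers can tell "user accepted the default" from "there is no user".
var ErrNoInput = errors.New("prompt: input closed before a selection was made")

// promptInput reads one line from r, trims it and returns defaultValue for an
// empty line. Read errors are returned instead of discarded: a closed or
// failing stdin must not silently look like "accept the default".
func promptInput(r *bufio.Reader, w io.Writer, label, defaultValue string) (string, error) {
	fmt.Fprintf(w, "%s [%s]: ", label, defaultValue)
	line, err := r.ReadString('\n')
	if err != nil && !errors.Is(err, io.EOF) {
		return "", fmt.Errorf("prompt: reading input: %w", err)
	}
	line = strings.TrimSpace(line)
	if line == "" {
		if errors.Is(err, io.EOF) {
			return "", ErrNoInput
		}
		return defaultValue, nil
	}
	return line, nil
}

// promptSelect lists the options numbered from 1 and re-prompts with an
// explanation on every invalid entry (non-numeric or out of range) instead of
// silently falling back to option 1. An empty line keeps the first option as
// the default; a closed stream or too many bad attempts returns an error, which
// matters when the answer decides which identity provider receives the login.
func promptSelect(r *bufio.Reader, w io.Writer, label string, options []string, maxAttempts int) (int, error) {
	for i, opt := range options {
		fmt.Fprintf(w, "  %d) %s\n", i+1, opt)
	}
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		in, err := promptInput(r, w, label, "1")
		if err != nil {
			return -1, err
		}
		n, convErr := strconv.Atoi(in)
		if convErr != nil || n < 1 || n > len(options) {
			fmt.Fprintf(w, "invalid selection %q: enter a number between 1 and %d\n", in, len(options))
			continue
		}
		return n - 1, nil
	}
	return -1, fmt.Errorf("prompt: no valid selection after %d attempts", maxAttempts)
}

func main() {
	methods := []string{"Builder ID", "AWS Identity Center (IDC)"}
	idx, err := promptSelect(bufio.NewReader(os.Stdin), os.Stdout, "Login method", methods, 3)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("selected:", methods[idx])
}
```

Because the reader and writer are parameters, the same functions can be driven from a string in a unit test, which is how the re-prompt and closed-stream paths are checked.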

Comment on lines 268 to 273
    if errResp.Error == "authorization_pending" {
        return nil, fmt.Errorf("authorization_pending")
    }
    if errResp.Error == "slow_down" {
        return nil, fmt.Errorf("slow_down")
    }

Severity: medium

Using fmt.Errorf to create errors that are later checked with strings.Contains is brittle. If the error message changes, this logic will break. It's better to use sentinel errors. You can define package-level error variables (e.g., var ErrAuthorizationPending = errors.New("authorization_pending")) and return them here. Then, the calling function can use errors.Is for robust error checking.

Suggested change

    if errResp.Error == "authorization_pending" {
        return nil, ErrAuthorizationPending
    }
    if errResp.Error == "slow_down" {
        return nil, ErrSlowDown
    }
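An added example (not the PR's own code) carrying the sentinel-error suggestion through to the caller that benefits from it: classifyTokenError maps the token endpoint's JSON error body to ErrAuthorizationPending or ErrSlowDown, and pollForToken uses errors.Is to keep polling on authorization_pending, lengthen the interval on slow_down as the device authorization grant (RFC 8628) requires, and stop on any other error. The tokenRequester type, the scripted responses and the token field subset are assumptions and constructed data; the real code would wrap net/http.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Sentinel errors for the two non-fatal token-endpoint responses of the device
// authorization grant (RFC 8628 section 3.5). Callers test them with errors.Is.
var (
	ErrAuthorizationPending = errors.New("authorization_pending")
	ErrSlowDown             = errors.New("slow_down")
)

// oidcErrorResponse mirrors the JSON error body of the SSO OIDC CreateToken call.
type oidcErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
}

// tokenResponse is the subset of a successful CreateToken body used here.
type tokenResponse struct {
	AccessToken  string `json:"accessToken"`
	RefreshToken string `json:"refreshToken"`
	ExpiresIn    int    `json:"expiresIn"`
}

// classifyTokenError turns an error body into a sentinel error, or a wrapped
// descriptive error for every other code, so no caller ever matches on strings.
func classifyTokenError(body []byte) error {
	var errResp oidcErrorResponse
	if err := json.Unmarshal(body, &errResp); err != nil {
		return fmt.Errorf("token endpoint: unparseable error body: %w", err)
	}
	switch errResp.Error {
	case "authorization_pending":
		return ErrAuthorizationPending
	case "slow_down":
		return ErrSlowDown
	default:
		return fmt.Errorf("token endpoint: %s: %s", errResp.Error, errResp.ErrorDescription)
	}
}

// tokenRequester performs one CreateToken call and reports the body plus whether
// the HTTP status was 2xx. Hypothetical abstraction so the loop runs offline.
type tokenRequester func() (body []byte, ok bool)

// pollForToken is the client side of the device-flow polling loop: wait
// `interval` between calls, add 5 s to the interval on slow_down, keep going on
// authorization_pending, abort on anything else (expired_token, access_denied,
// ...). It also reports how many calls were made, which is useful telemetry.
func pollForToken(request tokenRequester, interval time.Duration, maxAttempts int, sleep func(time.Duration)) (*tokenResponse, int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		body, ok := request()
		if ok {
			var tok tokenResponse
			if err := json.Unmarshal(body, &tok); err != nil {
				return nil, attempt, fmt.Errorf("token endpoint: bad success body: %w", err)
			}
			return &tok, attempt, nil
		}
		err := classifyTokenError(body)
		switch {
		case errors.Is(err, ErrSlowDown):
			interval += 5 * time.Second
		case errors.Is(err, ErrAuthorizationPending):
			// user has not approved yet: poll again at the current interval
		default:
			return nil, attempt, err
		}
		sleep(interval)
	}
	return nil, maxAttempts, fmt.Errorf("device authorization not completed after %d attempts", maxAttempts)
}

// scripted replays constructed token-endpoint bodies in order (sample data,
// not captured traffic) so the loop can be demonstrated without a network.
type scriptedResponse struct {
	body string
	ok   bool
}

func scripted(responses []scriptedResponse) tokenRequester {
	i := 0
	return func() ([]byte, bool) {
		r := responses[i%len(responses)]
		i++
		return []byte(r.body), r.ok
	}
}

func main() {
	req := scripted([]scriptedResponse{
		{`{"error":"authorization_pending","error_description":"not yet"}`, false},
		{`{"error":"slow_down"}`, false},
		{`{"accessToken":"constructed-access-token","refreshToken":"constructed-refresh-token","expiresIn":3600}`, true},
	})
	tok, attempts, err := pollForToken(req, 5*time.Second, 10, func(d time.Duration) { fmt.Println("sleeping", d) })
	fmt.Println("attempts:", attempts, "err:", err, "got token:", tok != nil)
}
```

The sleep function is injected so the backoff schedule can be asserted on directly (5 s after pending, 10 s after slow_down) instead of waited for.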

    req.Header.Set("Content-Type", "application/json")
    req.Header.Set("Host", fmt.Sprintf("oidc.%s.amazonaws.com", region))
    req.Header.Set("Connection", "keep-alive")
    req.Header.Set("x-amz-user-agent", "aws-sdk-js/3.738.0 ua/2.1 os/other lang/js md/browser#unknown_unknown api/sso-oidc#3.738.0 m/E KiroIDE")

Severity: medium

This x-amz-user-agent header, along with others in this function, contains hardcoded values like SDK versions (3.738.0). This makes them difficult to find and update. To improve maintainability, consider defining these magic strings as constants at the package level.

Comment on lines 241 to 248
        auth = refreshedAuth
        // Persist the refreshed auth to file so subsequent requests use it
        if persistErr := e.persistRefreshedAuth(auth); persistErr != nil {
            log.Warnf("kiro: failed to persist refreshed auth: %v", persistErr)
        }
        accessToken, profileArn = kiroCredentials(auth)
        log.Infof("kiro: token refreshed successfully before request")
    }

Severity: medium

The logic for persisting a refreshed token and updating credentials is duplicated in multiple places in this file. This makes the code harder to maintain. Consider extracting this logic into a helper function. For example:

func (e *KiroExecutor) applyRefreshedAuth(auth *cliproxyauth.Auth) (*cliproxyauth.Auth, string, string) {
    if persistErr := e.persistRefreshedAuth(auth); persistErr != nil {
        log.Warnf("kiro: failed to persist refreshed auth: %v", persistErr)
    }
    accessToken, profileArn := kiroCredentials(auth)
    log.Infof("kiro: token refreshed successfully")
    return auth, accessToken, profileArn
}

This would simplify the call sites significantly.
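An added example, not the PR's persistRefreshedAuth, of what the persistence step should guarantee once it runs after every refresh path: the token file is written atomically (temp file in the same directory, fsync, rename) with mode 0600, and reloading refuses a file that other users can read. That way a crash mid-write cannot leave a truncated record that forces another refresh, and a pre-existing file with looser permissions is replaced rather than opened in place. The kiroAuthFile struct and its fields, loadAuth and needsRefresh are assumptions for this example; the permission check is Unix-specific.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// kiroAuthFile is a stand-in for the persisted token record; the field set is
// an assumption for this example and not the PR's KiroTokenData.
type kiroAuthFile struct {
	AuthMethod   string    `json:"authMethod"` // "builder-id" or "idc"
	Region       string    `json:"region"`     // SSO OIDC region used for IDC refresh
	AccessToken  string    `json:"accessToken"`
	RefreshToken string    `json:"refreshToken"`
	ExpiresAt    time.Time `json:"expiresAt"`
}

// persistRefreshedAuth writes the record atomically: marshal, write to a temp
// file next to the target (created 0600), fsync, chmod explicitly, rename.
func persistRefreshedAuth(path string, auth *kiroAuthFile) error {
	data, err := json.MarshalIndent(auth, "", "  ")
	if err != nil {
		return fmt.Errorf("persist auth: marshal: %w", err)
	}
	dir := filepath.Dir(path)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return fmt.Errorf("persist auth: mkdir: %w", err)
	}
	tmp, err := os.CreateTemp(dir, ".kiro-auth-*.tmp") // same filesystem, so rename is atomic
	if err != nil {
		return fmt.Errorf("persist auth: create temp: %w", err)
	}
	tmpName := tmp.Name()
	defer os.Remove(tmpName) // no-op after a successful rename
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return fmt.Errorf("persist auth: write: %w", err)
	}
	if err := tmp.Sync(); err != nil {
		tmp.Close()
		return fmt.Errorf("persist auth: sync: %w", err)
	}
	if err := tmp.Close(); err != nil {
		return fmt.Errorf("persist auth: close: %w", err)
	}
	if err := os.Chmod(tmpName, 0o600); err != nil { // explicit, independent of umask
		return fmt.Errorf("persist auth: chmod: %w", err)
	}
	if err := os.Rename(tmpName, path); err != nil {
		return fmt.Errorf("persist auth: rename: %w", err)
	}
	return nil
}

// loadAuth reads the record back and refuses a file readable by group or
// others, which catches a token file copied into place with the wrong mode.
func loadAuth(path string) (*kiroAuthFile, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if info.Mode().Perm()&0o077 != 0 {
		return nil, fmt.Errorf("load auth: %s has mode %o, expected 0600", path, info.Mode().Perm())
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var auth kiroAuthFile
	if err := json.Unmarshal(data, &auth); err != nil {
		return nil, fmt.Errorf("load auth: parse: %w", err)
	}
	return &auth, nil
}

// needsRefresh reports whether to refresh before sending a request, with a
// skew so a token is not used in its last moments and expires mid-flight.
func needsRefresh(auth *kiroAuthFile, now time.Time, skew time.Duration) bool {
	return !now.Add(skew).Before(auth.ExpiresAt)
}

func main() {
	dir, err := os.MkdirTemp("", "kiro-auth-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "kiro-auth.json")
	auth := &kiroAuthFile{AuthMethod: "idc", Region: "us-east-1", AccessToken: "constructed-access-token",
		RefreshToken: "constructed-refresh-token", ExpiresAt: time.Now().Add(time.Hour)}
	if err := persistRefreshedAuth(path, auth); err != nil {
		fmt.Println(err)
		return
	}
	loaded, err := loadAuth(path)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("persisted; refresh needed now:", needsRefresh(loaded, time.Now(), 5*time.Minute))
}
```

Writing through CreateTemp plus Rename is also what makes a single helper such as the applyRefreshedAuth suggested above safe to call from every refresh path: concurrent callers each produce a complete file and the last rename wins, never a mix of two records.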

- Handle errors in promptInput instead of ignoring them
- Improve promptSelect to provide feedback on invalid input and re-prompt
- Use sentinel errors (ErrAuthorizationPending, ErrSlowDown) instead of
  string-based error checking with strings.Contains
- Move hardcoded x-amz-user-agent header to idcAmzUserAgent constant

Addresses code review feedback from Gemini Code Assist.
@luispater luispater merged commit d3f4783 into router-for-me:main Dec 24, 2025
2 checks passed