3P Bedrock SSO: credentials silently expire without triggering re-auth on day 2+

Resolved 💬 3 comments Opened May 28, 2026 by michaelandersonLFO Closed Jun 30, 2026

Summary

In 3P (Cowork) deployments using Bedrock SSO (inferenceCredentialKind: "interactive", inferenceBedrockSso* fields), credentials expire after ~8 hours and the app never attempts to re-authenticate. Users open the app the next day and it silently fails to make inference calls — no sign-in prompt, no error dialog, just dead sessions.

Root Cause (source-verified)

In resolveCredentialOverrides, the inline device-code re-auth gate only fires for GatewaySso and FoundryEntra:

t === "interactive" && o === zI &&
(r.interactiveKind === fE.GatewaySso || r.interactiveKind === fE.FoundryEntra)

fE.BedrockSso is absent from this condition. When the stored Bedrock SSO token is expired (isBedrockSsoTokenUsable returns false) and resolve({interactive: false}) returns the zI sentinel, the function falls through to the error/empty-return path instead of opening the device-code window. The app has the infrastructure (withDeviceCodeWindow, doGrant via Lhi, credentialResolveStatusMessage already handling BedrockSso) — the re-auth just isn't wired into the trigger condition.

The fix is one line — add fE.BedrockSso to the condition:

t === "interactive" && o === zI &&
(r.interactiveKind === fE.GatewaySso ||
 r.interactiveKind === fE.FoundryEntra ||
 r.interactiveKind === fE.BedrockSso)   // ← missing

Token lifetime context

isBedrockSsoTokenUsable (wZe):

return e.accessTokenExpiresAt - 120_000 > Date.now()
    || (!!e.refreshToken && e.clientExpiresAt > Date.now())

AWS IAM Identity Center access tokens typically expire in 8 hours. The refresh token path covers the window, but once both are expired the re-auth gate must fire — and currently doesn't for Bedrock.

Impact

  • Deployment type: 3P / Cowork, Bedrock SSO (inferenceCredentialKind: "interactive")
  • Trigger: Any session started after the access token + refresh window expires (day 2 for most users with default IAM Identity Center settings)
  • Symptom: App loads, no sign-in prompt, inference calls silently fail or hang
  • Workaround: None practical at scale. Clearing custom3pBedrockSsoTokens from config.json forces re-auth on next launch but requires per-user intervention. Credential helper scripts require AWS CLI on every user machine, which is not viable for end-user Cowork deployments.

Environment

  • Claude desktop app (3P/Cowork deployment mode)
  • deploymentMode: "3p" in claude_desktop_config.json
  • inferenceProvider: "bedrock", inferenceCredentialKind: "interactive"
  • AWS IAM Identity Center SSO via inferenceBedrockSsoStartUrl

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗