3P Bedrock SSO: credentials silently expire without triggering re-auth on day 2+
Summary
In 3P (Cowork) deployments using Bedrock SSO (inferenceCredentialKind: "interactive", inferenceBedrockSso* fields), credentials expire after ~8 hours and the app never attempts to re-authenticate. Users open the app the next day and it silently fails to make inference calls — no sign-in prompt, no error dialog, just dead sessions.
Root Cause (source-verified)
In resolveCredentialOverrides, the inline device-code re-auth gate only fires for GatewaySso and FoundryEntra:
t === "interactive" && o === zI &&
(r.interactiveKind === fE.GatewaySso || r.interactiveKind === fE.FoundryEntra)
fE.BedrockSso is absent from this condition. When the stored Bedrock SSO token is expired (isBedrockSsoTokenUsable returns false) and resolve({interactive: false}) returns the zI sentinel, the function falls through to the error/empty-return path instead of opening the device-code window. The app has the infrastructure (withDeviceCodeWindow, doGrant via Lhi, credentialResolveStatusMessage already handling BedrockSso) — the re-auth just isn't wired into the trigger condition.
The fix is one line — add fE.BedrockSso to the condition:
t === "interactive" && o === zI &&
(r.interactiveKind === fE.GatewaySso ||
r.interactiveKind === fE.FoundryEntra ||
r.interactiveKind === fE.BedrockSso) // ← missing
Token lifetime context
isBedrockSsoTokenUsable (wZe):
return e.accessTokenExpiresAt - 120_000 > Date.now()
|| (!!e.refreshToken && e.clientExpiresAt > Date.now())
AWS IAM Identity Center access tokens typically expire in 8 hours. The refresh token path covers the window, but once both are expired the re-auth gate must fire — and currently doesn't for Bedrock.
Impact
- Deployment type: 3P / Cowork, Bedrock SSO (
inferenceCredentialKind: "interactive") - Trigger: Any session started after the access token + refresh window expires (day 2 for most users with default IAM Identity Center settings)
- Symptom: App loads, no sign-in prompt, inference calls silently fail or hang
- Workaround: None practical at scale. Clearing
custom3pBedrockSsoTokensfromconfig.jsonforces re-auth on next launch but requires per-user intervention. Credential helper scripts require AWS CLI on every user machine, which is not viable for end-user Cowork deployments.
Environment
- Claude desktop app (3P/Cowork deployment mode)
deploymentMode: "3p"inclaude_desktop_config.jsoninferenceProvider: "bedrock",inferenceCredentialKind: "interactive"- AWS IAM Identity Center SSO via
inferenceBedrockSsoStartUrl
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗