
feat(kiro): add IDC auth code flow, redesign fingerprint and API protocol#395

Merged
luispater merged 2 commits into router-for-me:main from Xm798:feat/kiro
Feb 27, 2026

Conversation

@Xm798 Xm798 commented Feb 27, 2026

Background

Kiro auth previously supported Builder ID (device code + auth code), IDC (device code via interactive menu only), and social login (Google/GitHub token import). Several aspects didn't match real Kiro IDE behavior:

  1. IDC lacked auth code flow and CLI entry point — only device code via interactive menu; no way to invoke IDC login directly from CLI flags or pre-configure start URL in config
  2. Unstable fingerprint: KiroHash included time.Now().UnixNano(), changing on every restart; struct contained unused browser fields (ScreenResolution, ColorDepth, etc.) not present in real IDE traffic; all endpoints shared a single SDK version pool, while the real IDE uses different versions for OIDC / runtime / streaming
  3. Non-IDC auth used Amazon Q CLI headers (aws-sdk-rust/1.3.9 + app/AmazonQ-For-CLI), inconsistent with Kiro IDE
  4. Runtime API used legacy protocol — JSON-RPC via codewhisperer.us-east-1.amazonaws.com, while the real IDE has moved to REST via q.{region}.amazonaws.com
  5. Inconsistent OIDC headers — each method set headers manually with different styles; RefreshTokenWithRegion used a completely different hardcoded header set
  6. Builder ID login fetched ProfileArn unnecessarily — Builder ID has no profile, the call always returned empty

Summary

Kiro Auth & Fingerprint

  • IDC auth code flow & CLI login: added LoginWithIDCAuthCode; CLI flags --kiro-idc-login, --kiro-idc-start-url, --kiro-idc-region, --kiro-idc-flow allow direct IDC login without interactive prompts; start-url field added to config; RefreshTokenWithRegion now falls back to default region when empty
  • Fingerprint redesign: global singleton, deterministic per-account generation via sha256(accountKey), three SDK version pools (OIDC 3.7xx / runtime 1.0.0 / streaming 1.0.27), removed unused browser fields, external config override via kiro-fingerprint
  • Unified headers: all auth types now use Kiro IDE-style dynamic fingerprint headers; all OIDC requests go through SetOIDCHeaders()
  • Runtime API migration: getUsageLimits / ListAvailableModels moved from JSON-RPC to REST (q.{region}.amazonaws.com + GET); FetchProfileArn tries new ListAvailableProfiles first, falls back to legacy ListProfiles
  • Auto-fetch profileArn in Execute/ExecuteStream for imported accounts; Builder ID login no longer attempts to fetch it

Kiro Translator

  • Added AgentContinuationID / AgentTaskType to conversation state; extract conversationId / continuationId from messages[].additional_kwargs

Other

  • Added kiro-claude-sonnet-4-6 model alias
  • Updated CLI login docs in README (EN/CN)
  • Antigravity: tool_result images placed inside functionResponse.parts; mime_type → mimeType; primary model list cache with fallback; multi-auth model backfill
  • +2000 lines of new tests

Test plan

  • IDC auth code: --kiro-idc-login --kiro-idc-start-url <url>
  • IDC device code: --kiro-idc-login --kiro-idc-start-url <url> --kiro-idc-flow device
  • Builder ID: --kiro-aws-login / --kiro-aws-authcode
  • Verify Sonnet 4.6 alias resolves correctly

I've tested the IDC-related flows. Additional testing and feedback on other auth methods are appreciated.

…int system

- Add IAM Identity Center (IDC) authentication with CLI flags (--kiro-idc-login, --kiro-idc-start-url, --kiro-idc-region) and login flow
- Add ProfileArn auto-fetching in Execute/ExecuteStream for imported IDC accounts
- Simplify endpoint preference with map-based alias lookup and getAuthValue helper
- Redesign fingerprint as global singleton with external config and per-account deterministic generation
- Add StartURL and FingerprintConfig fields to Kiro config
- Add AgentContinuationID/AgentTaskType support in Kiro translators
- Add comprehensive tests for executor, fingerprint, SSO OIDC, and AWS helpers
- Add CLI login documentation to README
- Add kiro-claude-sonnet-4-6 alias mapping to claude-sonnet-4-6
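The fingerprint redesign above replaces a time-seeded hash with one derived from sha256(accountKey), so an account presents the same machine ID and SDK versions on every restart while different accounts stay distinct. The following is an added example written for this page, not the project's code: the pool contents, the account-key derivation (clientID and refresh token hashed together) and the per-field slicing of the seed are all assumptions chosen to illustrate the technique.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sync"
)

// Version pools, one per API surface, as the PR describes. The entries are
// placeholders for illustration, not the project's real pools.
var (
	oidcSDKVersions      = []string{"3.700.0", "3.701.0", "3.705.0"}
	runtimeSDKVersions   = []string{"1.0.0"}
	streamingSDKVersions = []string{"1.0.27"}
	osVersions           = []string{"darwin 24.5.0", "win32 10.0.26100", "linux 6.8.0"}
	nodeVersions         = []string{"20.18.1", "22.14.0"}
)

// Fingerprint is the set of client-identifying values sent with every request.
// All fields are strings, so two fingerprints can be compared with ==.
type Fingerprint struct {
	MachineID    string
	OIDCSDK      string
	RuntimeSDK   string
	StreamingSDK string
	OS           string
	Node         string
}

// GenerateAccountKey derives a stable, non-reversible key from credentials that
// survive restarts (assumed inputs: client ID and refresh token). The refresh
// token itself is never stored or logged; only its hash drives generation.
func GenerateAccountKey(clientID, refreshToken string) string {
	sum := sha256.Sum256([]byte(clientID + "\x00" + refreshToken))
	return hex.EncodeToString(sum[:])
}

// pick chooses pool[i] from a field-specific 4-byte slice of the seed, so each
// field varies independently but is fully determined by the account key.
func pick(seed [32]byte, field int, pool []string) string {
	v := binary.BigEndian.Uint32(seed[field*4 : field*4+4])
	return pool[int(v%uint32(len(pool)))]
}

// generate uses sha256(accountKey) where the old code used time.Now().UnixNano():
// the same account yields the same fingerprint on every process start.
func generate(accountKey string) Fingerprint {
	seed := sha256.Sum256([]byte(accountKey))
	return Fingerprint{
		MachineID:    hex.EncodeToString(seed[:16]),
		OIDCSDK:      pick(seed, 0, oidcSDKVersions),
		RuntimeSDK:   pick(seed, 1, runtimeSDKVersions),
		StreamingSDK: pick(seed, 2, streamingSDKVersions),
		OS:           pick(seed, 3, osVersions),
		Node:         pick(seed, 4, nodeVersions),
	}
}

// FingerprintManager caches generated fingerprints per account key; a
// process-wide singleton is simply one shared instance of this type.
type FingerprintManager struct {
	mu    sync.Mutex
	cache map[string]Fingerprint
}

func NewFingerprintManager() *FingerprintManager {
	return &FingerprintManager{cache: make(map[string]Fingerprint)}
}

// Get returns the cached fingerprint for accountKey, generating it on first use.
func (m *FingerprintManager) Get(accountKey string) Fingerprint {
	m.mu.Lock()
	defer m.mu.Unlock()
	if fp, ok := m.cache[accountKey]; ok {
		return fp
	}
	fp := generate(accountKey)
	m.cache[accountKey] = fp
	return fp
}

func main() {
	// Constructed credentials; real values would come from the token file.
	key := GenerateAccountKey("client-id-constructed", "refresh-token-constructed")
	before := NewFingerprintManager().Get(key) // first process lifetime
	after := NewFingerprintManager().Get(key)  // simulated restart: fresh manager, same key
	fmt.Printf("stable across restart: %v\n", before == after)
	fmt.Printf("machineID=%s oidc=%s runtime=%s streaming=%s\n",
		before.MachineID, before.OIDCSDK, before.RuntimeSDK, before.StreamingSDK)
}
```

Because every field is a pure function of the account key, a config override (the PR's kiro-fingerprint block) only needs to replace whole pools or pin individual fields; the cache must be cleared when that happens, which is why the PR's SetConfig is described as clearing it.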
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the Kiro authentication and API interaction layers to align more closely with the behavior of the official Kiro IDE. The primary goal is to enhance compatibility, stability, and feature parity, particularly for AWS IAM Identity Center (IDC) users, by introducing a robust authorization code flow and a redesigned, deterministic fingerprinting system. These changes streamline the login experience, improve API request consistency, and lay the groundwork for more reliable integration with Kiro services.

Highlights

  • IDC Authentication Redesign: Implemented a full authorization code flow for AWS IAM Identity Center (IDC) login, including new CLI flags (--kiro-idc-login, --kiro-idc-start-url, --kiro-idc-region, --kiro-idc-flow) for direct CLI invocation without interactive prompts. The RefreshTokenWithRegion function now gracefully falls back to a default region when none is specified.
  • Fingerprint System Overhaul: Redesigned the Kiro fingerprinting mechanism to be a global singleton, generating deterministic fingerprints per account using sha256(accountKey). This update introduces three distinct SDK version pools for OIDC, runtime, and streaming APIs, removes unused browser-related fields, and allows external configuration overrides via kiro-fingerprint.
  • API Protocol Modernization: Migrated getUsageLimits and ListAvailableModels API calls from the legacy JSON-RPC protocol (codewhisperer.us-east-1.amazonaws.com) to the modern REST API (q.{region}.amazonaws.com). All OIDC requests now utilize a unified header setting function (SetOIDCHeaders()) for consistency.
  • Profile ARN Handling Improvements: Enhanced the logic for fetching ProfileArn by first attempting the new ListAvailableProfiles API and falling back to the legacy ListProfiles if necessary. Builder ID logins no longer attempt to fetch a ProfileArn as it is not applicable to that authentication method.
  • Kiro Translator Enhancements: Added AgentContinuationID and AgentTaskType to the conversation state and implemented extraction of conversationId and continuationId from messages[].additional_kwargs for improved conversation management.


Changelog
  • README.md
    • Updated CLI login instructions to include new IDC authentication options and flags.
  • README_CN.md
    • Updated Chinese CLI login documentation to reflect new IDC authentication options.
  • cmd/server/main.go
    • Added new CLI flags for IDC login (--kiro-idc-login, --kiro-idc-start-url, --kiro-idc-region, --kiro-idc-flow).
    • Integrated kiro.InitFingerprintConfig for global fingerprint initialization.
  • config.example.yaml
    • Added example configuration for kiro-fingerprint to allow custom fingerprint overrides.
    • Included start-url and region fields in kiro configuration examples for IDC login presets.
  • internal/auth/kiro/aws.go
    • Added log import.
    • Updated KiroTokenData.Region comment to clarify its role in OIDC.
    • Introduced DefaultKiroRegion constant.
    • Added GetCodeWhispererLegacyEndpoint for JSON-RPC APIs.
    • Defined ProfileARN struct and ParseProfileARN function for ARN parsing.
    • Added GetKiroAPIEndpoint, GetKiroAPIEndpointFromProfileArn, and ExtractRegionFromProfileArn for endpoint resolution.
    • Implemented ExtractRegionFromMetadata for region priority resolution.
    • Added buildURL utility function for constructing URLs with query parameters.
  • internal/auth/kiro/aws_auth.go
    • Removed awsKiroEndpoint and endpoint field from KiroAuth struct.
    • Defined pathGetUsageLimits and pathListAvailableModels constants.
    • Refactored makeRequest to use REST-style GET requests and new header setting logic.
    • Updated GetUsageLimits and ListAvailableModels to use the new REST API paths and tokenData for headers.
  • internal/auth/kiro/aws_test.go
    • Added strings import.
    • Modified TestGenerateTokenFileName to use exact and prefix checks for more flexible testing.
    • Added comprehensive tests for ParseProfileARN, ExtractRegionFromProfileArn, GetKiroAPIEndpoint, GetKiroAPIEndpointFromProfileArn, GetCodeWhispererLegacyEndpoint, and ExtractRegionFromMetadata.
  • internal/auth/kiro/codewhisperer_client.go
    • Removed uuid import and machineID field.
    • Removed codeWhispererAPI and kiroVersion constants.
    • Removed generateInvocationID function.
    • Updated NewCodeWhispererClient to no longer require machineID.
    • Refactored GetUsageLimits to use GetKiroAPIEndpointFromProfileArn and setRuntimeHeaders.
    • Updated FetchUserEmailFromAPI and FetchUserEmailWithFallback to accept clientID and refreshToken for account key generation.
  • internal/auth/kiro/fingerprint.go
    • Added encoding/binary, runtime, and slices imports.
    • Redesigned Fingerprint struct to include separate SDK versions for OIDC, Runtime, and Streaming, and removed browser-specific fields.
    • Introduced FingerprintConfig struct for external configuration overrides.
    • Modified FingerprintManager to store an optional config.
    • Updated SDK, OS, Node, and Kiro version pools.
    • Implemented GlobalFingerprintManager singleton pattern.
    • Added SetConfig method to update configuration and clear cache.
    • Refactored generateFingerprint to support configuration-based or random generation.
    • Updated generateRandom to use a deterministic seed based on accountKey hash.
    • Removed ApplyToRequest, RemoveFingerprint, Count, randomChoice, and randomIntChoice functions.
    • Added GenerateAccountKey and GetAccountKey for deterministic account key generation.
    • Updated BuildUserAgent and BuildAmzUserAgent to use specific SDK versions.
    • Introduced SetOIDCHeaders and setRuntimeHeaders for consistent header application.
  • internal/auth/kiro/fingerprint_test.go
    • Added runtime and strings imports.
    • Updated TestGetFingerprint_NewToken to check new SDK version fields and removed checks for deprecated browser fields.
    • Removed tests for RemoveFingerprint, Count, and ApplyToRequest.
    • Renamed TestKiroHashUniqueness to TestKiroHashStability and updated its logic.
    • Added tests for GlobalFingerprintManager, SetOIDCHeaders, buildURL, BuildUserAgentFormat, BuildAmzUserAgentFormat, SetRuntimeHeaders, SDKVersionsAreValid, KiroVersionsAreValid, NodeVersionsAreValid, FingerprintManager_SetConfig, FingerprintManager_SetConfig_PartialFields, FingerprintManager_SetConfig_ClearsCache, GenerateAccountKey, GetAccountKey, and FingerprintDeterministic.
  • internal/auth/kiro/oauth.go
    • Updated NewKiroOAuth to initialize machineID and kiroVersion from the global fingerprint manager.
    • Modified exchangeCodeForToken and RefreshTokenWithFingerprint to use dynamic User-Agent and Accept headers.
    • Removed buildKiroUserAgent function.
  • internal/auth/kiro/oauth_web.go
    • Removed stateID field from webAuthSession.
    • Updated pollForToken to conditionally fetch profileArn only for IDC auth and to pass clientID and refreshToken to FetchUserEmailWithFallback.
    • Adjusted saveTokenToFile to use GenerateTokenFileName.
  • internal/auth/kiro/refresh_manager.go
    • Updated comments for RefreshManager and its methods to be in English.
    • Removed Chinese comments.
    • Added initGlobalFingerprintConfig and InitFingerprintConfig to initialize global fingerprint settings from the application configuration.
  • internal/auth/kiro/social_auth.go
    • Added machineID and kiroVersion fields to SocialAuthClient struct.
    • Updated NewSocialAuthClient to initialize machineID and kiroVersion from the global fingerprint manager.
    • Modified CreateToken and RefreshSocialToken to use dynamic User-Agent and Accept headers.
  • internal/auth/kiro/sso_oidc.go
    • Added net/url import.
    • Removed kiroUserAgent and idcAmzUserAgent constants.
    • Removed Sentinel errors for OIDC token polling comment.
    • Updated RegisterClientResponse struct field names to be camelCase.
    • Replaced manual header setting with SetOIDCHeaders in RegisterClientWithRegion, StartDeviceAuthorizationWithIDC, CreateTokenWithRegion, RefreshTokenWithRegion, RegisterClient, StartDeviceAuthorization, CreateToken, and RefreshToken.
    • Modified RefreshTokenWithRegion to default to defaultIDCRegion if region is empty.
    • Updated LoginWithIDC to pass clientID and refreshToken to FetchProfileArn and FetchUserEmailWithFallback.
    • Introduced IDCLoginOptions struct for IDC login parameters.
    • Refactored LoginWithMethodSelection to support pre-configured IDC options and distinguish between device code and auth code flows.
    • Added LoginWithIDCAndOptions for IDC login with specified region.
    • Added RegisterClientForAuthCodeWithIDC for registering clients for IDC auth code flow.
    • Modified startAuthCodeCallbackServer to use doneChan for graceful shutdown.
    • Added CreateTokenWithAuthCodeAndRegion for creating tokens with auth code and region.
    • Removed profileArn fetching for Builder ID in LoginWithBuilderID.
    • Renamed fetchProfileArn to FetchProfileArn and updated its logic to prioritize tryListAvailableProfiles and fallback to tryListProfilesLegacy.
    • Renamed tryListProfiles to tryListAvailableProfiles and updated it to use the new Q API endpoint and setRuntimeHeaders.
    • Renamed tryListCustomizations to tryListProfilesLegacy and updated it to use GetCodeWhispererLegacyEndpoint and target ListProfiles.
    • Implemented LoginWithIDCAuthCode for the new IDC authorization code flow.
    • Added buildAuthorizationURL helper function.
  • internal/auth/kiro/sso_oidc_test.go
    • Added new test file for sso_oidc client.
    • Included tests for tryListAvailableProfiles to verify account key usage.
    • Added a comprehensive test for RegisterClientForAuthCodeWithIDC covering request details and response parsing.
    • Introduced rewriteTransport for mocking HTTP requests.
    • Added TestBuildAuthorizationURL to verify the construction of authorization URLs.
  • internal/auth/kiro/token.go
    • Updated comment for Region field in KiroTokenStorage to clarify its role in OIDC.
  • internal/auth/kiro/token_repository.go
    • Simplified token metadata parsing in readTokenFile by directly assigning string values and using ok checks for time parsing.
  • internal/auth/kiro/usage_checker.go
    • Removed strings import.
    • Removed endpoint field from UsageChecker struct.
    • Updated NewUsageChecker and NewUsageCheckerWithClient to no longer set endpoint.
    • Refactored CheckUsage to use GetKiroAPIEndpointFromProfileArn, buildURL, and setRuntimeHeaders for API calls.
  • internal/cmd/kiro_login.go
    • Added DoKiroIDCLogin function to handle IDC login via CLI, including argument parsing and error handling.
  • internal/config/config.go
    • Added KiroFingerprintConfig struct for global fingerprint settings.
    • Added KiroFingerprint field to the main Config struct.
    • Added StartURL field to KiroKey struct for IDC start URL configuration.
  • internal/config/oauth_model_alias_migration.go
    • Added kiro-claude-sonnet-4-6 model alias.
  • internal/runtime/executor/kiro_executor.go
    • Removed old kiroUserAgent, kiroFullUserAgent, kiroIDEUserAgent, kiroIDEAmzUserAgent, and kiroIDEAgentModeVibe constants.
    • Removed global fingerprint manager initialization and getGlobalFingerprintManager function.
    • Added endpointAliases map for endpoint preference resolution.
    • Removed isIDCAuth function.
    • Added profileArnMu mutex to KiroExecutor.
    • Updated getKiroEndpointConfigs to use endpointAliases for preferred endpoint sorting and getAuthValue for preference retrieval.
    • Modified applyDynamicFingerprint to use kiroauth.GlobalFingerprintManager and getAccountKey for headers.
    • Refactored getTokenKey to getAccountKey with improved logic for generating stable account keys.
    • Added getAuthValue helper function to retrieve values from auth metadata or attributes.
    • Integrated fetchAndSaveProfileArn into Execute and ExecuteStream to automatically fetch missing profile ARNs for imported accounts.
    • Updated getEffectiveProfileArnWithWarning to specifically suppress profileArn for builder-id auth only.
  • internal/runtime/executor/kiro_executor_test.go
    • Added new test file for kiro_executor.
    • Included tests for buildKiroEndpointConfigs to verify endpoint URLs and origins.
    • Added tests for getKiroEndpointConfigs covering nil auth, region extraction, API region override, and preferred endpoint logic.
    • Added tests for getAuthValue to verify metadata/attribute precedence and value trimming.
    • Added tests for getAccountKey to ensure correct key generation based on client ID, refresh token, or random fallback.
    • Added TestEndpointAliases to verify the alias mapping.
  • internal/translator/kiro/claude/kiro_claude_request.go
    • Added AgentContinuationID and AgentTaskType fields to KiroConversationState.
    • Modified BuildKiroPayload to extract conversationId and continuationId from messages[].additional_kwargs and set AgentTaskType.
    • Added extractMetadataFromMessages helper function.
  • internal/translator/kiro/openai/kiro_openai_request.go
    • Added AgentContinuationID and AgentTaskType fields to KiroConversationState.
    • Modified BuildKiroPayloadFromOpenAI to extract conversationId and continuationId from messages[].additional_kwargs and set AgentTaskType.
    • Added extractMetadataFromMessages helper function.
  • sdk/auth/kiro.go
    • Modified Login function to extract IDC login options from opts.Metadata and pass them to ssoClient.LoginWithMethodSelection.
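The changelog above lists buildAuthorizationURL, a loopback callback server and CreateTokenWithAuthCodeAndRegion for the new IDC authorization code flow. The piece a reviewer should look for in any such flow is the binding between the URL the CLI opens and the callback it later accepts. The example below is added for this page and is not the project's implementation: the oidc.{region}.amazonaws.com host, the /authorize path and the parameter names are assumptions that follow the generic OAuth 2.0 authorization code flow, and it goes beyond what the PR describes by adding a PKCE S256 challenge alongside the state check.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// AuthRequest carries the per-login values the callback handler must check.
// Keep it in memory for exactly one login attempt; never reuse the state.
type AuthRequest struct {
	State        string
	CodeVerifier string
	URL          string
}

func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// BuildAuthorizationURL assembles the authorize URL for the OIDC endpoint of the
// given region with a fresh state and an S256 PKCE challenge. Host, path and
// parameter names are assumptions for this example; check them against the
// identity provider's documentation before relying on them.
func BuildAuthorizationURL(region, clientID, redirectURI string, scopes []string) (AuthRequest, error) {
	state, err := randomURLSafe(32)
	if err != nil {
		return AuthRequest{}, err
	}
	verifier, err := randomURLSafe(32) // 43 chars, inside the 43..128 range PKCE requires
	if err != nil {
		return AuthRequest{}, err
	}
	sum := sha256.Sum256([]byte(verifier))
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	q.Set("code_challenge", base64.RawURLEncoding.EncodeToString(sum[:]))
	q.Set("code_challenge_method", "S256")
	u := url.URL{Scheme: "https", Host: "oidc." + region + ".amazonaws.com", Path: "/authorize", RawQuery: q.Encode()}
	return AuthRequest{State: state, CodeVerifier: verifier, URL: u.String()}, nil
}

// ExtractCode validates the loopback callback before any token exchange.
// The state comparison is constant-time and a mismatch is fatal: accepting a
// code with a wrong or missing state lets an attacker-initiated login be bound
// to the victim's session.
func ExtractCode(req AuthRequest, callback *url.URL) (string, error) {
	q := callback.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s (%s)", e, q.Get("error_description"))
	}
	got := q.Get("state")
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(req.State)) != 1 {
		return "", errors.New("state mismatch: possible CSRF or stale callback")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}

func main() {
	// Constructed client ID, redirect URI and scope; not values from the project.
	req, err := BuildAuthorizationURL("us-east-1", "client-id-constructed",
		"http://127.0.0.1:8080/oauth/callback", []string{"scope-constructed"})
	if err != nil {
		panic(err)
	}
	fmt.Println("open in browser:", req.URL)

	// Constructed callbacks: one genuine, one forged with a different state.
	good, _ := url.Parse("http://127.0.0.1:8080/oauth/callback?code=AUTHCODE123&state=" + url.QueryEscape(req.State))
	bad, _ := url.Parse("http://127.0.0.1:8080/oauth/callback?code=AUTHCODE123&state=forged")
	code, err := ExtractCode(req, good)
	fmt.Printf("genuine callback: code=%q err=%v\n", code, err)
	_, err = ExtractCode(req, bad)
	fmt.Printf("forged callback: err=%v\n", err)
	// The token exchange (not shown) would POST code plus req.CodeVerifier to the token endpoint.
}
```

In a real callback server the handler should also bind to 127.0.0.1 only, accept a single request and then shut down (the PR's doneChan shutdown serves that purpose), and reply with a fixed page rather than echoing any query parameter back into HTML.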
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces comprehensive support for AWS IAM Identity Center (IDC) authentication within the CLI, alongside significant refactoring of Kiro's internal authentication and API request mechanisms. Key changes include adding new CLI flags (--kiro-idc-login, --kiro-idc-start-url, --kiro-idc-region, --kiro-idc-flow) and updating README.md files to document these new login methods. The authentication flow now supports both device code and authorization code flows for IDC. Internally, the fingerprinting system has been overhauled to use a global, configurable manager that generates deterministic, account-specific fingerprints for various SDK versions (OIDC, runtime, streaming) and OS/Node/Kiro versions, replacing previous static or less dynamic User-Agent headers. API request functions have been refactored to dynamically determine endpoints and apply these new fingerprint-based headers. The handling of profileArn and user email fetching has been improved, with profileArn now being suppressed for Builder ID and AWS SSO OIDC methods to prevent 403 errors, and fetched dynamically for imported accounts if missing. Additionally, the KiroKey configuration now supports start-url and region fields for pre-configuring IDC details, and a new KiroFingerprintConfig allows overriding default fingerprint values. Conversation state handling for Claude and OpenAI requests has been enhanced to extract conversationId and continuationId from message metadata, improving session continuity.
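The review above notes that endpoints are now determined dynamically from the profile ARN, an API region override and the token's region. That region ends up in a hostname, so a practitioner will want to see it validated before use: a crafted region in an imported token file or profile ARN would otherwise send the bearer token to a host of the attacker's choosing. The example below is added for this page, not the project's code. The ARN layout is the standard six-field form; the priority order (API override, then profile ARN, then token region, then default), the /getUsageLimits path and the sample account and profile IDs are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

const (
	defaultRegion  = "us-east-1"
	legacyEndpoint = "https://codewhisperer.us-east-1.amazonaws.com" // JSON-RPC APIs
)

// regionRe accepts only well-formed AWS region names. Because the region is
// spliced into a hostname, anything looser lets a crafted token file or profile
// ARN redirect requests, and the bearer token, to an attacker-chosen host.
var regionRe = regexp.MustCompile(`^[a-z]{2}(-gov|-iso[a-z]?)?-[a-z]+-\d$`)

func validRegion(r string) bool { return regionRe.MatchString(r) }

// ProfileARN is the decomposed form of arn:partition:service:region:account:resource.
type ProfileARN struct {
	Partition, Service, Region, AccountID, Resource string
}

// ParseProfileARN splits an ARN into its six colon-separated fields and checks
// the parts that later drive endpoint selection.
func ParseProfileARN(s string) (ProfileARN, error) {
	parts := strings.SplitN(s, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return ProfileARN{}, fmt.Errorf("malformed ARN %q", s)
	}
	arn := ProfileARN{parts[1], parts[2], parts[3], parts[4], parts[5]}
	if arn.Service != "codewhisperer" {
		return ProfileARN{}, fmt.Errorf("unexpected service %q in ARN", arn.Service)
	}
	if !validRegion(arn.Region) {
		return ProfileARN{}, fmt.Errorf("invalid region %q in ARN", arn.Region)
	}
	return arn, nil
}

// ResolveRegion picks the region with the priority assumed here: explicit API
// override, then the profile ARN, then the region stored with the token, then
// the default. Every candidate is validated before it can reach a hostname.
func ResolveRegion(apiRegion, profileArn, tokenRegion string) (string, error) {
	if apiRegion != "" {
		if !validRegion(apiRegion) {
			return "", fmt.Errorf("invalid api region %q", apiRegion)
		}
		return apiRegion, nil
	}
	if profileArn != "" {
		arn, err := ParseProfileARN(profileArn)
		if err != nil {
			return "", err
		}
		return arn.Region, nil
	}
	if tokenRegion != "" {
		if !validRegion(tokenRegion) {
			return "", fmt.Errorf("invalid token region %q", tokenRegion)
		}
		return tokenRegion, nil
	}
	return defaultRegion, nil
}

// KiroAPIEndpoint returns the REST base URL for a region (q.{region}.amazonaws.com).
func KiroAPIEndpoint(region string) string {
	return "https://q." + region + ".amazonaws.com"
}

// BuildURL joins base and path and encodes params, so values such as a profile
// ARN are escaped rather than spliced into the query string.
func BuildURL(base, path string, params map[string]string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	u.Path = path
	q := url.Values{}
	for k, v := range params {
		q.Set(k, v)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed profile ARN; account ID and profile ID are placeholders.
	arn := "arn:aws:codewhisperer:eu-west-1:123456789012:profile/ABCDEF123456"
	region, err := ResolveRegion("", arn, "us-east-1")
	if err != nil {
		panic(err)
	}
	u, _ := BuildURL(KiroAPIEndpoint(region), "/getUsageLimits", map[string]string{"profileArn": arn})
	fmt.Println("REST:  ", u)
	fmt.Println("legacy:", legacyEndpoint)

	// A crafted region in imported metadata must not produce a foreign hostname.
	_, err = ResolveRegion("", "", "evil.example/x?")
	fmt.Println("crafted region rejected:", err != nil)
}
```

The legacy JSON-RPC endpoint stays pinned to us-east-1, so only the REST path is exposed to region injection; if the project derives the region from metadata the way the review describes, the check in validRegion (or an allow-list of known regions) is the place to enforce it.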

@luispater luispater merged commit 82df5bf into router-for-me:main Feb 27, 2026
1 of 2 checks passed