# Kiro AWS Builder ID — Standalone Auth Backend

Kiro authentication backend extracted from 9router. It handles AWS Builder ID login, AWS IAM Identity Center, Social Login (Google/GitHub) and Token Import, then stores the resulting session in SQLite.
## Installation

```bash
cd kiro-awsbuilder
npm install
```

## Running

```bash
npm start
# Server listens on http://localhost:3200
```

The port can be changed via the PORT environment variable.
## Authentication Methods

| Method | Description |
|---|---|
| AWS Builder ID | Device Code Flow (default, free) |
| AWS IAM Identity Center (IDC) | Device Code Flow with a custom startUrl & region |
| Google / GitHub | Social Login via PKCE + manual callback |
| Import Token | Paste a refresh token or auto-detect one from ~/.aws/sso/cache/ |
## Usage

### 1. AWS Builder ID (Device Code Flow)

Standard OAuth Device Code Flow (RFC 8628). The server acts as an intermediary between the client and AWS SSO OIDC.
#### Step 1: Request Device Code

```bash
curl http://localhost:3200/api/kiro/device-code
```

Response:

```json
{
  "device_code": "AQUAAAAK...",
  "user_code": "XTLF-CQNW",
  "verification_uri": "https://device.sso.us-east-1.amazonaws.com/",
  "verification_uri_complete": "https://device.sso.us-east-1.amazonaws.com/?user_code=XTLF-CQNW",
  "expires_in": 600,
  "interval": 5,
  "_clientId": "...",
  "_clientSecret": "...",
  "_region": "us-east-1",
  "_authMethod": "builder-id",
  "_startUrl": "https://view.awsapps.com/start"
}
```
#### Step 2: User Opens the URL in a Browser

Open verification_uri_complete in a browser. The user is asked to log in with their AWS Builder ID and to authorize the request.
#### Step 3: Poll for the Token

While the user has not finished authorizing, poll every `interval` seconds (default 5 seconds):

```bash
curl -X POST http://localhost:3200/api/kiro/poll \
  -H "Content-Type: application/json" \
  -d '{
    "deviceCode": "<device_code>",
    "extraData": {
      "_clientId": "<from step 1>",
      "_clientSecret": "<from step 1>",
      "_region": "us-east-1",
      "_authMethod": "builder-id",
      "_startUrl": "https://view.awsapps.com/start"
    }
  }'
```

Not yet authorized:

```json
{ "success": false, "error": "authorization_pending", "pending": true }
```

Authorized:

```json
{ "success": true, "session": { "id": "uuid", "email": "user@example.com" } }
```

Denied / expired:

```json
{ "success": false, "error": "access_denied", "errorDescription": "..." }
```
#### Example Automation Script (Bash)

```bash
#!/bin/bash
set -euo pipefail
BASE=http://localhost:3200

# Step 1: obtain the device code and keep the extra fields needed for polling
DATA=$(curl -s "$BASE/api/kiro/device-code")
DEVICE_CODE=$(echo "$DATA" | jq -r '.device_code')
VERIFY_URL=$(echo "$DATA" | jq -r '.verification_uri_complete')
EXTRA=$(echo "$DATA" | jq -c '{_clientId, _clientSecret, _region, _authMethod, _startUrl}')
INTERVAL=$(echo "$DATA" | jq -r '.interval')

echo "Buka URL ini di browser:"
echo "$VERIFY_URL"
echo ""
echo "Polling token..."

# Step 2: poll until a token is issued (at most 60 attempts, one per interval)
for i in $(seq 1 60); do
  sleep "$INTERVAL"
  RESULT=$(curl -s -X POST "$BASE/api/kiro/poll" \
    -H "Content-Type: application/json" \
    -d "{\"deviceCode\":\"$DEVICE_CODE\",\"extraData\":$EXTRA}")
  SUCCESS=$(echo "$RESULT" | jq -r '.success')
  if [ "$SUCCESS" = "true" ]; then
    echo "Berhasil! Session:"
    echo "$RESULT" | jq .
    break
  fi
  # Keep waiting only while the server reports authorization_pending;
  # any other error (access_denied, expired_token) ends the loop.
  PENDING=$(echo "$RESULT" | jq -r '.pending')
  if [ "$PENDING" = "true" ]; then
    echo "[$i] Menunggu otorisasi..."
  else
    echo "Gagal: $(echo "$RESULT" | jq -r '.error')"
    break
  fi
done
```
### 2. AWS IAM Identity Center (IDC)

Same as Builder ID, but with additional parameters:

```bash
curl "http://localhost:3200/api/kiro/device-code?start_url=https://your-org.awsapps.com/start&region=ap-southeast-1&auth_method=idc"
```

Continue polling exactly as for Builder ID.
### 3. Import Token

#### Auto-Detect from the AWS SSO Cache

Reads ~/.aws/sso/cache/ looking for a Kiro token:

```bash
curl http://localhost:3200/api/kiro/auto-import
```

```json
{
  "found": true,
  "refreshToken": "aorAAAAAG...",
  "source": "kiro-auth-token.json"
}
```

#### Manual Import

Paste the refresh token directly:

```bash
curl -X POST http://localhost:3200/api/kiro/import \
  -H "Content-Type: application/json" \
  -d '{"refreshToken": "aorAAAAAG..."}'
```
### 4. Social Login (Google/GitHub)

Note: social login requires a manual callback because the redirect URL uses the custom protocol kiro://.

#### Step 1: Generate the Auth URL

```bash
curl "http://localhost:3200/api/kiro/social-authorize?provider=google"
```

```json
{
  "authUrl": "https://prod.us-east-1.auth.desktop.kiro.dev/login?idp=Google&...",
  "state": "...",
  "codeVerifier": "...",
  "provider": "google"
}
```

#### Step 2: User Logs In via the Browser

Open authUrl in a browser. After login, the browser redirects to kiro://kiro.kiroAgent/authenticate-success?code=XXX&state=YYY. Copy the full URL from the address bar.

#### Step 3: Exchange the Code

```bash
curl -X POST http://localhost:3200/api/kiro/social-exchange \
  -H "Content-Type: application/json" \
  -d '{
    "code": "<from the callback URL>",
    "codeVerifier": "<from step 1>",
    "provider": "google"
  }'
```
## Session Management

### List All Sessions

```bash
curl http://localhost:3200/api/sessions
```

### Session Detail (auto-refreshes the token if it is close to expiring)

```bash
curl http://localhost:3200/api/sessions/<session_id>
```

### Delete a Session

```bash
curl -X DELETE http://localhost:3200/api/sessions/<session_id>
```

### Health Check

```bash
curl http://localhost:3200/health
```
## Project Structure

```
kiro-awsbuilder/
├── package.json
└── src/
    ├── server.js           # Express server entry point
    ├── oauth/
    │   ├── config.js       # KIRO_CONFIG (AWS endpoints, scopes)
    │   ├── pkce.js         # PKCE generator
    │   ├── kiroService.js  # KiroService class
    │   ├── deviceFlow.js   # Device Code Flow logic
    │   └── tokenRefresh.js # Token refresh (proactive)
    ├── db/
    │   ├── schema.js       # SQLite schema (kiro_sessions)
    │   ├── jsonCol.js      # JSON helpers
    │   └── sessions.js     # Session CRUD + dedup by email
    └── routes/
        ├── oauth.js        # /api/kiro/*
        └── sessions.js     # /api/sessions/*
```
## API Endpoints

| Method | Endpoint | Body / Params | Description |
|---|---|---|---|
| GET | /api/kiro/device-code | ?start_url=&region=&auth_method= | Request device code |
| POST | /api/kiro/poll | { deviceCode, extraData } | Poll for token |
| GET | /api/kiro/auto-import | — | Auto-detect token from ~/.aws/sso/cache/ |
| POST | /api/kiro/import | { refreshToken } | Import a refresh token manually |
| GET | /api/kiro/social-authorize | ?provider=google\|github | Generate social login URL |
| POST | /api/kiro/social-exchange | { code, codeVerifier, provider } | Exchange social auth code |
| GET | /api/sessions | — | List all active sessions |
| GET | /api/sessions/:id | — | Session detail (auto-refresh token) |
| DELETE | /api/sessions/:id | — | Delete session |
| GET | /health | — | Health check |
## Data Storage

Sessions are stored in SQLite (data/data.sqlite) with the following schema:

| Field | Description |
|---|---|
| id | UUID primary key |
| email | Email taken from the JWT |
| accessToken | JWT access token |
| refreshToken | Refresh token |
| expiresAt | Expiry as an ISO timestamp |
| authMethod | builder-id, idc, google, github, imported |
| providerSpecificData | JSON (clientId, clientSecret, region, startUrl) |
| isActive | Active status |

Automatic dedup: logging in again with the same email updates the existing session instead of creating a new one.