fix(credential-provider-sso): accept all unexpired tokens as unexpired (#5124)

Author: kellertk

packages/credential-provider-sso/src/resolveSSOCredentials.spec.ts

@@ -97,11 +97,6 @@ describe(resolveSSOCredentials.name, () => {
       const mockExpiredToken = { ...mockToken, expiresAt: new Date(Date.now() - 60 * 1000).toISOString() };
       (getSSOTokenFromFile as jest.Mock).mockResolvedValue(mockExpiredToken);
     });
-
-    it("throws error if SSO session expires in <15 mins", async () => {
-      const mockExpiredToken = { ...mockToken, expiresAt: new Date(Date.now() + 899 * 1000).toISOString() };
-      (getSSOTokenFromFile as jest.Mock).mockResolvedValue(mockExpiredToken);
-    });
   });
 
   describe("throws error on sso.getRoleCredentials call", () => {

packages/credential-provider-sso/src/resolveSSOCredentials.ts

@@ -6,14 +6,6 @@ import { AwsCredentialIdentity } from "@smithy/types";
 
 import { FromSSOInit, SsoCredentialsParameters } from "./fromSSO";
 
-/**
- * The time window (15 mins) that SDK will treat the SSO token expires in before the defined expiration date in token.
- * This is needed because server side may have invalidated the token before the defined expiration date.
- *
- * @internal
- */
-const EXPIRE_WINDOW_MS = 15 * 60 * 1000;
-
 const SHOULD_FAIL_CREDENTIAL_CHAIN = false;
 
 /**
@@ -52,7 +44,7 @@ export const resolveSSOCredentials = async ({
     }
   }
 
-  if (new Date(token.expiresAt).getTime() - Date.now() <= EXPIRE_WINDOW_MS) {
+  if (new Date(token.expiresAt).getTime() - Date.now() <= 0) {
     throw new CredentialsProviderError(
       `The SSO session associated with this profile has expired. ${refreshMessage}`,
       SHOULD_FAIL_CREDENTIAL_CHAIN