fix(gen2-migration): convert OIDC TTL values from milliseconds to seconds #14846

Draft
dgandhi62 wants to merge 1 commit into dev from fix/gen2-migration-14812

@dgandhi62
Contributor

Solves #14812.

Issue Summary

When migrating a Gen 1 GraphQL API with OIDC as an additional authorization provider to Gen 2, the tokenExpiryFromAuthInSeconds and tokenExpireFromIssueInSeconds fields in the generated oidcAuthorizationMode config receive incorrect values. The AppSync OpenIDConnectConfig stores authTTL and iatTTL in milliseconds, but the migration code passes them through to the Gen 2 output (which expects seconds) without dividing by 1000.

The issue also mentions clientId — the renderer already handles clientId correctly (it emits it when present in the authConfig). The clientId concern in the issue is about the Gen 2 @aws-amplify/backend-data type definition not exposing the property, which is outside the scope of the migration CLI.

Reasoning

  1. Read the issue: two bugs reported — missing clientId and wrong TTL values.
  2. Searched for the OIDC code path in data.renderer.ts → found addOidcConfig() method.
  3. Verified the renderer already emits clientId when cfg.clientId is present — no bug there.
  4. Checked the AppSync OpenIDConnectConfig documentation — authTTL and iatTTL are in milliseconds.
  5. Confirmed the authConfig in amplify-meta.json stores TTL values in milliseconds (matching the AppSync/CFN format).
  6. Found the renderer passes cfg.authTTL directly to tokenExpiryFromAuthInSeconds without conversion — this is the bug.
  7. The existing test used authTTL: 3600 (already in seconds), masking the bug. Updated the test to use authTTL: 3600000 (milliseconds) to match real data.

Solution

packages/amplify-cli/src/commands/gen2-migration/generate/amplify/data/data.renderer.ts

  • In addOidcConfig(), divide cfg.authTTL and cfg.iatTTL by 1000 (using Math.floor) before emitting them as tokenExpiryFromAuthInSeconds and tokenExpireFromIssueInSeconds.

packages/amplify-cli/src/__tests__/commands/gen2-migration/generate/amplify/data/data.generator.test.ts

  • Updated the OIDC test mock data to use millisecond values (authTTL: 3600000, iatTTL: 7200000) matching the real authConfig format from amplify-meta.json.

Example

Input (Gen 1 / pre-generate):

amplify-meta.json, api.testApi.output.authConfig:

{
  "additionalAuthenticationProviders": [
    {
      "authenticationType": "OPENID_CONNECT",
      "openIDConnectConfig": {
        "name": "MyOIDC",
        "issuerUrl": "https://example.com",
        "clientId": "client123",
        "authTTL": 3600000,
        "iatTTL": 7200000
      }
    }
  ]
}

Output — before fix (post-generate):

oidcAuthorizationMode: {
  oidcProviderName: 'MyOIDC',
  oidcIssuerUrl: 'https://example.com',
  clientId: 'client123',
  tokenExpiryFromAuthInSeconds: 3600000,  // wrong — milliseconds passed through
  tokenExpireFromIssueInSeconds: 7200000, // wrong — milliseconds passed through
},

Output — after fix (post-generate):

oidcAuthorizationMode: {
  oidcProviderName: 'MyOIDC',
  oidcIssuerUrl: 'https://example.com',
  clientId: 'client123',
  tokenExpiryFromAuthInSeconds: 3600,  // correct — 3600000ms / 1000 = 3600s
  tokenExpireFromIssueInSeconds: 7200, // correct — 7200000ms / 1000 = 7200s
},

…ds (#14812)

The AppSync OpenIDConnectConfig stores authTTL and iatTTL in
milliseconds, but the Gen 2 oidcAuthorizationMode expects
tokenExpiryFromAuthInSeconds and tokenExpireFromIssueInSeconds
in seconds. The renderer was passing the millisecond values
through without dividing by 1000, producing incorrect TTL
values in the generated resource.ts.

Updated the test mock data to use millisecond values (matching
the real authConfig format from amplify-meta.json) to ensure
the conversion is exercised.

Tested: yarn build && yarn test in packages/amplify-cli — 131
suites, 755 tests, 125 snapshots all pass.
---
Prompt: Fix issue #14812 — OIDC clientId and TTL conversion
bugs in gen2-migration generate step.
@dgandhi62 dgandhi62 requested a review from a team as a code owner May 1, 2026 15:04
@dgandhi62 dgandhi62 marked this pull request as draft May 1, 2026 15:10
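
The conversion this pull request describes, as an added example (not the project's renderer code; `ttlMsToSeconds`, `mapOidc`, `renderPreFix` and `renderPostFix` are hypothetical names). It runs the description's input through a pass-through mapping and a converting mapping, and shows why a fixture of `authTTL: 3600` let the pass-through go unnoticed; omitting absent TTLs and rejecting negative values are assumptions of this example.

```javascript
// Added example: hypothetical helper names, not the Amplify CLI renderer.
const MS_PER_SECOND = 1000;

// AppSync TTL in milliseconds -> whole seconds. An absent TTL stays absent
// (assumption: the field is then omitted from the generated config).
function ttlMsToSeconds(ms) {
  if (ms === undefined || ms === null) return undefined;
  if (!Number.isFinite(ms) || ms < 0) {
    throw new RangeError(`invalid TTL in milliseconds: ${ms}`);
  }
  return Math.floor(ms / MS_PER_SECOND);
}

// Shared mapping; `convert` decides how the TTL fields are translated.
function mapOidc(cfg, convert) {
  const mode = { oidcProviderName: cfg.name, oidcIssuerUrl: cfg.issuerUrl };
  if (cfg.clientId) mode.clientId = cfg.clientId;
  const fromAuth = convert(cfg.authTTL);
  const fromIssue = convert(cfg.iatTTL);
  if (fromAuth !== undefined) mode.tokenExpiryFromAuthInSeconds = fromAuth;
  if (fromIssue !== undefined) mode.tokenExpireFromIssueInSeconds = fromIssue;
  return mode;
}

// Pre-fix behaviour as the description states it: values passed through.
const renderPreFix = (cfg) => mapOidc(cfg, (v) => v);
// Post-fix behaviour: milliseconds divided by 1000 with Math.floor.
const renderPostFix = (cfg) => mapOidc(cfg, ttlMsToSeconds);

// openIDConnectConfig from the description's amplify-meta.json example.
const realCfg = {
  name: 'MyOIDC', issuerUrl: 'https://example.com', clientId: 'client123',
  authTTL: 3600000, iatTTL: 7200000,
};
// Constructed: the old test value (authTTL: 3600) placed in the same shape.
const oldFixture = { ...realCfg, authTTL: 3600, iatTTL: undefined };

// A test expecting 3600 passes on the pre-fix code with the old fixture,
// which is how a seconds-valued fixture hid the pass-through.
console.log(renderPreFix(oldFixture).tokenExpiryFromAuthInSeconds);  // 3600
console.log(renderPostFix(oldFixture).tokenExpiryFromAuthInSeconds); // 3
console.log(renderPostFix(realCfg));
```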