LD4P / sinopia_server

[Deprecated - switching to MongoDB] Sinopia Back-end CRUD Service. LDP-inspired, HTTP Server taking JSON-LD resources & administrative metadata.
Apache License 2.0

figure out JWT refresh #89

Closed jmartin-sul closed 5 years ago

jmartin-sul commented 5 years ago

problem

there are ways to do this using amazon's amplify JS SDK. not sure if that means we have to write our own login page, or if we can use the JWT we get from the vanilla cognito login page redirect to renew the session. will post some test code from friday in the comments.

acoburn commented 5 years ago

@jmartin-sul in case this is helpful, you may want to take a look at refresh tokens. They are part of the OAuth standard.

The basic idea with refresh tokens is that when a user logs in, the client application is presented with both a time-limited (JWT) token (which you're currently using to access trellis) as well as a refresh token that can be used with the identity server (cognito) to get new time-limited JWT tokens. This makes it possible to fetch new JWT tokens without requiring the user to go through the full login flow again. If a JWT is valid for 1 hour, a refresh token might be valid for much longer: 1 day, 1 week or even 1 month, depending on the needs of the application.

jmartin-sul commented 5 years ago

thanks, @acoburn! yup, i've been reading up on refresh tokens (and that first link was one of the things i came across). they're just new to me, as is the cognito JS tooling, so i'm mostly still in "play around with things and figure out how to use them" mode. my main two unknowns at this point are 1) can we get a refresh token from the cognito login redirect, and 2) can we use that refresh token with the amazon JS SDK to refresh the JWT. so far, the thing i've done that actually works is to login using amazon's amplify SDK (and then the cognito user object that was instantiated just has a refresh method on it -- so if we couldn't create such an object easily just from the refresh token, the next easiest thing seems like it'd be for us to write our own simple login page, which would use the amplify SDK to login, and then we could just use that cognito user object to refresh tokens as needed).

jmartin-sul commented 5 years ago

> write our own simple login page, which would use the amplify SDK to login, and then we could just use that cognito user object to refresh tokens as needed

this is, indeed, what ended up happening in LD4P/sinopia_editor#460.