amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0

Missing requirement for using cognito auth for web. #11

Closed rcfrias closed 7 years ago

rcfrias commented 7 years ago

I think it is important to mention that in the app client settings at the cognito console, "Implicit grant" has to be enabled. Otherwise the authentication will fail no matter what the user does.

dinvlad commented 7 years ago

For a regular web app, it could also be "Authorization code", in which case you'd need to use auth.useCodeGrantFlow(); as specified in the example, and then POST a request from your backend to /oauth2/token with code in the body and state in Authorization: Basic <state> header. There are a few more parameters, for details see the first example in http://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html (there's also a more secure version if your app has a secret).

Implicit flow (appropriate for client-side apps) will return access and id tokens valid for 1 hour, while authorization code flow (for server-side apps) would also give you a refresh token that you could reuse for a configurable time (sorry if this is already obvious, just wanted to throw in my 2c).

I only wish tokens returned by implicit flow could be configured to last longer (e.g. 12h), even though they cannot be renewed for security reasons. Otherwise, we have to log out our users every hour, or just ignore the expiration time from the token on our backend (instead, we can use iat + 12h or so).

rcfrias commented 7 years ago

Good extra info. I think both scenarios must be clearly explained in the docs, as right now it's too ambiguous and non-self-explanatory.