amazon-archives / amazon-cognito-identity-js

Amazon Cognito Identity SDK for JavaScript

Cognito Tokens - Hosted UI #641

Closed bernays closed 6 years ago

bernays commented 6 years ago

It is straightforward to set up the Hosted UI Cognito solution for the initial user log in and to get AWS credentials from the id_token, but I have gotten stuck on how to refresh or extend the user's session past 1 hour. Has anyone managed to figure out how to extend the id_token's life beyond the 1 hr mark or at least refresh the token in the background?

itrestian commented 6 years ago

Not sure exactly what you are using but when calling getSession on the Auth SDK, that should refresh tokens automatically (it checks access token for validity and if the refresh token can be used).

https://github.com/aws/amazon-cognito-auth-js/blob/master/src/CognitoAuth.js#L214

bernays commented 6 years ago

@itrestian the default way that it was set up was using an implicit grant, which meant that there was no refresh token retrieved.

I found the following package which automatically grabbed the tokens and stored them locally: https://github.com/aws/amazon-cognito-auth-js

itrestian commented 6 years ago

Got it, so this shouldn't happen anymore.

gregkowalski commented 6 years ago

@bernays even with the https://github.com/aws/amazon-cognito-auth-js package, I'm finding that when using the implicit flow I never get the refresh_token back from the AWS Hosted UI. I only get back the id_token and access_token but those can't be used to refresh the session. The getSession() on the Auth SDK (https://github.com/aws/amazon-cognito-auth-js/blob/master/src/CognitoAuth.js#L214) relies on the refresh_token to refresh the session and, after the session has expired, if it's not present it'll just return undefined. In which case, unless I'm missing something, I suppose the only solution is to redirect the user back to the Hosted UI login page again and ask them for their credentials.

kyarosh commented 6 years ago

As a point of clarification, the reason that a refresh token is not returned is because the OAuth 2.0 framework dictates that an authorization server must not return refresh tokens during implicit grants.

In general when using OAuth 2.0, it's best practice to use the authorization code grant wherever possible, only implementing the implicit grant if there's some specific design constraint that prevents the auth code grant from being feasible.
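The situation the thread describes, as an added Node.js example that is not part of the issue or of the amazon-cognito-auth-js project: parse the tokens an implicit-grant redirect returns in the URL fragment, read the id_token expiry, and decide whether the client can refresh silently (refresh_token present) or has to send the user back to the Hosted UI. The redirect URL, the `exp` values and the unsigned JWTs are constructed for the demonstration.

```javascript
// Decode a JWT payload WITHOUT verifying it. This only reads claims for a
// client-side expiry check; it is not a substitute for signature verification.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Parse the fragment the implicit grant (response_type=token) appends to the
// redirect URI: https://app/callback#id_token=...&access_token=...&expires_in=3600
function parseImplicitFragment(url) {
  const hash = new URL(url).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(hash));
}

// 'valid'          -> id_token still usable
// 'refresh'        -> expired, but a refresh_token exists (what getSession uses)
// 'reauthenticate' -> expired and no refresh_token: the implicit-grant case,
//                     where getSession returns undefined and re-login is needed
function sessionAction(tokens, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!tokens.id_token) return 'reauthenticate';
  const { exp } = decodeJwtPayload(tokens.id_token);
  if (typeof exp === 'number' && exp > nowSeconds) return 'valid';
  return tokens.refresh_token ? 'refresh' : 'reauthenticate';
}

// Constructed, unsigned JWT for the demo (empty signature segment).
function makeTestJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

// Constructed sample redirect from a Hosted UI implicit flow: no refresh_token.
const IMPLICIT_REDIRECT = 'https://app.example/callback#id_token=' +
  makeTestJwt({ sub: 'user-1', exp: 1700003600 }) +
  '&access_token=' + makeTestJwt({ sub: 'user-1', exp: 1700003600 }) +
  '&expires_in=3600&token_type=Bearer';

const tokens = parseImplicitFragment(IMPLICIT_REDIRECT);
console.log(sessionAction(tokens, 1700000000)); // 'valid'
console.log(sessionAction(tokens, 1700007200)); // 'reauthenticate'
```

With an authorization code grant the same `sessionAction` would return `'refresh'` once `refresh_token` is present, which is why the thread recommends that grant over the implicit one.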