amazon-archives / aws-cognito-angular-quickstart

An Angular(v5)-based QuickStart single-page app utilizing Amazon Cognito, S3, and DynamoDB (Serverless architecture)
https://cognito.budilov.com
Apache License 2.0

Credentials not being refreshed #83

Closed wansco closed 7 years ago

wansco commented 7 years ago

Steps to repeat:

If you do a full refresh it works, but that shouldn't be required.

vbudilov commented 7 years ago

Yes, since the DDB client library is used to retrieve the appropriate user-specific records, it needs to be re-initialized every hour since the tokens are only valid for one hour. You'll need to create some logic to check whether the tokens have expired already and then do a refresh and re-instantiate the DDB client.

wansco commented 7 years ago

I tried shortcutting it by adding this code to CognitoUtil, but that didn't seem to fix it.

    constructor() {
        console.log("In CognitoUtil constructor");
        // Attempt to refresh the session every 15 minutes, well inside the one-hour token lifetime.
        let DoRefresh = () => {
            console.log("Calling CognitoUtil.refresh()...");
            this.refresh();
        };
        setInterval(DoRefresh, 15 * 60 * 1000);
    }

Can the tokens be refreshed before they expire?

Does the DDB client need to be re-instantiated? It seems that it is using the same CognitoUtil instance that the above code would be refreshing. It does not appear that CognitoUtil.refresh() updates the local credentials the way it does when the user is first authenticated.

If I keep refreshing the session, are the initially obtained credentials still valid, or do those need to be updated as well?

vbudilov commented 7 years ago

Yes, the DDB client needs to be re-instantiated.

bartekmarnane commented 7 years ago

@wansco Did you get a working shortcut happening? I have the same issue and am not sure how to approach it. I suspect calling refreshToken if it's expired?

wansco commented 7 years ago

I never got it working. I like the idea of Cognito and the whole serverless infrastructure, but minor things like this and convoluted documentation on the database end led me to the conclusion that it's got a ways to go.

brianwashington commented 7 years ago

Are there any updates/workarounds for this issue?

vbudilov commented 7 years ago

Yes, the DDB client needs to be re-instantiated every hour. So you might want to include code that checks if the token hasn't expired, and if it has, get new tokens using the refresh token and re-instantiate the DDB object.

brianwashington commented 7 years ago

@vbudilov Thanks for the fast response. I'll give that a try.

brianwashington commented 7 years ago

@vbudilov The token that you mentioned, is that the Cognito token or is there a separate token for Dynamo that we can check?

vbudilov commented 7 years ago

You should use the refresh token to get a new Id token, and then re-instantiate the DDB client: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
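
The approach described in this thread (check the ID token's expiry, use the refresh token to get a new one, then re-instantiate the DDB client) can be sketched as below. This is an added example, not code from the quickstart repository: `tokenExpiry`, `needsRefresh`, `FreshDdb`, `refreshFn` and `makeClient` are hypothetical names, and the Cognito refresh call and DynamoDB client construction are injected as functions so the logic runs offline.

```javascript
// Added example; all names here are hypothetical, not the project's API.

// Read the `exp` claim (seconds since epoch) from a JWT payload.
// Decoding only: this schedules refreshes, it does NOT verify the token.
function tokenExpiry(jwt) {
  const payload = jwt.split('.')[1] || '';
  const b64 = payload.replace(/-/g, '+').replace(/_/g, '/');
  const json = typeof atob === 'function'
    ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  return JSON.parse(json).exp;
}

// True when the token is expired or will expire within skewSec seconds.
function needsRefresh(jwt, nowSec, skewSec = 300) {
  try {
    const exp = tokenExpiry(jwt);
    return typeof exp !== 'number' || exp - skewSec <= nowSec;
  } catch (e) {
    return true; // malformed token: treat as expired
  }
}

class FreshDdb {
  // refreshFn(): Promise<string> trades the refresh token for a new ID token.
  // makeClient(idToken): builds credentials from the ID token and returns
  // a newly constructed DDB client bound to them.
  constructor(idToken, refreshFn, makeClient, now = () => Date.now() / 1000) {
    Object.assign(this, { idToken, refreshFn, makeClient, now });
    this.client = makeClient(idToken);
    this.pending = null;
  }

  // Call before every DDB request instead of holding a client reference.
  async get() {
    if (needsRefresh(this.idToken, this.now())) {
      // Share one in-flight refresh between concurrent callers.
      this.pending = this.pending ||
        this.refreshFn().finally(() => { this.pending = null; });
      const fresh = await this.pending;
      if (fresh !== this.idToken) {
        this.idToken = fresh;
        // The old client still holds the expired credentials: replace it.
        this.client = this.makeClient(fresh);
      }
    }
    return this.client;
  }
}
```

Callers that cache the client returned by `get()` across requests reintroduce the stale-credentials problem; fetch it per request.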