aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0
1.31k stars, 241 forks

Amplify managed credentials not working (session expires unintentionally, always needs custom handling) #3565

Closed uzairleo closed 1 year ago

uzairleo commented 1 year ago

Description

According to the latest Amplify version 1 documentation, it is clearly mentioned: "Amplify Flutter securely handles credentials and user identity information. You do not need to store, refresh, or delete credentials yourself. Amplify Flutter handles these operations using platform capabilities such as Keychain Services on iOS and macOS and EncryptedSharedPreferences on Android."

But this feature is not working. We have set up cognito_auth_pool as our default auth mode and APIKEY as an additional auth mode, but Amplify is not able to handle/manage the credentials internally as the default option, since the session is still getting expired according to the user pool configuration. In our case the session gets expired after 1 hour and 7 minutes. Please share any fix related to this.

Categories

Steps to Reproduce

No response

Screenshots

[Screenshot 2023-08-16 at 5:18:09 AM]

Platforms

Flutter Version

3.10.6

Amplify Flutter Version

1.3.1

Deployment Method

Amplify CLI

Schema

No response

Jordan-Nelson commented 1 year ago

Hello @uzairleo - Amplify will automatically refresh the Access and ID tokens as long as the refresh token is valid. Once the refresh token expires, the user needs to be re-authenticated (with username & password, social sign in, etc). This is not Amplify specific. See the Cognito docs for more info about refresh tokens in Cognito.

From the screenshot, it appears that you have the refresh token configured to expire after 60 minutes, so the behavior you are experiencing would be expected.

If you are looking for refresh token rotation (where an updated refresh token is returned prior to the original token expiring), this is not currently supported by Cognito.

Please let me know if you have any questions.

uzairleo commented 1 year ago
[Screenshot 2023-08-16 at 6:45:10 AM]

Yeah, according to these docs I am assuming the experience that by default the user will not have to request a new token; it's something the Amplify plugin will do internally. Link: https://docs.amplify.aws/lib/auth/managing_credentials/q/platform/flutter/

uzairleo commented 1 year ago

Also, is setting the refreshToken duration to 30 days and the accessToken and idToken expiration both to 30 minutes something worth configuring? In this case the user's session will not expire and there is no need for the user to re-authenticate, right?

Jordan-Nelson commented 1 year ago

The user will need to re-authenticate when the refresh token expires. The refresh token expiration is customizable between 60 minutes and 10 years. The expiration time you choose should depend on your use case. A token with a longer expiration time will not require frequent re-authentication, but also gives an attacker more time to abuse a stolen token.
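The two lifetimes discussed in this thread (access/ID token vs. refresh token) are easy to conflate, so here is an added example that models them; it is illustrative Python written for this page, not Amplify Flutter or Cognito code. It assumes the reporter's pool used the Cognito default of 60 minutes for the access/ID tokens (the thread only states the refresh token was 60 minutes) and constructs unsigned sample JWTs inline. Cognito refresh tokens are opaque, so the client cannot read an expiry out of them; the example infers the re-authentication deadline from the ID token's `auth_time` claim (the original sign-in time, which refreshes do not change) plus the pool's configured refresh token validity.

```python
"""Added example (not Amplify/Cognito code): model Cognito token lifetimes and
decide whether a client can still refresh silently or must re-authenticate.

Sample tokens are constructed, unsigned JWTs for illustration only. A real
Cognito token is RS256-signed; this helper inspects claims and must never
stand in for signature verification.
"""
import base64
import json
from dataclasses import dataclass
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload.signature with an empty signature (test data only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Decode the payload segment without verifying the signature."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


@dataclass(frozen=True)
class SessionState:
    status: str           # "valid" | "refreshable" | "reauth_required"
    reauth_deadline: int  # epoch seconds at which the refresh token dies


def classify_session(id_token: str, refresh_validity_s: int, now: int) -> SessionState:
    claims = decode_claims(id_token)
    # auth_time is when the user actually signed in. A refresh mints new
    # access/ID tokens (new iat/exp) but leaves auth_time and the refresh
    # token itself untouched, so auth_time + RefreshTokenValidity is fixed
    # at sign-in and marks when re-authentication becomes unavoidable.
    reauth_deadline = claims["auth_time"] + refresh_validity_s
    if now >= reauth_deadline:
        return SessionState("reauth_required", reauth_deadline)
    if now >= claims["exp"]:
        return SessionState("refreshable", reauth_deadline)
    return SessionState("valid", reauth_deadline)


def silent_refresh(id_token: str, refresh_validity_s: int,
                   access_validity_s: int, now: int) -> Optional[str]:
    """What the SDK does for you while the refresh token is alive: issue fresh
    access/ID tokens carrying the original auth_time. Returns None once the
    refresh token has expired (Cognito does not rotate it), i.e. re-auth time."""
    if classify_session(id_token, refresh_validity_s, now).status == "reauth_required":
        return None
    old = decode_claims(id_token)
    return make_unsigned_jwt({**old, "iat": now, "exp": now + access_validity_s})


SIGN_IN = 1_700_000_000  # constructed sign-in time (epoch seconds)
HOUR = 3600


def demo_issue_config() -> list:
    """Reporter's pool as read from the screenshot: refresh token 60 min; access/ID
    assumed 60 min (Cognito default). The refresh token dies with the first
    access token, so there is no window in which a silent refresh can succeed."""
    tok = make_unsigned_jwt({"token_use": "id", "auth_time": SIGN_IN,
                             "iat": SIGN_IN, "exp": SIGN_IN + HOUR})
    return [classify_session(tok, HOUR, SIGN_IN + t).status
            for t in (0, 59 * 60, 61 * 60)]


def demo_followup_config() -> list:
    """Follow-up proposal: access/ID 30 min, refresh 30 days. Access tokens lapse
    every half hour and are refreshed silently; re-auth is only needed at day 30."""
    tok = make_unsigned_jwt({"token_use": "id", "auth_time": SIGN_IN,
                             "iat": SIGN_IN, "exp": SIGN_IN + 30 * 60})
    return [classify_session(tok, 30 * 24 * HOUR, SIGN_IN + t).status
            for t in (0, 31 * 60, 29 * 24 * HOUR, 30 * 24 * HOUR)]


if __name__ == "__main__":
    print("issue config   :", demo_issue_config())
    print("followup config:", demo_followup_config())
```

The `refreshable` state is exactly the case Amplify handles on its own; `reauth_required` is the case no SDK can handle, because the refresh token is the only credential that can mint new tokens and Cognito issues no replacement before it expires. The longer the refresh validity, the wider the window in which a stolen refresh token stays usable, which is the trade-off the reply above points out.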

Jordan-Nelson commented 1 year ago

I think the intention of the linked docs is to call out that refreshing the Access and ID tokens manually is not required, but I do see how it is potentially misleading. I'll discuss this with the team and see how we can improve them. Thanks for bringing it to our attention.

uzairleo commented 1 year ago

Yeah, I completely got your point now and I am clear on this refresh token thing. Also, I would appreciate it if you guys update the docs. Thanks @Jordan-Nelson.

Jordan-Nelson commented 1 year ago

@uzairleo - The docs have been updated with a callout that the Access and ID token will be refreshed as long as the Refresh token is valid.

uzairleo commented 1 year ago

Thanks 🙏 amplify team