I'm using AWS for my website. After 1 hour the token expires and the user pretty much can't do anything.
For now I'm trying to refresh the credentials like this:
```javascript
// Collect the three JWTs from a Cognito user session.
function getTokens(session) {
  return {
    accessToken: session.getAccessToken().getJwtToken(),
    idToken: session.getIdToken().getJwtToken(),
    refreshToken: session.getRefreshToken().getToken()
  };
}

// Build identity-pool credentials from the user-pool ID token.
function getCognitoIdentityCredentials(tokens) {
  const loginInfo = {};
  loginInfo[`cognito-idp.eu-central-1.amazonaws.com/eu-central-1_XXX`] = tokens.idToken;
  const params = {
    IdentityPoolId: AWSConfiguration.IdPoolId,
    Logins: loginInfo
  };
  return new AWS.CognitoIdentityCredentials(params);
}

// cognitoUser, AWSConfiguration, messwerte_updaten and callLambda are defined elsewhere.
if (AWS.config.credentials.needsRefresh()) {
  clearInterval(messwerte_updaten);
  cognitoUser.refreshSession(cognitoUser.signInUserSession.refreshToken, (err, session) => {
    if (err) {
      console.log(err);
    }
    else {
      var tokens = getTokens(session);
      AWS.config.credentials = getCognitoIdentityCredentials(tokens);
      AWS.config.credentials.get(function (err) {
        if (err) {
          console.log(err);
        }
        else {
          callLambda();
        }
      });
    }
  });
}
```
The thing is, after 1 hour, the login token gets refreshed without a problem, but after 2 hours I can't refresh the login token anymore.
I also tried using AWS.config.credentials.get(), AWS.config.credentials.getCredentials() and AWS.config.credentials.refresh(), which doesn't work either.
The error messages I'm getting are:
Missing credentials in config
Invalid login token. Token expired: 1446742058 >= 1446727732
2 Answers
Answer 1
Usually it's solved by intercepting HTTP requests with additional logic.
```javascript
function authenticationExpiryInterceptor() {
  // check if token expired, if yes refresh
}

function authenticationHeadersInterceptor() {
  // include headers, or no
}
```
Then, with use of an HttpService layer:
```javascript
return HttpService.get(url, params, opts) {
  return authenticationExpiryInterceptor(...)
    .then((...) => authenticationHeadersInterceptor(...))
    .then((...) => makeRequest(...))
}
```
It could be solved by a proxy as well: http://2ality.com/2015/10/intercepting-method-calls.html
In relation to AWS: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Credentials.html
You're interested in:
- getPromise()
- refreshPromise()
Answer 2
Here is how I implemented this:
First you need to authorize the user to the service and grant permissions:
Sample request:
```http
POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic aSdxd892iujendek328uedj

grant_type=authorization_code&
client_id={your client_id}&
code=AUTHORIZATION_CODE&
redirect_uri={your redirect uri}
```
This will return JSON something like:
```http
HTTP/1.1 200 OK
Content-Type: application/json

{"access_token":"eyJz9sdfsdfsdfsd", "refresh_token":"dn43ud8uj32nk2je", "id_token":"dmcxd329ujdmkemkd349r", "token_type":"Bearer", "expires_in":3600}
```
Now you need to get an access token depending on your scope:
```http
POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic aSdxd892iujendek328uedj

grant_type=client_credentials&
scope={resourceServerIdentifier1}/{scope1} {resourceServerIdentifier2}/{scope2}
```
The JSON would be:
```http
HTTP/1.1 200 OK
Content-Type: application/json

{"access_token":"eyJz9sdfsdfsdfsd", "token_type":"Bearer", "expires_in":3600}
```
Now this access_token is only valid for 3600 secs, after which you need to exchange this to get a new access token. To do this,
To get new access token from refresh Token:
```http
POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic aSdxd892iujendek328uedj

grant_type=refresh_token&
client_id={client_id}&
refresh_token=REFRESH_TOKEN
```
Response:
```http
HTTP/1.1 200 OK
Content-Type: application/json

{"access_token":"eyJz9sdfsdfsdfsd", "refresh_token":"dn43ud8uj32nk2je", "id_token":"dmcxd329ujdmkemkd349r", "token_type":"Bearer", "expires_in":3600}
```
You get the picture, right?
If you need more details go here.
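The expiry-check interceptor from the first answer combined with the refresh_token grant from the second, as an added example that is not part of either answer. The function names, the 60-second skew, the public app client (no client secret) and the sample token are assumptions.

```javascript
// Read the `exp` claim (seconds since epoch) from a JWT. No signature check:
// the value only schedules refreshes and is never used to trust the token.
function jwtExpiry(jwt) {
  const payload = (jwt.split('.')[1] || '').replace(/-/g, '+').replace(/_/g, '/');
  const exp = JSON.parse(atob(payload)).exp;
  if (typeof exp !== 'number') throw new Error('token has no numeric exp claim');
  return exp;
}

// Form-encoded refresh_token grant for the /oauth2/token endpoint.
// Assumes a public app client (no secret), so no Authorization header is sent.
function buildRefreshRequest(domain, clientId, refreshToken) {
  const body = new URLSearchParams({ grant_type: 'refresh_token', client_id: clientId, refresh_token: refreshToken });
  return {
    url: `https://${domain}/oauth2/token`, method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: body.toString(),
  };
}

// Expiry interceptor: returns the cached access token while it is valid for
// more than `skewSec`, otherwise starts one refresh that all callers share.
// `refresh(refreshToken)` is caller-supplied and resolves to { accessToken, ... }.
function createTokenManager({ tokens, refresh, now = () => Date.now() / 1000, skewSec = 60 }) {
  let inFlight = null;
  return {
    getAccessToken() {
      if (jwtExpiry(tokens.accessToken) - now() > skewSec) return Promise.resolve(tokens.accessToken);
      if (!inFlight) {
        inFlight = Promise.resolve(refresh(tokens.refreshToken))
          // Merge, so a response without a refresh token keeps the current one.
          .then((fresh) => { tokens = { ...tokens, ...fresh }; return tokens.accessToken; })
          // A rejected refresh reaches the caller, which must send the user to sign-in.
          .finally(() => { inFlight = null; });
      }
      return inFlight;
    },
  };
}

// Header interceptor: every request asks the manager for a token first.
function authorizedFetch(manager, url, opts = {}, fetchImpl = fetch) {
  return manager.getAccessToken().then((token) =>
    fetchImpl(url, { ...opts, headers: { ...opts.headers, Authorization: `Bearer ${token}` } }));
}

// Constructed, unsigned sample token for trying the functions offline.
function makeSampleJwt(exp) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ exp })}.constructed`;
}
```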
 