Force token refresh

[rayhaanq]

I noticed this piece of functionality is not yet implemented.

AuthSessionOutput.dart
// TODO: Implement force refresh when/if amplify-libraries support it

I have a use case where the user logs in for the first time and they fill in their profile info. A profile is created and the profileId is added as an attribute to the user. Api calls made after this require the profileId attribute to be present but the token is out of date and needs refreshing to include the profileId

I understand that I can create a trigger function to pre-create the profile and add the attribute to the user, but would prefer to avoid this.
Is there a timeline when this will get done? Or is there any workaround for this?

Thanks

[autthapol-k]

Any update or work around for this?

I still see this comment on onFetchAuthSession method that mean it is not yet implemented.
// TODO: Implement forceRefresh when/if supported by Amplify libs

Strong hopefully this will be accomplish soon.

[Jordan-Nelson]

Hello @rayhaanq and @autthapol-k - Thank your for opening this issue. This is not something that is being actively worked on, but it has been a feature request in the amplify native libraries as well. I am going to link those issues for reference. We will continue to use this issue to track interest in manually/proactively refreshing the token.

amplify-ios: aws-amplify/amplify-swift#1179
android-sdk: aws-amplify/aws-sdk-android#696
amplify-android: aws-amplify/amplify-android#1283

[erfactor]

Any update on this?

[Jordan-Nelson]

@erfactor - I don't have an update for this at the moment.

@rayhaanq - When you say, "A profile is created and the profileId is added as an attribute to the user," are you using the Auth user attribute APIs (Amplify.Auth.updateUserAttribute()) to do this?

This issue has received a fair amount of 👍 s. I would like to make sure we understand the various use cases for forcing a token refresh. If you have a use case that is different than @rayhaanq's, please feel free to share it.

[AllenKaplan]

In our use case, we have the user create an account, and the next screen is to add an invite code

adding the invite code should add them to the invited group via backend having a cognito client and using AdminAddToGroup(...)

Our issue is on the next screen which needs the token to have the invited group, yet they have an old token before it was added

since we can't refresh our token, our options are to

1. force user sign out
2. use an alternative method of validating invited

both these options are bad as 1. breaks user flow and 2. is hacky solution

Is this on your radar to be fixed? Frankly, without this being fixed in the next 4 weeks, we will be moving to supertokens (https://github.com/supertokens/supertokens-core) as refreshing tokens is a basic use case

If you have an alternative solution, please lmk

cc @Jordan-Nelson

[lastrucci01]

Hello, I am a CS student working on our Capstone project and I would just like to add on that we are experiencing a similar issue.

Problem
We have created a multi-tenant app using Amplify Flutter that uses Cognito Userpool groups and we have opted to allow Social Sign in, this means there is no registration process so we check their access token to see if they are assigned to one of our groups and if not, prompt them to pick one and then use the AdminAddToGroup() in a subsequent lamda function.
Thereafter fetching the auth session again to check the access token to see that it has not been updated...

Possible solution, yet to verify
I have searched the internet up & down and there seems to be some Cognito IntiateAuth function that can return a refreshed Auth session but I am unsure if that works with Social Sign in and unsure of how to use it in Flutter.
I think I can pass it off to a Lamda function - which currently I only know how to invoke from Flutter with our AppSync API - but I don't think it's a good idea to pass the tokens around and then I assume I have to pass the whole session back through the API which feels unsafe...
Alternatively I might be able to make the same IntiateAuth function through a request in flutter to Cognito's REST api (which might still be unsafe), but I have yet to find a good resources on that.
This is, of course, assuming that IntiateAuth does what I intend it to...

The long and the short of it, please allow a force refresh token for Amplify Flutter,
as @AllenKaplan mentioned, it is a basic use case.

[AllenKaplan]

@lastrucci01 funny enough I was also working on my capstone project!

We ended up switching to Ory Cloud which doesn't have the same issues -- Amplify Flutter was a frustrating experience and Cognito's inflexibility was another pressure point

[dnys1]

Apologies for the delay on this issue. We are actively working on the API design for a force refresh and expect to have it implemented soon after. Thank you for your patience!

[lastrucci01]

Good day friends! I have verified the Cogntio IntiateAuth API Call does indeed work,
I made a Post request from flutter to Cognitos REST API specifying "REFRESH_TOKEN_AUTH" and when decoding the returned access token I have updated user groups 🎉

The AWS Docs for the API Call
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
How to make a post request in flutter
https://docs.flutter.dev/cookbook/networking/send-data
This medium article helped me a lot, but it's in JS
https://medium.com/tensult/how-to-refresh-aws-cognito-user-pool-tokens-d0e025cedd52

So far the only issues I have identified is that I don't seem to get a new Refresh Token back, and the usual Amplify.Auth.fetchAuthSession() remains stale, but otherwise, I'm happy :)

[matt-in-brissy]

Good day friends! I have verified the Cogntio IntiateAuth API Call does indeed work, I made a Post request from flutter to Cognitos REST API specifying "REFRESH_TOKEN_AUTH" and when decoding the returned access token I have updated user groups 🎉

Yes, I concur - this indeed works as expected, although I'd prefer not to have to post this request separately to refresh the access token each time it runs out.

[mridboy96]

Hello
I wanted to know the status of this at the moment. Will there be a feature update giving us the option to forceRefresh the token ?
I believe the best way to achieve this at the moment is to manually make an InitiateAuth API call with REFRESH_TOKEN_AUTH as the type of authentication

[dnys1]

Apologies for the delay updating this issue. This feature has been released in our developer-preview version of the library.

environment:
  sdk: ">=2.17.0 <3.0.0"

dependencies:
  flutter:
    sdk: flutter

  amplify_flutter: ^1.0.0-next.0
  amplify_auth_cognito: ^1.0.0-next.0

final session = await Amplify.Auth.fetchAuthSession(
  options: const CognitoSessionOptions(forceRefresh: true),
) as CognitoAuthSession;

This should resolve outstanding issues around user attributes not updating in the cached access/ID tokens.

[brunovsiqueira]

Hi there.

@dnys1 is there any forecast regarding the new Amplify Flutter (1.0.0) release date? I am waiting for some feature/fixes that are only available there.

[Jordan-Nelson]

Support for this has been added in v1.0.0 of Amplify Flutter, which is now stable. This release also includes web and desktop support for Auth, API, Analytics, and Storage. You can see the list of new features and bug fixes in the release notes, and see more details on how to migrate in the upgrade guide.

You can use forceRefresh as in the example below:

final result = await Amplify.Auth.fetchAuthSession(
  options: const FetchAuthSessionOptions(forceRefresh: true),
);

If you need to access the token, you can use Auth.getPlugin to get a reference to the Cognito auth plugin to avoid having to cast the result, which was required in v0. See the example below:

final cognitoPlugin = Amplify.Auth.getPlugin(AmplifyAuthCognito.pluginKey);
final result = await cognitoPlugin.fetchAuthSession(
  options: const FetchAuthSessionOptions(forceRefresh: true),
);
final identityId = result.userPoolTokensResult.value.accessToken;