What is aws-amplify's Default Behavior When a Refresh Token Expires? #4438

Closed
ErikOwen opened this issue Nov 21, 2019 · 9 comments · Fixed by #9628
@ErikOwen

Which Category is your question related to?
Auth

What AWS Services are you utilizing?
AWS Cognito

Provide additional details e.g. code snippets
My stack is a React application using aws-amplify to authenticate with AWS Cognito identity pool.

I am wondering what happens when a user authenticates into an app that is using AWS Amplify, and the refresh token validity expires for that user? Will aws-amplify automatically send the user to AWS Cognito for re-authentication? If not, is there a Hub event to catch when a user's refresh token expires?

@ErikOwen ErikOwen added the question General question label Nov 21, 2019
@haverchuck
Contributor

When you say 'send the user to AWS Cognito for re-authentication', am I correct in assuming that you are using Hosted UI?

@ErikOwen
Author

Yes, I am using the Hosted UI.

@iartemiev
Member

When the refresh token expires, Amplify does not automatically sign the user out nor send the user to Hosted UI.

Hub does not currently emit an event when a refresh token expires.

What behavior would best work for your use case in this scenario? Please feel free to describe it in a new feature request.

@ErikOwen
Author

Is your feature request related to a problem? Please describe.
When the current user's refresh token expires, there is no easy way for the application to know when that happens. When refresh tokens expire, certain applications may want to send the user to re-authenticate, or display a dialog notifying the user that their session has expired and they need to log in again.

Describe the solution you'd like
A hub authentication event channel is created for the application to listen for the event of when the user's refresh token expires.

Describe alternatives you've considered
The user is automatically sent back to the hosted UI to re-authenticate when the refresh token expires (but this solution does not provide as much flexibility).

Additional context
In my scenario I have a React application using aws-amplify for authentication with a Cognito Identity pool. For security reasons the refresh token expiration is set to 1 day (the minimum allowed by Cognito). After a signed-in user's refresh token expires, the user is still logged in, but no calls to Cognito or the application's backend work. We need a way to know when the current logged-in user's refresh token expires so we can sign the user out or force the user to re-authenticate by sending them to the hosted UI.

@mauerbac
Member

Hi @ErikOwen - thanks for providing this info. I will make this a feature request and leave this open so the team can address it.

@mauerbac mauerbac added feature-request Request a new feature Auth Related to Auth components/category and removed question General question labels Apr 24, 2020
@grothem

grothem commented Dec 22, 2021

Hi @mauerbac, I was just curious if there was any update on this feature request. It would be very helpful for our team right now, as we're looking for a way to redirect users to the sign-in page when their token expires.

Do you know of any workarounds for this in the meantime?

@sammartinez
Contributor

Hey everyone,

Reading on this feature request, I do want to call out what we offer in the library today. We do have a Hub event listener around token expiration that you can listen to and redirect your customers based on that listener coming back that the token was refreshed. Since we do not own the Hosted UI implementation, the Amazon Cognito team does, this is our recommendation.

As for the callout around the expiration of the token only being able to be set to 1 day, there was an update last to allow yourself to set the expiration between 60 mins to 10 years. Please see the What's New post here. If I am not understanding the use case correctly, please share some code snippets and/or more data on this for us. Thanks again!

@jamesaucode
Contributor

From 4.3.16 onward, Auth will automatically handle invalid sessions. The default behavior is to clear all the cached tokens and dispatch a signOut event to Hub, or if you signed in through HostedUI it will automatically redirect the user to the OAuth sign-out URL.
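
Added example, not part of the original thread and not aws-amplify code: one way an application can act on the Hub `signOut` dispatch described in the comment above, telling a library-triggered sign-out apart from one the user asked for. `watchSessionExpiry`, `markUserSignOut` and `FakeHub` are hypothetical names; `FakeHub` is a constructed stand-in so the block runs without the library.

```javascript
// Added example, not aws-amplify code: watchSessionExpiry and FakeHub are hypothetical.
// In an app, pass the real Hub (import { Hub } from 'aws-amplify').
function watchSessionExpiry(hub, onExpired) {
  let userInitiated = false; // set just before the app itself calls Auth.signOut()
  let notified = false;      // report at most one expiry per signed-in session
  const expire = (reason) => {
    if (notified) return;
    notified = true;
    onExpired(reason);
  };
  hub.listen('auth', ({ payload }) => {
    switch (payload.event) {
      case 'signIn': // new session: re-arm the watcher
        notified = false;
        userInitiated = false;
        break;
      case 'tokenRefresh_failure': // Auth could not refresh the session
        expire('tokenRefresh_failure');
        break;
      case 'signOut': // the user's own click, or Auth clearing an invalid session
        if (userInitiated) userInitiated = false;
        else expire('signOut');
        break;
    }
  });
  return { markUserSignOut: () => { userInitiated = true; } };
}

// Constructed stand-in for Hub, only so the example runs offline.
class FakeHub {
  constructor() { this.listeners = {}; }
  listen(channel, cb) { (this.listeners[channel] = this.listeners[channel] || []).push(cb); }
  dispatch(channel, payload) {
    (this.listeners[channel] || []).forEach((cb) => cb({ channel, payload }));
  }
}

function demo() {
  const hub = new FakeHub();
  const reasons = [];
  const watcher = watchSessionExpiry(hub, (reason) => reasons.push(reason));
  hub.dispatch('auth', { event: 'signIn' });
  hub.dispatch('auth', { event: 'tokenRefresh_failure' });
  hub.dispatch('auth', { event: 'signOut' }); // same dead session: deduplicated
  hub.dispatch('auth', { event: 'signIn' });
  watcher.markUserSignOut();
  hub.dispatch('auth', { event: 'signOut' }); // user-initiated: not an expiry
  return reasons;
}
```

In the `onExpired` callback the application would clear its own per-user state and route to its sign-in page; `demo()` returns the expiry reasons the watcher reported for the constructed event sequence.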

@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 11, 2023