0

I am implementing JS browser-side login with FB, Amazon, Twitter and Google with Cognito.

Have gotten to the stage where I can get client tokens for all 4, but the problem is that these tokens are short-lived and expire in 1-2 hours.

Research shows the Google token lasts only 1 hour; extending its life requires server-side code.

FB token lasts 2 hrs, auto-refreshes, but only while the user is logged in. The token will have expired the next time the user comes back (say after 2 days). Once again, this requires server-side code to get a longer-lived token.

Amazon token is valid for 1 hour and Twitter tokens do not expire.

All help appreciated (links to documentation, experience etc.).

JS on browser (not node.js)

Using Cognito, but AFAIK it doesn't have any bearing on the life of tokens.

Corrections are also welcome.

Neha Thakur

1 Answer

3

It's not a good idea to try to prolong the short-lived access tokens in the browser (although it would be possible, at least for FB), because then you'd have to expose your app's secret in your JS application, where everybody could theoretically steal it from.

You could lose the access to your social apps that way. So, it makes much more sense to do this on the server side.

See

Note that because this request uses your app secret, it must never be made in client-side code or in an app binary that could be decompiled. It is important that your app secret is never shared with anyone. Therefore, this API call should only be made using server-side code.

Tobi
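
The server-side exchange the answer describes, as an added example (not from the original post or from Facebook's documentation): a Node.js helper for the `fb_exchange_token` call that keeps the app secret on the server and hands the browser only the new token and its lifetime. The function names, the credentials object, the length bound and the unversioned Graph URL are assumptions made for illustration.

```javascript
// Server-side (Node.js) only. Added example; all helper names are hypothetical.
const GRAPH_TOKEN_URL = 'https://graph.facebook.com/oauth/access_token';

// Build the fb_exchange_token request. The secret comes from server-side
// config and never appears in anything returned to the browser.
function buildExchangeUrl(shortLivedToken, { appId, appSecret }) {
  if (!appId || !appSecret) throw new Error('server is missing FB app credentials');
  // Tokens are opaque; only reject empty or absurdly long input (bound is an assumption).
  if (typeof shortLivedToken !== 'string' || shortLivedToken.length === 0 ||
      shortLivedToken.length > 4096) {
    throw new Error('malformed access token');
  }
  const url = new URL(GRAPH_TOKEN_URL);
  url.search = new URLSearchParams({
    grant_type: 'fb_exchange_token',
    client_id: appId,
    client_secret: appSecret,
    fb_exchange_token: shortLivedToken,
  }).toString();
  return url;
}

// Exchange a browser-supplied short-lived token for a long-lived one.
// fetchImpl is injectable so it can be stubbed; defaults to global fetch (Node 18+).
async function exchangeToken(shortLivedToken, creds, fetchImpl = fetch) {
  const url = buildExchangeUrl(shortLivedToken, creds);
  let res, body;
  try {
    res = await fetchImpl(url);
    body = await res.json();
  } catch (_) {
    // Do not rethrow the original error: its message may embed the URL and the secret.
    throw new Error('token exchange failed: upstream unreachable');
  }
  if (!res.ok || !body.access_token) {
    throw new Error('token exchange failed: rejected by provider');
  }
  // Allow-list what goes back to the browser instead of forwarding the raw body.
  return { accessToken: body.access_token, expiresIn: body.expires_in ?? null };
}
```

Call `exchangeToken` from an authenticated server route and load the credentials from the server's environment or secret store, not from any file shipped to the client.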