3

I have a cordova app that is using the cordova-plugin-googleplus to allow users to authenticate with their google+ account. The app also gives the user access to an S3 bucket to upload photos via the aws sdk. To make this happen we are using AWS Cognito with federated identities, which works pretty well.

The problem is that after 1 hour of no S3 activity, I start getting this error the next time the app tries to do an upload:

{
    "__type": "NotAuthorizedException",
    "message": "Invalid login token. Token expired: 1513206998 >= 1513197640"
}

Based on my research, the issue is that the google+ token is expiring and needs to be refreshed but I'm having trouble understanding how to do that. Note that this needs to be done in the background without the user knowing. It's not acceptable to ask the user to re-authenticate every hour.

Here is the login code:

window.plugins.googleplus.login(params, obj => {
    let authData = {
        accessToken: obj.accessToken,
        idToken: obj.idToken
    };

    // localStorage only stores strings, so serialize the object
    localStorage.setItem('authData', JSON.stringify(authData));
});

Then when it's time to access the S3 bucket:

// Parse the serialized object back out of localStorage
let authData = JSON.parse(localStorage.getItem('authData'));

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'my-cognito-identity-pool-id',
    Logins: { 'accounts.google.com': authData.idToken }
});

AWS.config.region = 'us-west-2';

AWS.config.credentials.getPromise()
    .then(() => {
        let s3 = new AWS.S3();

        let params = {
            Bucket: 'my-bucket',
            Key: 'my-key',
            Body: imageBytes,
            ContentType: 'image/jpeg'
        };

        // Without a callback, upload() only starts once send() or promise() is called
        return s3.upload(params).promise();
    });

My understanding is that I need to look for the error listed above and refresh the google+ token if it occurs, but I'm not sure how that is done. I don't see support for that in the cordova-plugin-googleplus library. Do I have to make an http request myself? How does that work? Presumably I need to save the refresh token after login and use that somehow.

d512

2 Answers

2

According to this:

You need to take the oauth token and exchange it for the correct tokens (refresh/ access) on login

[...]

When a user needs their token refreshed (after 60 minutes) you must refresh it for them. Aka when you request a google api service and it sends you back a "token is invalid", you must eat the error and refresh the token and try the original request again.

If you still have an invalid token using the oauth2/v4 endpoint, you may have to use the oauth2/v1 endpoint:

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=...

You may also take a look at the Google documentation, and you can find a PHP example here.

A. STEFANI
0

I was able to get this to work by using the trySilentLogin method that comes with cordova-plugin-googleplus.

d512
  • so we need to use the `trySilentLogin` function each time we need a new `accessToken` (use it after every 60 minutes)? Don't we have to use `serverAuthCode` or is just calling `trySilentLogin` function enough? – Devashish Jul 12 '19 at 15:20
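
One way to wire the `trySilentLogin` approach from the answer above into the Cognito credentials from the question, as an added example that is not code from either poster. The function names, the injected `silentLogin` wrapper, the 300-second margin, and the assumption that `trySilentLogin` returns the same `idToken`/`accessToken` fields as `login` are illustrative.

```javascript
// Added example, not code from the post. The plugin call and the AWS credentials
// object are passed in so the logic can be exercised outside a Cordova webview.
const decodeB64 = typeof atob === 'function'
  ? atob
  : s => Buffer.from(s, 'base64').toString('binary');

// Read `exp` (seconds since epoch) from a JWT payload. Decode only: the signature
// is not checked here, so use the result for scheduling, never for trust decisions.
function idTokenExpiry(idToken) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) return 0; // malformed: treat as already expired
  try {
    let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    b64 += '='.repeat((4 - (b64.length % 4)) % 4);
    const exp = JSON.parse(decodeB64(b64)).exp;
    return Number.isFinite(exp) ? exp : 0;
  } catch (e) {
    return 0;
  }
}

// True when the token is expired or within `skewSec` of expiring (assumed margin).
function needsRefresh(idToken, nowSec, skewSec = 300) {
  return idTokenExpiry(idToken) - skewSec <= nowSec;
}

// silentLogin: e.g. (o, ok, fail) => window.plugins.googleplus.trySilentLogin(o, ok, fail)
// credentials: the AWS.CognitoIdentityCredentials instance from the question
function refreshLogins({ authData, credentials, silentLogin, options, nowSec }, done) {
  if (!needsRefresh(authData.idToken, nowSec)) return done(null, authData);
  silentLogin(options, obj => {
    if (needsRefresh(obj.idToken, nowSec, 0)) {
      return done(new Error('silent login returned no usable idToken'));
    }
    const fresh = { accessToken: obj.accessToken, idToken: obj.idToken };
    credentials.params.Logins['accounts.google.com'] = fresh.idToken;
    credentials.expired = true; // SDK re-fetches Cognito credentials on next use
    done(null, fresh);
  }, err => done(new Error('silent login failed: ' + err)));
}
```

Call `refreshLogins` with `nowSec: Math.floor(Date.now() / 1000)` before each upload and persist the returned object in place of the stored `authData`.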