3

I use the AWS Cognito service for authentication. In my Angular 7 app, I use Amplify Auth to guard my pages.

If the user navigates between different pages, Amplify will automatically handle the token refresh and they will not see token expirations.

If the user stays on one page for a long time, the token will not be refreshed, and eventually the user will see an expired token and will get a 403 for web service calls.

Is there any good solution to refresh the access/ID tokens if the user stays on the same page for a long time?

user2777473

3 Answers

2

Probably two ways:

  1. Use Auth.currentSession() to get the current valid token, or get a new one if the current one has expired. Amplify will handle it.
  2. As a fallback, use an interval job to refresh tokens on demand every x minutes, maybe 10 min. This is required when you have a long-running process like uploading a very large video which will take more than an hour (maybe due to a slow network); your token will then expire during the upload, and Amplify will not update it automatically for you. In this case, this strategy will work. Keep updating your tokens on some interval. How to refresh on demand is not mentioned in the docs, so here it is.

```javascript
import { Auth } from 'aws-amplify';

// Force a token refresh on demand using the stored refresh token.
async function refreshTokens() {
  try {
    const cognitoUser = await Auth.currentAuthenticatedUser();
    const currentSession = await Auth.currentSession();
    cognitoUser.refreshSession(currentSession.refreshToken, (err, session) => {
      if (err) {
        // session is undefined on failure, so bail out before destructuring it
        console.log('Unable to refresh Token', err);
        return;
      }
      // The session holds bearer tokens, so it is not written to the console.
      const { idToken, refreshToken, accessToken } = session;
      // do whatever you want to do now :)
    });
  } catch (e) {
    console.log('Unable to refresh Token', e);
  }
}
```

More here: https://github.com/aws-amplify/amplify-js/issues/2560

manishm
1

If you call cognitoUser.getSession from the Cognito JavaScript SDK, it will force the local tokens to be refreshed if they are no longer valid.

I think you have a few options here:

1) Call cognitoUser.getSession before you make every API call. This is an async call, so make sure you have a result before continuing with the API call. If the tokens are valid, this call will be very quick and inexpensive. If you need new tokens, it might take a second or two for the token to be refreshed.

2) Make the API call, and if you get a 403 response, call getSession, and once you have a result from that, try the API call again. Or if the call is not that important, just refresh the token, set some kind of error counter, and if it fails next time, flag it up to the user at that point.

F_SO_K
0

In the Amplify authentication documentation (retrieve current session), they show how to do it with Auth.currentSession(); this returns a Promise and refreshes the tokens when expired. In the data returned in the Auth.currentSession().then() block, you get a CognitoUserSession object with the keys iat and exp under idToken.payload; these can be used to determine when the idToken is about to expire or has expired. You can use these in your auth service to refresh the tokens when needed.

Marco St
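
The session-before-call and retry-on-403 options from F_SO_K's answer, combined with the `exp` check from Marco St's answer, as an added example (not code from any of the answers or from Amplify). `getSession` stands in for `() => Auth.currentSession()` and `request` for the app's HTTP call; both names, the 60-second skew and the `accessToken.jwtToken` field are assumptions.

```javascript
// Added example: getSession and request are injected (hypothetical names) so
// the refresh logic can be exercised offline with constructed sessions.
const SKEW_SECONDS = 60; // refresh this long before `exp` to absorb clock drift

// True when the ID token's `exp` claim (seconds since epoch) is past or near.
function isExpiring(session, nowMs = Date.now()) {
  const exp = session.idToken.payload.exp;
  return typeof exp !== 'number' || exp - SKEW_SECONDS <= nowMs / 1000;
}

function createAuthorizedCaller(getSession, request, now = Date.now) {
  let cached = null;   // last session returned by getSession
  let inFlight = null; // shared promise so parallel calls refresh only once

  function refresh() {
    if (!inFlight) {
      inFlight = getSession()
        .then((s) => (cached = s))
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  return async function call(url) {
    let session = cached && !isExpiring(cached, now()) ? cached : await refresh();
    let res = await request(url, session.accessToken.jwtToken);
    if (res.status === 403) {
      // Token rejected by the service: fetch the session again, retry once.
      session = await refresh();
      res = await request(url, session.accessToken.jwtToken);
    }
    return res; // a second 403 goes back to the caller, never into a loop
  };
}
```

The single retry keeps a request that is denied for authorization reasons, rather than for an expired token, from turning into a refresh loop.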