Manually set refresh token #5198

Closed
tschoffelen opened this issue Mar 26, 2020 · 7 comments
Labels: Auth (Related to Auth components/category), feature-request (Request a new feature), needs-discussion (Used for internal discussions)

Comments

tschoffelen commented Mar 26, 2020

Which Category is your question related to?

Auth

What AWS Services are you utilizing?

Cognito

Provide additional details e.g. code snippets

We're building a custom authentication flow where the user will get a refresh token (generated from a Cognito user pool) externally from Amplify. What is the
easiest way of passing that refresh token into Amplify?

I was hoping to find something like Auth.setRefreshToken(), so that we could then use functions like Auth.currentUser() out of the box, but I can't find something like that in the docs.

Am I missing something?

@tschoffelen tschoffelen added the question General question label Mar 26, 2020
@manueliglesias manueliglesias added the Auth Related to Auth components/category label Mar 27, 2020
@manueliglesias (Contributor)

Hi @tschoffelen

This is currently not supported, but one thing you can try is to look into localStorage for the key where it is stored:

// Storage key names used by amazon-cognito-identity-js; clientId and username
// stand in for this.pool.getClientId() and this.username from the library source.
function cognitoStorageKeys(clientId, username) {
  const keyPrefix = `CognitoIdentityServiceProvider.${clientId}.${username}`;
  const idTokenKey = `${keyPrefix}.idToken`;
  const accessTokenKey = `${keyPrefix}.accessToken`;
  const refreshTokenKey = `${keyPrefix}.refreshToken`;
  return { idTokenKey, accessTokenKey, refreshTokenKey };
}

@tschoffelen (Author)

Okay, that's a shame. Is this not a use case that you expect to come across more often?

@cardinalm7

Our team is having similar issues. We would like to be able to ingest a refresh token between apps for an SSO solution. Here is a reference to our Amazon support ticket:

Case ID 7031693371
https://console.aws.amazon.com/support/home#/case/?displayId=7031693371&language=en

Summary of problem:

We have multiple apps under the Ellen umbrella on which we want to implement an SSO flow using Cognito User Pool (federation enabled for Facebook, Google etc.), but we would not want to use the Cognito hosted UI since we have a few custom flows to complete the authentication for the user before they enter their credentials and after the authentication is completed. We want to spin up our own standalone app (preferably using amplify) which would handle the authentication using CUP and finally redirect the Cognito tokens to the calling app.

We were wondering if there is an option to be able to control the callback url without using the Cognito hosted UI.

Applications that require authentication:
Application A: www.ellentube.com
Application B: www.anotherellenapp.com

Application that handles authentication:
Application C: auth.ellentube.com

Flow:
Step 1: User starts at one of our applications and clicks a sign-in link
A Or B --> C
Step 2: User authenticates at C and is redirected back to A/B with authentication tokens
C --> A Or B (depending the source requesting the authentication)

Code on application C: Auth.signIn(username, password);
This method will sign in a user on C but doesn’t redirect to A/B or D with tokens.

We are having trouble at Step 2. We are currently unable to leverage OAuth callbacks from our authentication app without navigating to Cognito hosted UI.

We had a call with Amazon support and were instructed to pass the refresh token between our applications, but it is not sufficient to log a user in without the id Token and the access token.

@mbsimonovic

@cardinalm7 how did you solve this? I've got the same requirement

@cardinalm7

Hey @mbsimonovic
We ended up creating a backend API which exchanges tokens for an authorization_code saved to a Redis cluster, and used PKCE and state to secure the exchange to mirror the oauth2 spec, essentially using our app as a token broker.

There are other solutions that could have worked... Amplify uses 4 local storage keys to create its session: refresh token, id token, device key, and I can't remember the other key... easy to discover by removing the keys and seeing if Amplify can authenticate.

If you can transfer these values from one app to the other (perhaps with a query param or a custom API), then you can transfer the session. I recommend using the most secure version of the solution if you are passing tokens around.

Some helpful tips that I wish someone explained to me at the beginning of my oauth journey:

Auth.currentSession will refresh the user's id and access token ONCE their tokens expire.
After working with Amplify, I think it's not worth the headache it caused... if you go the Amazon Cognito route, you will have more control overall.

I hope this was helpful!
Michael

@elorzafe (Contributor)

@tschoffelen @mbsimonovic @cardinalm7

I will mark this issue as a feature request.

Thanks for all the feedback.

@elorzafe elorzafe added feature-request Request a new feature needs-discussion Used for internal discussions and removed question General question labels Sep 28, 2020
@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 30, 2023