Refresh issue after token expires #198
Hi @bedaka Those cookie settings you pasted look good (the vanilla values, should work). Is the app client allowed to refresh tokens? (Does it allow ALLOW_REFRESH_TOKEN_AUTH?) The 400s I've seen reported here before had to do with some conflicting setup in Cognito, such as:
See this search: https://github.com/aws-samples/cloudfront-authorization-at-edge/issues?q=is%3Aissue+400 Looking at the code again, I see there's not much logging to help you in this case:
It would be great to add e.g. If you're deploying using SAM CLI, you can add that logging yourself in the code and redeploy (increase the value for parameter VERSION then, to ensure CloudFormation really redeploys the Lambda functions).
It would be helpful to know:
Thanks for your reply. To answer your follow-up questions:
This is the header of my request and the decoded JWTs, in case this is of interest: amplitude_id_5b66b1a209cXXXXX_our_domain.com=XXXX;
I'll try to add the advanced logging as you recommended and see if it generates new insights.
The advanced logging as you suggested provided this message:
Thanks for the extra info. Also, you mentioned the signin button does not work. Do you have more info on that?
Yes, sorry, I forgot to mention that ALLOW_REFRESH_TOKEN_AUTH is set to true. But actually I might have figured out the issue. The "Sign in" Button redirects to Unrelated to that, I wonder why the refreshAuth lambda does not realize that my token is expired but instead tries to query Cognito. The "invalid_grant" error seems to be a reasonable response in case the refresh token is expired, but wouldn't the correct response be to clear the client cookies so that it can log in again instead of throwing an error?
Ahh, so the token was expired. Great that you found the reason and know now why the button didn’t work. You can’t tell if a refresh token is expired or not; the only way is to try to use it. (It’s an encrypted JWT that only Cognito can decrypt.) Since “invalid_grant” is an error that can happen in other cases as well, you don’t know if an expired refresh token is the reason for it. But it would probably be good to add to the error message a text like “this is likely because your refresh token is expired. Please sign in again”.
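The handling the two comments above converge on, written out as an added example (JavaScript, since Lambda@Edge runs Node.js; this is not code from cloudfront-authorization-at-edge): the refresh handler classifies the Cognito token endpoint reply, treats a 400 with `"error": "invalid_grant"` as final rather than something to retry, expires the auth cookies, and redirects to sign-in with a message that says why. The cookie names, domain, sign-in URL and return URL are assumptions; the response shape (status, `headers`, `body`) follows the Lambda@Edge convention, and the `invalid_grant` error code is the standard OAuth 2.0 token error Cognito returns for an expired or revoked refresh token.

```javascript
'use strict';
// Added example, not project code. Assumed: cookie names, domain and URLs passed in
// by the caller; Cognito answers 400 {"error":"invalid_grant"} for an expired or
// revoked refresh token (OAuth 2.0 token error format).

// Form body for the refresh_token grant POSTed to <cognito domain>/oauth2/token.
function buildRefreshRequestBody(clientId, refreshToken) {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  }).toString();
}

// Classify the token endpoint reply. Only "transient" outcomes are worth a retry;
// retrying an invalid_grant five times just delays the error page.
function classifyTokenResponse(status, bodyText) {
  let body = {};
  try { body = JSON.parse(bodyText || '{}'); } catch (_) { /* non-JSON body, e.g. gateway HTML */ }
  if (status === 200 && body.id_token && body.access_token) {
    return { outcome: 'refreshed', tokens: { idToken: body.id_token, accessToken: body.access_token } };
  }
  if (status === 400 && body.error === 'invalid_grant') {
    // Expired or revoked refresh token: as noted above, the only way to find out is to try it.
    return { outcome: 'refresh_token_rejected', reason: body.error_description || 'invalid_grant' };
  }
  if (status >= 400 && status < 500) {
    // Other client errors (invalid_client, unauthorized_client, ...) point at app client
    // configuration, e.g. the refresh-token auth flow not being enabled on the client.
    return { outcome: 'configuration_error', reason: body.error || `status ${status}` };
  }
  return { outcome: 'transient', reason: `status ${status}` };
}

function shouldRetry(result) {
  return result.outcome === 'transient';
}

// Set-Cookie value that removes a cookie. Domain/Path/Secure/SameSite must match the
// attributes used at sign-in, otherwise the browser keeps the original cookie and the
// user is stuck on the refresh page again.
function expiringCookie(name, domain) {
  return `${name}=; Domain=${domain}; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax`;
}

function settingCookie(name, value, domain) {
  return `${name}=${value}; Domain=${domain}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Build a Lambda@Edge style response from the classification.
// cookies maps { idToken, accessToken, refreshToken } to the cookie names in use.
function buildEdgeResponse(result, { cookies, domain, signInUrl, returnTo }) {
  const setCookie = (values) => values.map((v) => ({ key: 'Set-Cookie', value: v }));
  switch (result.outcome) {
    case 'refreshed':
      return {
        status: '302',
        headers: {
          location: [{ key: 'Location', value: returnTo }],
          'set-cookie': setCookie([
            settingCookie(cookies.idToken, result.tokens.idToken, domain),
            settingCookie(cookies.accessToken, result.tokens.accessToken, domain),
          ]),
        },
        body: '',
      };
    case 'refresh_token_rejected':
      return {
        status: '302',
        headers: {
          location: [{ key: 'Location', value: signInUrl }],
          'set-cookie': setCookie(Object.values(cookies).map((n) => expiringCookie(n, domain))),
        },
        body: 'Your session has expired (refresh token rejected). Please sign in again.',
      };
    case 'configuration_error':
      return {
        status: '500',
        headers: {},
        body: `Token refresh failed: ${result.reason}. Check the Cognito app client settings (refresh-token auth flow).`,
      };
    default:
      return {
        status: '503',
        headers: { 'retry-after': [{ key: 'Retry-After', value: '1' }] },
        body: `Token refresh temporarily failed: ${result.reason}`,
      };
  }
}
```

The point of the split between `refresh_token_rejected` and `configuration_error` is the diagnostic value: an expired token is the user's problem and needs a fresh sign-in, while `unauthorized_client` or `invalid_client` means the deployment is misconfigured and no amount of re-signing-in will help. Clearing the cookies on rejection is what breaks the "stuck on the refresh page" state described in this issue without requiring the user to delete cookies by hand.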
Fixing the Behavior rules name did work. Thank you very much for your support 🙏🏽
We're using 2.1.1 with our own CloudFront Distribution. Similar to this issue, once the refresh token is expired users are stuck with this "Refresh issue" page:

The SignOut / Sign in button does not work and the only way to resolve this is to delete the cookies manually. Different to the linked issue, I do not observe the "request loop" that is mentioned there, which leads me to believe this might be a different problem.

With log level DEBUG on the RefreshHandler I noticed that the HTTP POST request towards https://our-address.auth.eu-central-1.amazoncognito.com/oauth2/token fails with 400. Unfortunately there are no more details in the log. After 5 retries the Handler redirects to the error page. If https://our-address.service.prisma-capacity.cloud/signout is called directly we get redirected to /refreshauth and are stuck again. This is our cookie related configuration: