-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature request] Handle custom JWT expiration setting (eg 5 minutes) #81
Comments
I'm also working with the AWS Support crew on this -- after reiterating how auth@edge works, their engineer suggested:
If I understand that right, there might be two issues, not just one.
I wonder how many of these issues will be less of an issue with the 1.3 version of a@e, possibly if we bring the cognito user pool out of the framework and into the calling cloudformation. Ideas welcome and I'll start to look at that once time permits. |
5 mins timeout for the tokens, that is not gonna work with this solution, because auth@edge is currently coded to refresh tokens when they would expire in the next 10 mins. This is to prevent the tokens from becoming expired, instead of waiting for that to happen first. cloudfront-authorization-at-edge/src/lambda-edge/check-auth/index.ts Lines 30 to 32 in 97788d8
So then you'd get into a loop situation, where tokens would be refreshed always. This might lead to unexpected errors, as the one you're seeing. Do you really need 5 mins? What is the idea there? |
Might make a parameter out of that 10 min thing, instead of hardcoding it like this. |
Sure. It's less of a problem than it looks. The idea was that in testing refresh scenarios it's important to get a short turn-around time. Anything better than an hour is ... better than an hour! So 12 minutes would do nearly as well as 5. And a parameter wouldn't hurt. |
I experienced the infinite loop as well after switching id tokens and access tokens to 5 minutes during testing. I would also expect the hardcoded 10 min to be configurable (all the way down to 1 min, because I feel lucky with worldwide, cross-region clock synchronization :) ). |
Do send a PR for it if you'd like to get hands dirty. |
In #184 it was implemented that "Refreshing of tokens is no longer performed ahead of time, but rather now "lazily" when needed." This works better with short JWT expiration. |
Using semantic version 1.2.1
Doing some timeout work and believe there might be an issue between auth@edge and the (very) new AWS feature to set a custom value on token expiration, documented here.
We start with a working angular SPA and default values. Verify operation and log out.
Now we change the identity and access tokens to 5 minutes and save:
On relogin we get the cognito email/password challenge, and then:
So that's not encouraging. We reset the timeouts to 60m and can log in fine with the "try again".
We can then reset the cognito to 5m but it's ineffective for testing (does not time out after 5m), probably because the app already has the 60m cookie.
Thoughts?
The text was updated successfully, but these errors were encountered: