Manually expiring a cognito session token #1241

Closed

patrik-piskay opened this issue Nov 28, 2016 · 12 comments
Labels
guidance Question that needs advice or information.

Comments

patrik-piskay commented Nov 28, 2016

Is there a way to manually expire a session token used by Cognito so we force Cognito to refresh the token? Expiry date is not configurable and waiting an hour for the token to expire is a lot of time wasted when debugging.

The issue we are having is that for each request through AWS API Gateway we need to get credentials (accessKeyId, secretAccessKey, sessionToken), and after an hour of inactivity this request for credentials (AWS.config.credentials.get) will return an error (Access to Identity XXX is forbidden) and refreshes the credentials in the next request. But the API Gateway call that resulted in Access to Identity XXX is forbidden is never made (because it failed on retrieving the credentials) -> we'd like to implement a logic that would wait for the credentials to be reloaded and then continue with the API Gateway request, but for that we'd need an easy way to invalidate the session token (or to simulate this in other way).

Thanks!

@chrisradek (Contributor) commented

@patrik-piskay
Are you looking to manually refresh CognitoIdentityCredentials? You could call the refresh method directly instead of get. Behind the scenes, get checks if the credentials have expired (based on expiry date) prior to calling refresh, but calling refresh directly bypasses that check.

@patrik-piskay (Author) commented

Hi @chrisradek, no, refreshing is not the problem.

Problem for us is that we need to call get before we do any API Gateway request. And that get request will sometimes fail because the token has expired. In that case the credentials will get renewed in the next request and only after that we can continue with the API Gateway request.

But not being able to set expiry time manually means that if we want to handle this "get request -> request failed -> credentials renewed -> API Gateway call" scenario, we have to wait 1 hour to be able to do that.

@chrisradek (Contributor) commented

@patrik-piskay
Ah ok, for CognitoIdentityCredentials, the reason refresh isn't working for your case is due to the way this provider caches the IdentityId.

You can manually clear the cache by calling AWS.config.credentials.clearCachedId(). The provider is doing this internally when it gets a 'NotAuthorizedException' error, which is why the next get works.

@patrik-piskay (Author) commented

Thanks @chrisradek but this doesn't seem to do what we are expecting. We'd like to control (for dev purposes only) when we get 403 Access to Identity XXX is forbidden response from cognito's credentials.get call. Currently we get this only once an hour.

@chrisradek (Contributor) commented

@patrik-piskay
I think I misunderstood before. Do you actually want this error to occur more frequently than it currently does?

@patrik-piskay (Author) commented

Sorry if it wasn't clear, but yes, that's exactly it! So it is easier for us to handle this scenario (which we already did, but testing it in the future will require us to wait 1 hour to test it again).

@patrik-piskay (Author) commented

Solution would be to have this expiration time configurable, or an API to invalidate the token.

@chrisradek (Contributor) commented

So, the error you're seeing is coming from a service, it isn't one that the SDK itself generates. The token the service (either CognitoIdentity or STS, depending on the params you used) generates has its own expiration. If you manually overwrite the expireTime for the credentials, that will just cause the provider to pre-emptively refresh the credentials, so that error isn't seen.

If you take a look at the params passed into the CognitoIdentityCredentials constructor, you'll notice that STS.assumeRoleWithWebIdentity is one of the operations the provider calls when you provide a roleArn. If you are doing this, you could provide DurationSeconds, which determines how long the credentials are valid for. I believe the lowest you can specify is 900 seconds, or 15 minutes.

Otherwise, you'd need to find a way to mock the behavior you want. There isn't anything else we can do from the SDK side to cause the service to return this error.
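The mocking approach suggested above, as an added example that is not part of the issue thread or the aws-sdk-js code base: a small wrapper implementing the "get fails with NotAuthorizedException -> clearCachedId -> get again -> proceed with the API Gateway call" flow, driven by a constructed fake provider so the expiry path can be exercised offline and on demand instead of once an hour. `getCredentialsWithRetry`, `FakeCognitoCredentials` and `runScenario` are this example's own names; the `get(cb)` / `clearCachedId()` methods and `accessKeyId` / `secretAccessKey` / `sessionToken` properties mirror the v2 `AWS.CognitoIdentityCredentials` surface discussed in the thread, and the constructor shape in the comment (`RoleArn` plus `DurationSeconds`, which the provider forwards to STS.assumeRoleWithWebIdentity) is taken from the SDK documentation rather than from this issue. All credential values are constructed placeholders.

```javascript
'use strict';
// Added example (not from the issue or the SDK). Wraps a
// CognitoIdentityCredentials-style provider and retries get() once after the
// service-side NotAuthorizedException ("Access to Identity ... is forbidden"),
// clearing the cached IdentityId first, exactly as the SDK does internally.
//
// For the real provider (per SDK docs, not used here so the file runs offline):
//   const provider = new AWS.CognitoIdentityCredentials({
//     IdentityPoolId: 'us-east-1:pool-id',          // placeholder
//     RoleArn: 'arn:aws:iam::123456789012:role/x',  // placeholder
//     DurationSeconds: 900,                          // STS documented minimum
//   });
// DurationSeconds only shortens the STS-issued credentials; it does not make the
// NotAuthorizedException reproducible on demand, hence the fake below.

function getCredentialsWithRetry(provider, callback, maxRetries) {
  if (maxRetries === undefined) maxRetries = 1;
  let attempts = 0;

  function attempt() {
    attempts += 1;
    provider.get(function (err) {
      if (!err) {
        // Credentials are valid: hand them to the API Gateway caller.
        return callback(null, {
          accessKeyId: provider.accessKeyId,
          secretAccessKey: provider.secretAccessKey,
          sessionToken: provider.sessionToken,
          attempts: attempts,
        });
      }
      // Only the identity-forbidden error is retryable here; anything else
      // (network, misconfiguration) is surfaced to the caller unchanged.
      if (err.code === 'NotAuthorizedException' && attempts <= maxRetries) {
        if (typeof provider.clearCachedId === 'function') provider.clearCachedId();
        return attempt();
      }
      callback(err);
    });
  }

  attempt();
}

// Constructed fake: the first `failuresBeforeSuccess` calls to get() fail with
// the 403 NotAuthorizedException the issue describes, later calls succeed.
// Callbacks are invoked synchronously so results can be inspected directly.
class FakeCognitoCredentials {
  constructor(failuresBeforeSuccess) {
    this.failuresBeforeSuccess = failuresBeforeSuccess;
    this.clearCachedIdCalls = 0;
    this.accessKeyId = null;
    this.secretAccessKey = null;
    this.sessionToken = null;
  }

  clearCachedId() {
    this.clearCachedIdCalls += 1;
  }

  get(cb) {
    if (this.failuresBeforeSuccess > 0) {
      this.failuresBeforeSuccess -= 1;
      const err = new Error(
        'Access to Identity us-east-1:00000000-0000-0000-0000-000000000000 is forbidden.'
      );
      err.code = 'NotAuthorizedException';
      err.statusCode = 403;
      return cb(err);
    }
    // Constructed placeholder credentials, not real AWS values.
    this.accessKeyId = 'ASIAEXAMPLE';
    this.secretAccessKey = 'secret-example';
    this.sessionToken = 'session-token-example';
    cb(null);
  }
}

// Drive one scenario and return what the API Gateway caller would observe.
function runScenario(failuresBeforeSuccess, maxRetries) {
  const provider = new FakeCognitoCredentials(failuresBeforeSuccess);
  let outcome = null;
  getCredentialsWithRetry(provider, function (err, creds) {
    outcome = { err: err, creds: creds, clearCachedIdCalls: provider.clearCachedIdCalls };
  }, maxRetries);
  return outcome;
}

module.exports = { getCredentialsWithRetry, FakeCognitoCredentials, runScenario };
```

In a test suite the fake stands in for `AWS.config.credentials`; `runScenario(1, 1)` reproduces the expired-token path (one failure, one cache clear, credentials on the second attempt), while `runScenario(2, 1)` shows the wrapper giving up and surfacing the error rather than looping.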

@patrik-piskay (Author) commented

Cheers @chrisradek!

@abdulkhn8 commented

Hi @patrik-piskay ,
can you please share the code, how you specify timeout.

@mansdahlstrom1 commented

Have there been any updates on this from the SDK side? We are currently also looking for a way to handle scenarios where the AWS.credentials expire and to handle them appropriately. For dev purposes it would be super nice to be able to set expireTime to something around 30 sec.

@srchase srchase added guidance Question that needs advice or information. and removed Question labels Jan 4, 2019
lock bot commented Sep 28, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@lock lock bot locked as resolved and limited conversation to collaborators Sep 28, 2019