Cognito - What to do with the Tokens


I have successfully implemented the authentication flow using Cognito. I have used lambda functions to perform the authentication logic. And called the functions (via API Gateway) through my ReactJS application. Below is the process of my application's authentication flow.

The user is created from the Cognito console in AWS. And the user is sent an email with the temporary password.

  1. User comes to the login screen and enters the username (email) and temp password.
  2. User is redirected to a set-new-password view (permanent password).
  3. Once successful, the user is redirected to the login view.
  4. User enters username (email) and password.
  5. If successful, the user is redirected to the home view (checking that the user has logged in has to be implemented here).

When user login is successful, the application receives the "Access Token", "ID Token" and "Refresh Token" tokens. My question is what I should do with them.

  1. Should I validate the user every x amount of time with the refresh token (like sending an automated request every x amount of time)?
  2. If the refresh token is not valid (expired), should I automatically sign out the user?
  3. What happens when the "Access Token" and "ID Token" are not valid, what should I do then?
  4. If the user signs out from the application, should I invalidate all 3 tokens?
  5. If the user is inactive in the application (after y amount of time), should I automatically sign out the user from the application as well as from Cognito?
  6. What can I do with the "ExpiresIn" attribute that comes in the response?

I am a bit unsure of what to do next once those tokens are obtained. As I am new to this area, I am still trying to capture the concepts. Your explanation is much appreciated.

1 Answer
Accepted Answer

Hi.

The tokens you get are standard OAuth2 tokens.

The ID Token is proof that the user has been authenticated and contains information about the user; this token can be used by the client.
The Access Token allows the client to access resources such as an API on behalf of the user.
The Refresh Token is used by the client to get a new Access Token without having the user input the password again.

In short, you send the Access Token to your API, which validates the token and makes a decision on allow/deny. For example, AWS API Gateway HTTP API comes with a built-in authoriser for JWT (OAuth2), which simplifies this. You use the Refresh Token when your client detects that an Access Token is no longer valid; you can do this in different ways, checking the valid timestamp or relying on the backend to tell you the token has expired.

I would recommend reading documentation around OAuth2 to get all the details and a better understanding.

Hope it helps!

EXPERT
answered 9 months ago
  • Thanks so much for your clarification, Jimmy.
