
Questions tagged with Amazon Cognito


Does the AWS SDK for JavaScript V3 handle refresh of expired temporary credentials?

I am developing an application using Amazon Cognito User Pools and Identity Pools. My application uses:

* the Cognito Hosted UI and authorization code grant to get an authorization code
* a POST request to a standard `oauth2/token` endpoint to exchange the authorization code for an `id_token`, `access_token`, and `refresh_token`
* the AWS SDK for JavaScript V3 `fromCognitoIdentityPool` method to exchange an `id_token` for temporary AWS credentials (which are used to allow users to access various AWS services)

My question relates to the expiration and refresh of these temporary AWS credentials. The IAM user guide says [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html):

> You must make sure that you get a new set of credentials before the old ones expire. In some SDKs, you can use a provider that manages the process of refreshing credentials for you; check the documentation for the SDK you're using.

I am using the AWS SDK for JavaScript V3. I have searched through these resources without finding any reference to whether or not the SDK handles refreshing of temporary credentials:

1. [The API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html)
2. [The Developer Guide](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/welcome.html)
3. [Various code files from the repository](https://github.com/aws/aws-sdk-js-v3)

I did find one tangential, ambiguous reference to credential expiration and refreshing on the page ["Using Amazon Cognito Identity to authenticate users"](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/loading-browser-credentials-cognito.html) in the section named ***Switch to Authenticated User***. I think adding a section to this page about the details of temporary credentials refresh would be extremely helpful to developers.

**Does the AWS SDK for JavaScript V3 handle refresh of expired temporary credentials? Where is this described in the documentation for the SDK?**

If yes:

* Does the SDK handle the exchange of a `refresh_token` for an `id_token` and then exchange of an `id_token` for expired temporary credentials?
* Or does the SDK require developers to write application code that exchanges a `refresh_token` for an `id_token`? (Meaning the SDK would just handle exchanging an `id_token` for expired temporary credentials.)
0 answers · 0 votes · 7 views · asked 10 hours ago

AWS Game Lift Server: Best Solution for Generating and Rotating API Keys for AWS Server Authentication?

We are currently setting up some authentication systems for our UE4 game servers so that we are sure they are the only devices/users that are capable of accessing our internal API / Lambda functions. With that in mind, there is a desire to not hard code any Cognito user IDs or tokens into the actual server code itself. Instead, we would like to pursue having these tokens be generated and cycled through on AWS's side, to keep it decoupled. We are undecided whether these tokens should be for the life of the GameLift server or for a set period of time, whichever is most feasible. This way, if we need to adjust access to certain features down the road, it will not require an update to the deployed Unreal Engine server build.

Does the AWS API or Lambda have any features out of the box to check if an API request is coming from within AWS, ideally from one of the active GameLift instances? While we may still need to create a Cognito identity for the servers, or just check the local IP of the running GameLift servers, the ideal flow would look like:

1. UE4 game server on AWS asks for a token on startup.
2. Lambda authorization script checks to make sure it is valid and coming from within AWS/GameLift.
3. Once validated, the Lambda function provides a token for the server to use in backend Lambda functions.
4. Before GameLift server shutdown, revoke access or add to a "black-listed" token database to prevent second use before token expiration.
1 answer · 0 votes · 18 views · asked 3 days ago