saml2aws
Token auto-refresh support
I am looking for a mechanism that will auto-refresh tokens; we have only a 1 hour session timeout and it's a very poor experience.
I see 2 solutions:
- create some daemon that will monitor a session token expiry
- implement in my script some bash function that detects messages like "An error occurred (ExpiredToken) when calling the PutObject operation: The provided token has expired."
The problem with the second is that it's already after the token expired, so it's too late. Is there anything like a refresh token in AWS, so that when I detect the token is going to expire in, let's say, 10 seconds (or any interval), I can use the refresh token to get a new one?
If no refresh mechanism is available, can I force a login even before the current token expires?
Thank you very much.
Ladislav
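The first option from the post above, written out as an added example (this is not saml2aws code and not the poster's script): a wrapper that reads the session expiry saml2aws records in the shared credentials file and runs a fresh `saml2aws login` while the old token is still valid, so the `ExpiredToken` error never has to be parsed. It assumes saml2aws writes the expiry as the `x_security_token_expires` key of the profile in `~/.aws/credentials` in RFC 3339 form, and that `saml2aws login --force --skip-prompt -p <profile>` is the refresh command; check both against your own file and `saml2aws login --help`. The refresh action is injected so the expiry logic runs offline against a constructed credentials file.

```python
"""Re-login with saml2aws before the cached STS session token expires.

Added example; not part of saml2aws. Assumptions (verify against your setup):
- saml2aws writes the token expiry into the profile section of
  ~/.aws/credentials as ``x_security_token_expires`` (RFC 3339 timestamp)
- ``saml2aws login --force --skip-prompt -p <profile>`` refreshes the profile
"""
import configparser
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, Optional

EXPIRY_KEY = "x_security_token_expires"   # assumed key name written by saml2aws
DEFAULT_THRESHOLD = 600                    # refresh when fewer than 10 minutes remain

# Constructed sample credentials file (fake values, not a real key).
SAMPLE_CREDENTIALS = """\
[saml]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = example-secret-not-real
aws_session_token = example-session-token-not-real
x_security_token_expires = 2024-01-01T12:00:00+00:00
"""


def parse_time(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; a trailing 'Z' and naive values are treated as UTC."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def seconds_until_expiry(credentials_text: str, profile: str, now: datetime) -> Optional[float]:
    """Seconds until the profile's session token expires, or None if the profile/key is absent."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    if not parser.has_option(profile, EXPIRY_KEY):
        return None
    return (parse_time(parser.get(profile, EXPIRY_KEY)) - now).total_seconds()


def ensure_fresh(credentials_text: str, profile: str, now: datetime,
                 refresh: Callable[[str], None],
                 threshold_seconds: int = DEFAULT_THRESHOLD) -> bool:
    """Call refresh(profile) if the token is missing or expires within the threshold.

    Returns True when a refresh was triggered. An unknown expiry is treated as
    expired: better one extra login than a failed PutObject halfway through a job.
    """
    remaining = seconds_until_expiry(credentials_text, profile, now)
    if remaining is None or remaining < threshold_seconds:
        refresh(profile)
        return True
    return False


def refresh_with_saml2aws(profile: str) -> None:
    """Production refresh hook: force a new login even if saml2aws thinks the token is valid."""
    subprocess.run(["saml2aws", "login", "--force", "--skip-prompt", "-p", profile], check=True)


def run_aws(args: list, profile: str,
            credentials_path: Path = Path.home() / ".aws" / "credentials",
            refresh: Callable[[str], None] = refresh_with_saml2aws) -> int:
    """Refresh the profile if needed, then run `aws --profile <profile> <args>`."""
    text = credentials_path.read_text() if credentials_path.exists() else ""
    ensure_fresh(text, profile, datetime.now(timezone.utc), refresh)
    return subprocess.run(["aws", "--profile", profile, *args]).returncode


if __name__ == "__main__":
    # Offline demonstration against the constructed file; the real call would be
    #   run_aws(["s3", "cp", "file.bin", "s3://bucket/key"], "saml")
    when = parse_time("2024-01-01T11:55:00+00:00")
    print("seconds left:", seconds_until_expiry(SAMPLE_CREDENTIALS, "saml", when))
    print("refreshed:", ensure_fresh(SAMPLE_CREDENTIALS, "saml", when,
                                     lambda p: print("would run saml2aws login for", p)))
    sys.exit(0)
```

Wrap every AWS CLI invocation in your script through `run_aws` (or call `ensure_fresh` once at the top of each loop iteration for long-running jobs); the threshold should be comfortably longer than the longest single operation you run, since a token that is valid when the command starts can still expire before a large upload finishes.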
I have found some related stuff on Stack Overflow (https://stackoverflow.com/questions/49316650/aws-sts-token-refresh-with-existing-token-received-from-assumerolewithsaml):
Your question is one I was working on solving myself; we have a WPF Desktop Application that is attempting to log into AWS through Okta, then use the AssumeRoleWithSaml API to get the STS Token.
Using this flow invoked the Role Chaining rules and thus our token would expire every hour.
What I did to overcome this is to cache the initial SAMLResponse Data from Okta (after the user does MFA) and use that information to ask for a new token every 55 minutes. I then use that new token for any future AWS resource calls.
Once 12 hours passes, I ask the user to authenticate with Okta again.
For those wondering about implementation for their own WPF apps, we use the AWS Account Federation App in Okta.
The application uses 2 packages:
- Okta .NET Authentication SDK
- AWS SDK for .NET
After setting up your AWS Account Federation App in Okta, use the AWS Embed Url and SAML Redirect Url in your application to get your SAMLResponse data.
Is this a working solution: cache the response and then refresh only after 12 hours?
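The scheduling logic of the cached-SAMLResponse approach quoted above, as an added example in Python (the Stack Overflow answer describes a .NET/WPF application; this is not that code and not part of saml2aws): the SAML assertion obtained after MFA is kept in memory, `AssumeRoleWithSAML` is called again with it every 55 minutes, and after 12 hours the user is sent back to the IdP. The STS call is injected so the logic runs offline; `assume_role_with_boto3` shows the real hook using `boto3`'s `assume_role_with_saml`. The role and principal ARNs and the assertion string in the demonstration are placeholders. One caveat the code handles: STS validates the assertion's own conditions, so if the cached assertion is rejected before the 12 hours are up, the session is treated as needing re-authentication rather than retried.

```python
"""Renew STS credentials from a cached SAML assertion until it is time to re-authenticate.

Added example, not the answerer's application code. The ARNs and assertion used in
the demonstration are placeholders; the production hook assumes boto3 is installed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

RENEW_AFTER = timedelta(minutes=55)   # new token before the 1 hour chained-role limit
REAUTH_AFTER = timedelta(hours=12)    # after this, send the user back to the IdP (MFA)

AssumeRoleFn = Callable[[str], Dict[str, str]]   # SAML assertion -> Credentials dict


class ReauthRequired(Exception):
    """The cached SAMLResponse can no longer be used; the user must log in to the IdP again."""


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Small helper for building aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class CachedSamlSession:
    """The SAMLResponse from the IdP plus the most recent STS credentials derived from it."""
    assertion: str              # base64 SAMLResponse captured after the user completed MFA
    obtained_at: datetime       # when the IdP issued it
    credentials: Optional[Dict[str, str]] = None
    credentials_at: Optional[datetime] = None
    renewals: int = 0

    def needs_renewal(self, now: datetime) -> bool:
        return self.credentials is None or now - self.credentials_at >= RENEW_AFTER

    def credentials_for(self, now: datetime, assume_role: AssumeRoleFn) -> Dict[str, str]:
        """Return usable credentials, renewing them every 55 minutes from the cached assertion."""
        if now - self.obtained_at >= REAUTH_AFTER:
            raise ReauthRequired("cached SAMLResponse is older than 12 hours")
        if self.needs_renewal(now):
            try:
                self.credentials = assume_role(self.assertion)
            except Exception as exc:
                # STS refused the assertion (for example its validity window ended
                # earlier than our 12 hour budget): the cache is useless now.
                raise ReauthRequired("AssumeRoleWithSAML rejected the cached assertion") from exc
            self.credentials_at = now
            self.renewals += 1
        return self.credentials


def assume_role_with_boto3(role_arn: str, principal_arn: str,
                           duration_seconds: int = 3600) -> AssumeRoleFn:
    """Production hook: returns a function that exchanges the assertion for STS credentials."""
    def assume(assertion: str) -> Dict[str, str]:
        import boto3  # imported lazily so the scheduling logic above runs without it
        sts = boto3.client("sts")   # AssumeRoleWithSAML needs no existing credentials
        response = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn,
                                             SAMLAssertion=assertion,
                                             DurationSeconds=duration_seconds)
        return response["Credentials"]
    return assume


def fake_sts(assertion: str) -> Dict[str, str]:
    """Constructed stand-in for STS used by the offline demonstration."""
    fake_sts.calls += 1
    return {"AccessKeyId": f"ASIAFAKE{fake_sts.calls:04d}", "SecretAccessKey": "fake",
            "SessionToken": f"token-{fake_sts.calls}"}
fake_sts.calls = 0


if __name__ == "__main__":
    start = utc(2024, 1, 1, 8, 0)
    session = CachedSamlSession(assertion="PHNhbWxwOlJlc3BvbnNlPi4uLg==", obtained_at=start)
    for minutes in (0, 30, 55, 120):
        creds = session.credentials_for(start + timedelta(minutes=minutes), fake_sts)
        print(f"+{minutes:>3} min -> {creds['AccessKeyId']} (renewals so far: {session.renewals})")
    try:
        session.credentials_for(start + REAUTH_AFTER, fake_sts)
    except ReauthRequired as err:
        print("after 12 h:", err)
```

For a real deployment, pass `assume_role_with_boto3("arn:aws:iam::123456789012:role/YourRole", "arn:aws:iam::123456789012:saml-provider/YourIdP")` as the `assume_role` argument and keep the `CachedSamlSession` in memory only, since the assertion is as sensitive as the credentials it can mint.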