github-cognito-openid-wrapper
Add support for refresh tokens
Nice work! What's the challenge with implementing the refresh token? I'm assuming GitHub provides this and it's just a need to intercept the request and proxy? If there are no technical challenges you are aware of I will have a stab!?
Apologies, somehow I missed this issue when you opened it.
I'm not certain whether Cognito uses refresh tokens with OpenID federation, so some investigation may be required. I don't believe it's mentioned in the documentation for the flow - Cognito generates its own refresh tokens (which are mentioned), but it's not clear whether refresh tokens are used with OIDC federation.
However, there are no technical challenges that I am currently aware of, and a PR to add this would be most welcome!
Now that I think about this, one issue may be that GitHub doesn't issue refresh tokens (as far as I remember).
If this is the case, the feature would still be useful if people are using this wrapper for other OAuth services - I've thought about making that part more general.
@ispyinternet Did you get anywhere with this?
Haven’t had a chance to look yet
Further to this, it looks like GitHub now supports refresh tokens, but only through their beta program (at the moment). I'm not sure if you'd want to rely on this in production, since "features in the public beta are subject to change":
https://docs.github.com/en/free-pro-team@latest/developers/apps/refreshing-user-to-server-access-tokens
Anyway, it would be possible to extend the GitHub connector to request and return refresh tokens, but I'm still unclear on whether Cognito would use them.
@TimothyJones The link you last shared has provision to call for a new access token using the refresh token. But the link is for GitHub Apps and not an OAuth app. Also, I am not sure if I receive any refresh token from GitHub's side. Access tokens have some expiry period, right? Can you please help me with this?