
Proactively refresh tokens

Open philip-zhang opened this issue 3 years ago • 6 comments

I'm using Amplify 1.8.1 for user authentication, and including access token and ID token in subsequent request headers for authorization, and it works just fine for the most part.

But when some user info updates need to be done, the backend calls the AdminUpdateUserAttributes method, which would update user info as well as ID token.

So now ID token in backend changes, but from iOS client perspective, its session could still be valid, and will provide me the cached tokens. Therefore, all subsequent requests to backend will fail with HTTP code 403, until the cached tokens in iOS client expire and get refreshed.

It would be great if I can initiate the token refresh process on demand from client side. (Or are there any alternative approaches to avoid getting stuck when backend updates user attributes?) Any help would be much appreciated!

philip-zhang avatar Apr 23 '21 03:04 philip-zhang

Hi, @philip-zhang

I wonder what's your use case with AdminUpdateUserAttributes.

With normal updateUserAttribute, this is not an issue.

For your use case, is user re-authentication going to work? Re-authenticate means sign out and sign in the user again.

ruiguoamz avatar May 03 '21 22:05 ruiguoamz

Proactively refreshing token is not currently supported in Auth category. We will take this as a feature request and update here when we have more info.

royjit avatar May 18 '21 15:05 royjit

> I wonder what's your use case with AdminUpdateUserAttributes

Hi @ruiguoamz, thanks for responding! Using AdminUpdateUserAttributes is a decision made by our backend team. I believe the main reason is to prevent those attributes from being maliciously/accidentally updated by anyone without the right authority.

philip-zhang avatar May 19 '21 09:05 philip-zhang

> Proactively refreshing token is not currently supported in Auth category.

Hi @royjit, thanks for responding! Actually I believe I've found a solution -- or at least a workaround -- for refreshing tokens from client side. In the AWSCognitoIdentityProvider pod, AWSCognitoIdentityUser.h, there is this method: [image]

It suits my use case, and as I tested, it works perfectly. To refresh token, I just need to call clearSession before fetching session:

```swift
// Clear session to trigger force refresh if indicated
if amplifyNeedsTokenRefresh {
    amplifyNeedsTokenRefresh = false
    AWSCognitoIdentityUserPool.default().currentUser()?.clearSession()
}
// Then call `fetchAuthSession`
...
```

Do you think it's a proper solution? Please let me know!

philip-zhang avatar May 19 '21 09:05 philip-zhang

This issue is stale because it has been open for 14 days with no activity. Please, provide an update or it will be automatically closed in 7 days.

github-actions[bot] avatar Jun 19 '21 00:06 github-actions[bot]

PR - https://github.com/aws-amplify/amplify-ios/pull/2141

royjit avatar Sep 21 '22 19:09 royjit

Force refresh of token is now available in v2.0.0

royjit avatar Oct 20 '22 02:10 royjit
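
For readers on v2.0.0 or later, the 403-after-attribute-update case from the original question can be handled with a single forced refresh and one retry. This is an added example, not code from this thread or from the Amplify project. It assumes Amplify Swift v2 with `AWSCognitoAuthPlugin` already configured and iOS 15+ for async `URLSession`; the helper names, the `Authorization` header and the retry-once policy are hypothetical.

```swift
import Foundation
import Amplify
import AWSCognitoAuthPlugin

enum TokenError: Error { case tokensUnavailable }

// Hypothetical helper: returns the ID token of the current session.
// With forceRefresh == true the cached tokens are bypassed and new ones
// are obtained using the refresh token.
func currentIDToken(forceRefresh: Bool) async throws -> String {
    let session: AuthSession
    if forceRefresh {
        session = try await Amplify.Auth.fetchAuthSession(options: .forceRefresh())
    } else {
        session = try await Amplify.Auth.fetchAuthSession()
    }
    guard let provider = session as? AuthCognitoTokensProvider else {
        throw TokenError.tokensUnavailable
    }
    // getCognitoTokens() returns a Result; get() throws if the user is signed out.
    return try provider.getCognitoTokens().get().idToken
}

// Hypothetical helper: sends a GET with the ID token and, if the backend
// answers 403, forces one token refresh and retries exactly once.
func authorizedData(from url: URL) async throws -> (Data, HTTPURLResponse) {
    var forceRefresh = false
    while true {
        let token = try await currentIDToken(forceRefresh: forceRefresh)
        var request = URLRequest(url: url)
        // Header name is an assumption; use whatever the backend expects.
        request.setValue(token, forHTTPHeaderField: "Authorization")

        let (data, response) = try await URLSession.shared.data(for: request)
        guard let http = response as? HTTPURLResponse else {
            throw URLError(.badServerResponse)
        }
        // A second 403 after a fresh token is a real authorization failure,
        // so it is returned to the caller instead of looping.
        if http.statusCode == 403 && !forceRefresh {
            forceRefresh = true
            continue
        }
        return (data, http)
    }
}
```

Limiting the retry to one attempt keeps a genuinely unauthorized request from triggering repeated refresh calls against the user pool.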