
Checking the access token.

Open skriebel opened this issue 8 years ago • 6 comments

I'm working on a proof of concept using Cognito via warrant as the auth mechanism on a web app. I'm able to auth and log out as expected, but .check_token() is always returning False.

I'm looking for an easy way to verify the token is still valid when checking the session. Any pointers?

skriebel avatar Sep 19 '17 17:09 skriebel

Are you using 0.4.0?

bjinwright avatar Sep 19 '17 18:09 bjinwright

https://github.com/capless/warrant/blob/3d6aa8c84841a1c7183f702ed7b4ad993c1ff37a/warrant/__init__.py#L255-L258 False is returned when a token is not expired and doesn't need to be renewed. True is returned when a token was renewed.

armicron avatar Sep 19 '17 18:09 armicron

@bjinwright oops, pip was installing 0.2.0 by default. I just updated to 0.4.0 -- same issues.

skriebel avatar Sep 19 '17 18:09 skriebel

@human39 I think @armicron's answer explains it pretty well. What is your token expiration set to?

bjinwright avatar Sep 19 '17 18:09 bjinwright

Thanks for the reply. Maybe I can illustrate what I'm doing.

This is the test code I'm working with.

from warrant import Cognito
import os
import pprint

# Credentials for the IAM principal that is allowed to call Cognito.
os.environ['AWS_DEFAULT_REGION'] = "us-west-2"
os.environ['AWS_ACCESS_KEY_ID'] = "<snip>"
os.environ['AWS_SECRET_ACCESS_KEY'] = "<snip>"

poolid = '<snip>'
clientid = '<snip>'
username = '<snip>'
passwd = '<snip>'

# Log in with username/password and keep the resulting access token.
u = Cognito(poolid, clientid, username=username)
u.authenticate(password=passwd)
accesstoken = u.access_token

# Verify that the token lets us fetch the user's attributes.
user = u.get_user()
pprint.pprint(user)

# Drop the client object, then re-attach to the same token (as a web app
# would do on a later request) and log out, which revokes the token.
u = None
u = Cognito(poolid, clientid, access_token=accesstoken)
u.logout()

# Drop the client again and re-attach with the now-revoked token.
u = None
u = Cognito(poolid, clientid, access_token=accesstoken)
# Expected to fail: Cognito rejects the revoked token.
user = u.get_user()

After logging out, the 'u.get_user()' fails with a message saying the token is revoked, which is what I expected. Looking to tie this in with a user's web session, I would like to have a method that I could call to see if the token is still valid. I guess I could just run a u.get_user() and then check the exception. I guess I was hoping there was another way.

Looks like I basically answered my own question, so I guess we can close this but I'm interested in hearing any ideas if anybody has them.

skriebel avatar Sep 19 '17 20:09 skriebel
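The two observations above (armicron's note that check_token() only reports whether a renewal happened, and skriebel's fallback of calling get_user() and catching the exception) combine into a usable session check. The example below is added here and is not warrant's code: it first reads the JWT's exp claim locally, which needs no network call and covers the expiry case check_token() is really about, and only then confirms the token has not been revoked by making a call Cognito rejects for revoked tokens, the way get_user() failed after logout() in the thread. The helper names (jwt_payload, token_expired, session_is_valid, make_unsigned_token), the stand-in client classes and the sample claims are all constructed for this example; the assumption that a revoked token surfaces as a botocore ClientError carrying error code NotAuthorizedException is matched by name so the block runs offline without botocore.

```python
"""Added example (not warrant's own code): decide whether a stored Cognito
access token still backs a live web session.

Two checks, cheapest first:
1. decode the JWT payload locally and compare `exp` to the clock (no network);
2. if not expired, confirm it is not revoked by making a call that Cognito
   rejects for revoked tokens, e.g. warrant's Cognito.get_user().

Assumption: a revoked token makes the boto3 call raise a ClientError whose
response carries error code NotAuthorizedException. botocore is deliberately
not imported so this runs offline; the error code is matched by name.
"""
import base64
import json
import time

# Error codes that mean "the session is dead" rather than "something broke".
REVOKED_ERROR_CODES = {"NotAuthorizedException"}


def jwt_payload(token):
    """Return the decoded JWT payload WITHOUT verifying the signature.

    Only for reading `exp`; it proves nothing about authenticity. Signature
    verification against the pool's JWKS must happen elsewhere.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_expired(token, now=None, leeway=0):
    """True when the exp claim is missing or will pass within `leeway` seconds."""
    now = time.time() if now is None else now
    exp = jwt_payload(token).get("exp")
    if exp is None:
        return True  # no expiry claim: treat as unusable
    return now >= exp - leeway


def session_is_valid(token, cognito_client, now=None):
    """Local expiry check first, then a server round trip for revocation.

    `cognito_client` is any object exposing get_user(), e.g. warrant's
    Cognito(pool_id, client_id, access_token=token). A rejection with a
    revocation-style error code means the session is gone; any other failure
    is re-raised because it says nothing about the token.
    """
    if token_expired(token, now=now):
        return False
    try:
        cognito_client.get_user()
    except Exception as exc:  # botocore.exceptions.ClientError at runtime
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code in REVOKED_ERROR_CODES:
            return False
        raise
    return True


# ---- constructed fixtures so the example runs without AWS ------------------

def make_unsigned_token(claims):
    """Build an unsigned header.payload.signature string (test fixture only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


class _LiveClient:
    """Stand-in for a warrant Cognito client whose token is still accepted."""
    def get_user(self):
        return {"Username": "alice"}


class _RevokedClient:
    """Stand-in for a client whose token was revoked by logout()."""
    def get_user(self):
        err = Exception("An error occurred (NotAuthorizedException): "
                        "Access Token has been revoked")
        err.response = {"Error": {"Code": "NotAuthorizedException"}}
        raise err


if __name__ == "__main__":
    live = make_unsigned_token({"sub": "abc", "exp": int(time.time()) + 3600})
    print(session_is_valid(live, _LiveClient()))     # True
    print(session_is_valid(live, _RevokedClient()))  # False (revoked)
    stale = make_unsigned_token({"sub": "abc", "exp": int(time.time()) - 1})
    print(session_is_valid(stale, _LiveClient()))    # False, no network call
```

In a web app the token_expired() check belongs on every request (cheap, and it is what lets you renew with the refresh token before the edge), while the get_user() round trip is worth doing only on sensitive actions or on a timer, since revocation is the only thing it tells you that the local check cannot.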

We are working on something similar here on Issue #12 of the Capless framework. I will let you know what we find.

bjinwright avatar Sep 19 '17 20:09 bjinwright