Amplify-js: Manually set refresh token

Created on 26 Mar 2020 · 6 Comments · Source: aws-amplify/amplify-js

Which Category is your question related to?

Auth

What AWS Services are you utilizing?

Cognito

Provide additional details e.g. code snippets

We're building a custom authentication flow where the user will get a refresh token (generated from a Cognito user pool) externally from Amplify. What is the easiest way of passing that refresh token into Amplify?

I was hoping to find something like Auth.setRefreshToken(), so that we could then use functions like Auth.currentUser() out of the box, but I can't find something like that in the docs.

Am I missing something?

Auth feature-request needs-discussion

Most helpful comment

Our team is having similar issues. We would like to be able to ingest a refresh token between apps for an SSO solution. Here is a reference to our Amazon support ticket:

Case ID 7031693371
https://console.aws.amazon.com/support/home#/case/?displayId=7031693371&language=en

Summary of problem:

We have multiple apps under the Ellen umbrella on which we want to implement an SSO flow using Cognito User Pool (federation enabled for Facebook, Google etc.), but we would not want to use the Cognito hosted UI since we have a few custom flows to complete the authentication for the user before they enter their credentials and after the authentication is completed. We want to spin up our own standalone app (preferably using Amplify) which would handle the authentication using CUP and finally redirect the Cognito tokens to the calling app.

We were wondering if there is an option to be able to control the callback url without using the Cognito hosted UI.

Applications that require authentication:
Application A: www.ellentube.com
Application B: www.anotherellenapp.com

Application that handles authentication:
Application C: auth.ellentube.com

Flow:
Step 1: User starts at one of our applications and clicks a sign-in link
A Or B --> C
Step 2: User authenticates at C and is redirected back to A/B with authentication tokens
C --> A or B (depending on the source requesting the authentication)

Code on application C: Auth.signIn(username, password);
This method will sign in a user on C but doesn't redirect to A/B or D with tokens.

We are having trouble at Step 2. We are currently unable to leverage OAuth callbacks from our authentication app without navigating to Cognito hosted UI.

We had a call with Amazon support and were instructed to pass the refresh token between our applications, but it is not sufficient to log a user in without the id Token and the access token.

All 6 comments

Hi @tschoffelen

This is currently not supported, but one thing you can try is to look into localStorage for the key where it is stored:

https://github.com/aws-amplify/amplify-js/blob/16b669541e55452091db5944fd8c73503312a319/packages/amazon-cognito-identity-js/src/CognitoUser.js#L1323-L1328

Okay, that's a shame. Is this not a use case that you expect to come across more often?

@cardinalm7 how did you solve this? I've got the same requirement

Hey @mbsimonovic
We ended up creating a backend API which exchanges tokens for an authorization_code saved to a Redis cluster, and used PKCE and state to secure the exchange to mirror the oauth2 spec, essentially using our app as a token broker.

There are other solutions that could have worked... Amplify uses 4 local storage keys to create its session, refresh token, id token, device key, and I can't remember the other key... easy to discover by removing the keys and seeing if Amplify can authenticate.

If you can transfer these values from one app to the other (perhaps with a query param or a custom API), then you can transfer the session. I recommend using the most secure version of the solution if you are passing tokens around.

Some helpful tips that I wish someone explained to me at the beginning of my oauth journey:

Auth.currentSession will refresh the user's id and access token ONCE their tokens expire.
After working with Amplify, I think it's not worth the headache it caused... if you go the Amazon Cognito route, you will have more control overall.

I hope this was helpful!
Michael

@tschoffelen @mbsimonovic @cardinalm7

I will mark this issue as a feature request.

Thanks for all the feedback
