Aws-sdk-js: add option to cache cognito identity session credentials in local storage

Created on 17 Aug 2016 · 8 Comments · Source: aws/aws-sdk-js

Hi,

Currently, the session is stored in memory only, so every page refresh (even within the validity period of the session) requires network calls to gain new session credentials.

Is it possible to add an option to store the session data in local storage as well (in addition to the identity) in order to prevent network calls for new credentials between page refreshes? Or am I missing something?

Thanks

feature-request

All 8 comments

To clarify, I'm using it with the amazon-cognito-identity-js where the session tokens are being cached.

Hi @borisirota
Thanks for your question. To clarify, is this a question/request for the amazon-cognito-identity-js SDK, or for the AWS SDK? If the amazon-cognito-identity-js SDK is already caching the session credentials in local storage, could you clarify why the AWS-SDK would also need to repeat those actions? Thanks.

Hi @LiuJoyceC thanks for your quick reply.

Basically this is a request for the aws-sdk :)

We are talking about 2 different tokens and both needed.

The amazon-cognito-identity-js is used as a 3rd party identity provider, so once the user is authenticated with such a service, he should pass the identity provider token to the CognitoIdentityCredentials so the getCredentialsForIdentity call will get an access token to the AWS services.

The thing is that the token received from the getCredentialsForIdentity is valid for one hour but stored in memory only, so every page refresh within the validity period of the token requires a new call to the AWS servers in order to get a new access token (even though the old one could be used if it was cached and a network call could be avoided).
This is a drawback in the user experience in use cases where the authentication is client side only (e.g. static site) and every reload requires network calls which can be avoided if a cache was used. There is no issue when using this SDK on the server side, so my request is for the client side only (Local Storage).

The login flow I'm using is client side:

  1. Login to a 3rd party identity provider (Facebook, Google, Cognito user pool, etc.) - these SDKs (at least the amazon-cognito-identity-js) cache the tokens and make a network call only if the token is invalid.
  2. Use the token from step 1 and pass it to CognitoIdentityCredentials in order to get a token to access AWS services - no cache, and a network call always happens.

If there was a cache in both steps there would be no need for network calls for logged-in users within the validity period of the tokens, and this could improve the user experience.

Thanks

I'm having a similar issue. Is there a reasonable workaround in the meantime? Can we easily cache the AWS credentials in local storage and, upon reload, check if they are still valid, and reuse them if so without the additional network call?

I think if this were to be added to the SDK, credentials would need to be stored in session storage rather than local storage due to the sensitive nature of AWS credentials.

@lrettig I'm not sure there's a reasonable workaround. You could manually save the accessKeyId, secretAccessKey, sessionToken, and expireTime properties from an instance of AWS.CognitoIdentityCredentials in an object in session storage, but I would need to do more research on how session storage is implemented in the browsers the SDK supports before I could say if it's recommendable to store credentials.
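The following is an added example, not code from aws-sdk-js or from anyone in this thread. It implements the workaround sketched in the comment above (persist the four properties `accessKeyId`, `secretAccessKey`, `sessionToken` and `expireTime`, and on reload reuse them only while they are still valid) for the two-step client-side flow described earlier in the thread, using session storage rather than local storage as the earlier comment suggests. The cache key name, the 60-second safety margin before `expireTime`, the `Storage`-like interface (`getItem`/`setItem`/`removeItem`, which `window.sessionStorage` satisfies), the `fetchFresh` callback standing in for the real asynchronous `credentials.get()` call, and the sample credential values are all assumptions constructed for the example; the in-memory storage stub exists only so the code runs outside a browser.

```javascript
// Added example (not aws-sdk-js code): reuse temporary Cognito Identity
// credentials across page reloads while they are still valid, so that a
// reload inside the one-hour validity window needs no network call.

const CACHE_KEY = 'cognito-identity-credentials'; // assumed key name
const SAFETY_MARGIN_MS = 60 * 1000;                // assumed: treat creds expiring within 60 s as stale

// Minimal stand-in for window.sessionStorage (constructed so the example runs in Node).
// In a browser, pass window.sessionStorage instead.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Persist the four properties named in the thread from a credentials object
// (shape of AWS.CognitoIdentityCredentials after a successful get()).
function saveCredentials(storage, creds) {
  if (!creds || !creds.expireTime) return false;
  const record = {
    accessKeyId: creds.accessKeyId,
    secretAccessKey: creds.secretAccessKey,
    sessionToken: creds.sessionToken,
    expireTime: new Date(creds.expireTime).toISOString(),
  };
  storage.setItem(CACHE_KEY, JSON.stringify(record));
  return true;
}

// Return the cached record if it is present, complete and not within
// SAFETY_MARGIN_MS of expiry; otherwise drop the entry and return null.
function loadCredentials(storage, now = Date.now()) {
  const raw = storage.getItem(CACHE_KEY);
  if (raw === null) return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch (e) {
    storage.removeItem(CACHE_KEY); // corrupt entry: never trust it
    return null;
  }
  const expireMs = Date.parse(record.expireTime);
  const complete = record.accessKeyId && record.secretAccessKey && record.sessionToken;
  if (!complete || Number.isNaN(expireMs) || expireMs - SAFETY_MARGIN_MS <= now) {
    storage.removeItem(CACHE_KEY); // incomplete, expired, or about to expire
    return null;
  }
  return { ...record, expireTime: new Date(expireMs) };
}

// Page-load decision: serve from cache when possible, otherwise call
// fetchFresh() (stands in for the Cognito getCredentialsForIdentity round
// trip, which is asynchronous in the real SDK) and cache its result.
// The returned record can be handed to e.g. `new AWS.Credentials({...})`
// (assumed usage) instead of calling credentials.get() again.
function resolveCredentials(storage, fetchFresh, now = Date.now()) {
  const cached = loadCredentials(storage, now);
  if (cached) return { source: 'cache', credentials: cached };
  const fresh = fetchFresh();
  saveCredentials(storage, fresh);
  return { source: 'network', credentials: fresh };
}

// Call on logout so the tab does not keep usable credentials around.
function clearCredentials(storage) {
  storage.removeItem(CACHE_KEY);
}

// Stand-alone demo with constructed placeholder values (not real credentials).
function demo() {
  const storage = memoryStorage();
  const t0 = Date.UTC(2016, 7, 17, 12, 0, 0); // constructed "now"
  const sample = {
    accessKeyId: 'ASIAEXAMPLEKEYID',
    secretAccessKey: 'EXAMPLE-SECRET-KEY',
    sessionToken: 'EXAMPLE-SESSION-TOKEN',
    expireTime: new Date(t0 + 60 * 60 * 1000), // one hour, as the thread states
  };
  let networkCalls = 0;
  const fetchFresh = () => { networkCalls += 1; return sample; };
  resolveCredentials(storage, fetchFresh, t0);                   // first load: network
  resolveCredentials(storage, fetchFresh, t0 + 5 * 60 * 1000);   // reload 5 min later: cache
  resolveCredentials(storage, fetchFresh, t0 + 59.5 * 60 * 1000); // inside margin: network
  return networkCalls;
}
```

The record is kept in `sessionStorage` deliberately: it is scoped to the tab and cleared when the tab closes, which matches the concern raised above about the sensitivity of AWS credentials, whereas `localStorage` persists across browser restarts and is shared by every tab of the origin. The safety margin avoids handing out a key that will expire before the first signed request completes, and a corrupt or incomplete entry is discarded rather than partially trusted.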

Here are some more helpful threads I turned up while researching this:

I suppose this is not an issue for an SPA, unless/until the user hits reload or back or something. Another option may be to store the creds using a query string so they persist (ex.: http://stackoverflow.com/a/38986143/2397068).

Thanks :)

Closing the issue since the feature was implemented.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.
