Is there a way to manually expire a session token used by Cognito so we force Cognito to refresh the token? Expiry date is not configurable and waiting an hour for the token to expire is a lot of time wasted when debugging.
The issue we are having is that for each request through AWS API Gateway we need to get credentials (accessKeyId, secretAccessKey, sessionToken), and after an hour of inactivity this request for credentials (AWS.config.credentials.get) will return an error (Access to Identity XXX is forbidden) and refreshes the credentials in the next request. But the API Gateway call that resulted in Access to Identity XXX is forbidden is never made (because it failed on retrieving the credentials). We'd like to implement logic that would wait for the credentials to be reloaded and then continue with the API Gateway request, but for that we'd need an easy way to invalidate the session token (or to simulate this in another way).
Thanks!
@patrik-piskay
Are you looking to manually refresh CognitoIdentityCredentials? You could call the refresh method directly instead of get. Behind the scenes, get checks if the credentials have expired (based on expiry date) prior to calling refresh, but calling refresh directly bypasses that check.
Hi @chrisradek, no, refreshing is not the problem.
The problem for us is that we need to call get before we do any API Gateway request. And that get request will _sometimes_ fail because the token has expired. In that case the credentials will get renewed in the next request and only after that can we continue with the API Gateway request.
But not being able to set the expiry time manually means that if we want to handle this "get request -> request failed -> credentials renewed -> API Gateway call" scenario, we have to wait 1 hour to be able to do that.
@patrik-piskay
Ah ok, for CognitoIdentityCredentials, the reason refresh isn't working for your case is due to the way this provider caches the IdentityId.
You can manually clear the cache by calling AWS.config.credentials.clearCachedId(). The provider is doing this internally when it gets a 'NotAuthorizedException' error, which is why the next get works.
Thanks @chrisradek, but this doesn't seem to do what we are expecting. We'd like to control (for dev purposes only) when we get the 403 Access to Identity XXX is forbidden response from Cognito's credentials.get call. Currently we get this only once an hour.
@patrik-piskay
I think I misunderstood before. Do you actually want this error to occur more frequently than it currently does?
Sorry if it wasn't clear, but yes, that's exactly it! So it is easier for us to handle this scenario (which we already did, but testing it in the future will require us to wait 1 hour to test it again).
The solution would be to have this expiration time configurable, or an API to invalidate the token.
So, the error you're seeing is coming from a service, it isn't one that the SDK itself generates. The token the service (either CognitoIdentity or STS, depending on the params you used) generates has its own expiration. If you manually overwrite the expireTime for the credentials, that will just cause the provider to pre-emptively refresh the credentials, so that error isn't seen.
If you take a look at the params passed into the CognitoIdentityCredentials constructor, you'll notice that STS.assumeRoleWithWebIdentity is one of the operations the provider calls when you provide a roleArn. If you are doing this, you could provide DurationSeconds, which determines how long the credentials are valid for. I believe the lowest you can specify is 900 seconds, or 15 minutes.
Otherwise, you'd need to find a way to mock the behavior you want. There isn't anything else we can do from the SDK side to cause the service to return this error.
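One way to do the mocking suggested above, as an added example that is not from the aws-sdk-js project or from anyone in this thread: a small retry wrapper that uses only the SDK methods named here (credentials.get(cb), credentials.refresh(cb), credentials.clearCachedId() and the expireTime property), plus a constructed stand-in for AWS.CognitoIdentityCredentials so the "get fails -> cache cleared -> retry -> API Gateway call" path can be driven in a test instead of waited for. The mock, its identity id strings, the 403 status and the callApi placeholder are all assumptions; the real provider is not used.

```javascript
// Added example, not code from the aws-sdk-js project. The wrapper relies only on
// the SDK calls discussed in the thread: get(cb), refresh(cb), clearCachedId() and
// the expireTime property. The mock below is constructed for offline testing and
// stands in for AWS.CognitoIdentityCredentials.

// Service-side rejection of a stale identity, matched on the code the thread names
// and, as a fallback, on the message text it quotes.
function isStaleIdentityError(err) {
  if (!err) return false;
  if (err.code === 'NotAuthorizedException') return true;
  return /Access to Identity .* is forbidden/i.test(err.message || '');
}

// get() with one retry after the stale-identity error. cb(err, credentials).
function getCredentialsWithRetry(credentials, cb, attempt = 0) {
  credentials.get((err) => {
    if (!err) return cb(null, credentials);
    if (attempt >= 1 || !isStaleIdentityError(err)) return cb(err);
    // The provider clears its cached IdentityId on NotAuthorizedException itself;
    // clearing here too keeps the retry correct even if that internal path changes.
    if (typeof credentials.clearCachedId === 'function') credentials.clearCachedId();
    getCredentialsWithRetry(credentials, cb, attempt + 1);
  });
}

// Only issue the request once credentials are known good.
// callApi(credentials, cb) is a placeholder for the caller's signed API Gateway call.
function callWithFreshCredentials(credentials, callApi, cb) {
  getCredentialsWithRetry(credentials, (err, creds) => {
    if (err) return cb(err);
    callApi(creds, cb);
  });
}

// Constructed stand-in for AWS.CognitoIdentityCredentials (dev/test only).
class MockCognitoCredentials {
  constructor(clock, ttlMs = 3600 * 1000) {
    this.clock = clock;                 // () => current time in ms
    this.ttlMs = ttlMs;
    this.expireTime = new Date(0);      // already expired: first get() refreshes
    this.identityId = null;             // the cached IdentityId
    this.rejectedIdentityId = null;     // id the "service" now refuses
    this.nextId = 1;
    this.refreshCount = 0;
    this.clearCount = 0;
  }
  needsRefresh() { return this.expireTime.getTime() <= this.clock(); }
  get(cb) { return this.needsRefresh() ? this.refresh(cb) : cb(null); }
  refresh(cb) {
    this.refreshCount += 1;
    if (this.identityId && this.identityId === this.rejectedIdentityId) {
      const err = new Error(`Access to Identity '${this.identityId}' is forbidden.`);
      err.code = 'NotAuthorizedException';
      err.statusCode = 403;             // status as reported in the thread (assumed)
      return cb(err);
    }
    if (!this.identityId) this.identityId = `us-east-1:mock-identity-${this.nextId++}`;
    this.expireTime = new Date(this.clock() + this.ttlMs);
    cb(null);
  }
  clearCachedId() { this.clearCount += 1; this.identityId = null; }
  // Dev-only switch: the hour-long wait from the thread, made immediate.
  simulateExpiredIdentity() {
    this.rejectedIdentityId = this.identityId;
    this.expireTime = new Date(0);
  }
}

// Runs the three cases discussed in the thread and returns what happened.
function runExpiryScenario() {
  const now = 1700000000000;
  const creds = new MockCognitoCredentials(() => now);
  const apiIdentities = [];
  const callApi = (c, cb) => { apiIdentities.push(c.identityId); cb(null, { status: 200 }); };
  const outcomes = [];
  const record = (err, res) => outcomes.push(err ? err.code : res.status);

  callWithFreshCredentials(creds, callApi, record);  // 1: cold start, one refresh
  creds.expireTime = new Date(0);                    // 2: overwriting expireTime ...
  callWithFreshCredentials(creds, callApi, record);  //    ... only pre-empts a refresh
  creds.simulateExpiredIdentity();                   // 3: service rejects the cached id
  callWithFreshCredentials(creds, callApi, record);  //    -> cleared, retried, API called
  return { outcomes, apiIdentities, refreshCount: creds.refreshCount, clearCount: creds.clearCount };
}
```

Case 2 is the point made above: setting expireTime in the past makes get() refresh early, but the refresh succeeds, so the forbidden error never appears. Case 3 is the only way to see it: the service has to reject the cached IdentityId, which is what simulateExpiredIdentity() fakes. Note that the wrapper only covers the get() step; a request that is already in flight when the hour elapses still needs its own retry on the API Gateway side.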
Cheers @chrisradek!
Hi @patrik-piskay ,
Can you please share the code showing how you specify the timeout?
Have there been any updates on this from the SDK side? We are currently also looking for a way to handle scenarios where the AWS credentials expire and to handle them appropriately. For dev purposes it would be super nice to be able to set expireTime to something around 30 sec.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.