Aws-sdk-js: Cognito identities are cached per-pool but not per user
AWS.CognitoIdentityCredentials will not fetch a Cognito ID if one is already cached. But since IDs are keyed only on the identity pool ID, only one ID can be cached per-pool. This may cause ID/login token mismatches if an application has multiple users that authenticate using the same browser.
Example
My application, for instance, uses Google as an identity provider. My application runs inside of Gmail, so it is common for users to have multiple instances of the application running at a time鈥攐ne per Gmail account. If the user uploads a file to S3 from their [email protected] account, they will succeed and the ID of joe1 will be cached. But if the user then tries to upload a file to S3 from their [email protected] account, they will fail because the SDK will try to authenticate joe1's identity using joe2's login token.
Fix
To fix this, I suggest that the AWS.CognitoIdentityCredentials cache space be subdivided by means of a new parameter LoginHint provided to the constructor. The value of LoginHint should differ by user; perhaps it could be the user's email address:
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: ...,
Logins: ...,
LoginHint: '[email protected]'
});
That parameter would supplement the cache key like so:
this.storage[this.localStorageKey[key] + this.params.IdentityPoolId + (this.params.LoginHint || '')] = val;
I'm glad to submit a PR if you like this approach.
wearhere
All 7 comments
In the meantime, a workaround is to call clearCachedId before using an AWS service. But because clearCachedId is an instance method and it doesn't clear the instance's information you've got to re-initialize the instance after clearing the cache:
var credentialParams = { IdentityPoolId: ..., Logins: ... };
var credentials = new AWS.CognitoIdentityCredentials(credentialParams);
credentials.clearCachedId();
credentials = new AWS.CognitoIdentityCredentials(credentialParams);
AWS.config.credentials = credentials;
// Now you can use S3 or whatever.
var bucket = new AWS.S3;
Thanks @chrisradek! It looks like this will make it into v2.2.11?
wearhere
on 16 Oct 2015
@wearhere
Yes, this will be available in the next release. Thanks for requesting this feature and for your feedback!
chrisradek
on 16 Oct 2015
I have used the suggestion of @wearhere and it worked.
aaaguirrep
on 16 Apr 2018
@aaaguirrep What suggestion did you use that worked? Was it the LoginHint?
alexjfno1
on 11 Jul 2018
@alexjfno1 LoginId was the new field added to the AWS.CognitoIdentityCredentials definition
gregkowalski
on 21 Nov 2018
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.
![lock[bot] picture](https://avatars.githubusercontent.com/in/6672?v=4&s=40)
lock[bot]
on 29 Sep 2019
Related issues
pocari
路
3Comments
arogulin
路
3Comments
bhishp
路
4Comments
michaelwittig
路
3Comments
ranode
路
4Comments
Most helpful comment
In the meantime, a workaround is to call
clearCachedIdbefore using an AWS service. But becauseclearCachedIdis an instance method and it doesn't clear the instance's information you've got to re-initialize the instance after clearing the cache: