Comments (7)
Might make a parameter out of that 10 min thing, instead of hardcoding it like this.
from cloudfront-authorization-at-edge.
I'm also working with the AWS Support crew on this -- after reiterating how auth@edge works, their engineer suggested:
Hopefully this helps clear the doubts of the occurrence you are seeing. It also confirms what you said that because of the session duration of the cookies generated by the Lambda@Edge function, the access token duration you set in Cognito is basically not taking effect even though Cognito is actually retiring the token.
If I understand that right, there might be two issues, not just one.
- The original issue ... a problem in the 1.2.1 version of a@e (unknown for 1.3 at this time) that prevents it from dealing with a cognito that is custom-configured for a timeout.
- Another different but related issue suggested by the quote above ... that the cookie generated by a@e does not yet respect the possibly reduced (or extended) values in Cognito client
I wonder how many of these issues will be less of an issue with the 1.3 version of a@e, possibly if we bring the cognito user pool out of the framework and into the calling cloudformation. Ideas welcome and I'll start to look at that once time permits.
from cloudfront-authorization-at-edge.
5 mins timeout for the tokens, that is not gonna work with this solution, because auth@edge is currently coded to refresh tokens when they would expire in the next 10 mins. This is to prevent the tokens from becoming expired, instead of waiting for that to happen first.
cloudfront-authorization-at-edge/src/lambda-edge/check-auth/index.ts
Lines 30 to 32 in 97788d8
So then you'd get into a loop situation, where tokens would be refreshed always. This might lead to unexpected errors, as the one you're seeing.
Do you really need 5 mins? What is the idea there?
from cloudfront-authorization-at-edge.
Sure. It's less of a problem than it looks. The idea was that in testing refresh scenarios it's important to get a short turn-around time. Anything better than an hour is ... better than an hour! So 12 minutes would do nearly as well as 5. And a parameter wouldn't hurt.
from cloudfront-authorization-at-edge.
I experienced the infinite loop as well after switching id tokens and access tokens to 5 minutes during testing. I would also expect the hardcoded 10 min to be configurable (all the way down to 1 min, because I feel lucky with worldwide, cross-region clock synchronization :) ).
from cloudfront-authorization-at-edge.
I would also expect the hardcoded 10 min to be configurable (all the way down to 1 min)
Do send a PR for it if you'd like to get hands dirty.
from cloudfront-authorization-at-edge.
In #184 it was implemented that "Refreshing of tokens is no longer performed ahead of time, but rather now 'lazily' when needed."
This works better with short JWT expiration.
from cloudfront-authorization-at-edge.
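To make the loop described above concrete, here is an added simulation (not the project's own check-auth code) of the two refresh policies discussed in this thread: the old ahead-of-time rule that refreshes whenever a token would expire within a fixed lookahead window, and the lazy rule from #184 that refreshes only once the token has actually expired. Tokens are modelled as a constructed `{ exp }` payload, with `exp` in seconds like the JWT claim.

```typescript
// Added example (not from cloudfront-authorization-at-edge). Models only the
// refresh decision; JWT verification and the Cognito round trip are out of scope.
interface Token {
  exp: number; // expiry, seconds since epoch (mirrors the JWT `exp` claim)
}

// Constructed token: Cognito would issue this with its configured lifetime.
function issueToken(nowS: number, lifetimeS: number): Token {
  return { exp: nowS + lifetimeS };
}

// Ahead-of-time policy: refresh when the token expires within `lookaheadS`.
// With a hardcoded 10-minute lookahead and a 5-minute token lifetime this is
// true on every request, so every request triggers a refresh.
function needsRefreshAhead(token: Token, nowS: number, lookaheadS: number): boolean {
  return token.exp - nowS < lookaheadS;
}

// Lazy policy (the #184 behaviour): refresh only once the token has expired.
function needsRefreshLazy(token: Token, nowS: number): boolean {
  return token.exp <= nowS;
}

// Guard for a configurable lookahead: it must be shorter than the token
// lifetime, otherwise a freshly issued token already qualifies for refresh.
function lookaheadIsSafe(lifetimeS: number, lookaheadS: number): boolean {
  return lookaheadS >= 0 && lookaheadS < lifetimeS;
}

type Policy = (token: Token, nowS: number) => boolean;

// Simulate `requests` requests spaced `intervalS` apart against tokens issued
// with `lifetimeS`, and count how many requests end up refreshing.
function countRefreshes(policy: Policy, lifetimeS: number, requests: number, intervalS: number): number {
  let now = 0;
  let token = issueToken(now, lifetimeS);
  let refreshes = 0;
  for (let i = 0; i < requests; i++) {
    if (policy(token, now)) {
      refreshes++;
      token = issueToken(now, lifetimeS); // freshly issued replacement
    }
    now += intervalS;
  }
  return refreshes;
}
```

With a 5-minute lifetime and the 10-minute lookahead, every one of 10 requests refreshes (the loop from the thread); the lazy policy over 20 one-minute requests refreshes only 3 times, at the 5-minute marks.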