Redirect to login screen when refresh_token expires #118
Comments
@mymattcarroll did you get anywhere with this? I just got the same problem with users being hit with
@kocur4d The only thing I could do was to check for the
Possible duplicate of #183
There is a small problem with this approach, maybe it is not common so it is not really a problem. I found a bit better solution last night, I think. The access token, when decoded, has a field What I can do is to add a small function on the page load and check if that time is longer than, let's say, 20 days and log the user off and redirect to the login page if it is. That would provide a bit better experience because it would only force a relogin on a page refresh. What do you think?
Our application is an SPA, so we cannot rely on page refreshes. However, checking
I would like some clarification on what should be happening in the SDK when a `refresh_token` has expired. I'm currently only testing this on my local machine but we have successfully implemented requesting and using a `refresh_token` to refresh `id_token`s and `access_token`s when the `access_token` expires.

We are currently experiencing some strange behaviour when the `refresh_token` expires. We have it set to only 1 day in the Cognito Console for development purposes and testing. When calling the `getSession()` function, the SDK gets to the `makePOSTRequest()` function which makes a request to the following:

As mentioned above this request is always successful when the `refresh_token` has not expired yet. However, when it has expired the response status code is `400` and the payload is as follows:

This results in the `userhandler.onFailure()` function being called with that response passed as the only argument (and not as an object but as a string).

Is this the desired behaviour? I can see in the `onSuccessRefreshToken()` function (that only gets called if the response status code is `200`), there is a check for an `error` property in the response payload and if it exists, the SDK redirects to the hosted login screen. Should the SDK be catching `400` response status codes and also redirecting to the hosted login page? It seems a bit unreasonable to have to handle expired `refresh_token`s manually.

If developers have to handle expired `refresh_token`s themselves, could the SDK be updated (happy to submit a pull request if required) to call the `userhandler.onFailure()` function with an `Error` object instead of a string.
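An added example, not part of the original issue and not the SDK's own code: one way an application can turn the string that `userhandler.onFailure()` receives into an `Error` and decide whether the user has to sign in again. The names `toAuthError`, `makeFailureHandler`, `redirectToLogin` and `report`, and the sample payload, are assumptions; `invalid_grant` is the OAuth 2.0 (RFC 6749) error code for a refresh token that is expired or revoked.

```javascript
// Constructed sample of a token-endpoint error body, delivered as a string.
// The payload from the original report is not shown on the page.
const SAMPLE_EXPIRED = '{"error":"invalid_grant"}';

// Error codes after which only a fresh login helps (assumption: RFC 6749
// "invalid_grant" is what an expired refresh_token produces).
const REAUTH_ERRORS = new Set(['invalid_grant']);

// Normalise whatever onFailure receives (string, object or Error) into an
// Error carrying a machine-readable `code` and a `requiresLogin` flag.
function toAuthError(failure) {
  if (failure instanceof Error) return failure;
  let body = failure;
  if (typeof failure === 'string') {
    try {
      body = JSON.parse(failure);
    } catch (_) {
      // Not JSON (for example an HTML error page from a proxy).
      body = { error: 'unparseable_response' };
    }
  }
  if (body === null || typeof body !== 'object') body = {};
  const code = typeof body.error === 'string' ? body.error : 'unknown_error';
  const err = new Error(code);
  err.code = code;
  err.requiresLogin = REAUTH_ERRORS.has(code);
  return err;
}

// Build a handler to assign as userhandler.onFailure. Both callbacks are
// supplied by the application (hypothetical names).
function makeFailureHandler({ redirectToLogin, report }) {
  return function onFailure(failure) {
    const err = toAuthError(failure);
    if (err.requiresLogin) {
      redirectToLogin(); // session cannot be refreshed: start a new login
    } else {
      report(err);       // transient or unexpected failure: do not log out
    }
    return err;
  };
}
```

Only the re-authentication codes trigger a redirect, so a network error or a malformed response does not sign the user out of an SPA mid-session.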