Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Amplify calling token endpoint to refresh token even when Implicit grant flow is used #1232

Closed
jiristanglica opened this issue Jul 13, 2018 · 2 comments · Fixed by #1277
Closed

Amplify calling token endpoint to refresh token even when Implicit grant flow is used #1232

jiristanglica opened this issue Jul 13, 2018 · 2 comments · Fixed by #1277
Labels
Auth Related to Auth components/category bug Something isn't working

Comments

@jiristanglica
Copy link

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

  1. Using the implicit grant flow (Amplify configured with Auth.oauth.responseType = 'token'), after redirection from Cognito Hosted UI the idToken and accessToken are correctly populated, refreshToken stays empty - as it is supposed to be:
    image
  2. After one hour, when the tokens expire, the wrong behaviour comes to the scene. Calling Auth.currentSession() will result in fetching the user session (Auth.ts:851 -> CognitoUser.js:1117) which I think contains the bad code. It loads the tokens from the localStorage and performs the validity (expiry) check (CognitoUser.js:1151).
  3. It finds out that the session has expired and checks if the refreshToken == null (CognitoUser.js:1156) in order to use it for the token refresh process. This is the wrong part. As you can see in the picture above, the refreshToken is not null but rather an empty string. This means that the check passes and the refresh token (the empty string) is used in the token endpoint call - and that results in a 400 - Bad Request ({"__type":"InvalidParameterException","message":"Missing required parameter REFRESH_TOKEN"}).

What is the expected behavior?

The check for refreshToken in the CognitoUser.js:1156 file should resolve to false and thus the call to the token endpoint should not be performed.

Which versions of Amplify, and which browser / OS are affected by this issue? Did this work in previous versions?

I'm using latest Chrome (Version 67.0.3396.99 (Official Build) (64-bit)) on Mac and latest Amplify version from npm (0.4.8).
@jordanranz jordanranz added investigating This issue is being investigated Auth Related to Auth components/category labels Jul 13, 2018
@powerful23 powerful23 added bug Something isn't working and removed investigating This issue is being investigated labels Jul 19, 2018
@powerful23
Copy link
Contributor

@Izzy26 thanks for your feedback! We will fix it ASAP.

@powerful23 powerful23 mentioned this issue Jul 19, 2018
Merged
@github-actions
Copy link

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 13, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Auth Related to Auth components/category bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(@aws-amplify/auth): add try cache for operations of auth storage powerful23/aws-amplify
3 participants
@jordanranz @powerful23 @jiristanglica