
Access / ID Tokens not getting refreshed #3355

Closed
3 of 14 tasks
PritamDutt opened this issue Jul 4, 2023 · 12 comments
Labels
auth Issues related to the Auth Category pending-community-response Pending response from the issue opener or other community members to-be-reproduced Issues that have not been reproduced yet, but have reproduction steps provided

Comments

@PritamDutt

Description

I am using Cognito Auth UserPool for managing users, and have configured AppClient with

  • ID Token Expiration of 5 minutes
  • Access Token Expiration of 5 minutes
  • Refresh Token Expiration of 30 minutes.

I have API Gateway set to use Cognito Authorizer pool, and I am further using Amplify.API to make REST api calls.

With the above scenario I am getting SessionExpiredException for any call executed after a gap of 5 minutes, which means that my access/ID tokens are not being refreshed on their own.

I have tried making a fetchAuthSession call before the API call, but that also is not of any help.

SessionExpiredException {
"message": "The tokens could not be refreshed",
"recoverySuggestion": "Invoke Amplify.Auth.signIn

Categories

  • Analytics
  • API (REST)
  • API (GraphQL)
  • Auth
  • Authenticator
  • DataStore
  • Notifications (Push)
  • Storage

Steps to Reproduce

No response

Screenshots

No response

Platforms

  • iOS
  • Android
  • Web
  • macOS
  • Windows
  • Linux

Flutter Version

3.10.2

Amplify Flutter Version

1.1.1

Deployment Method

Amplify CLI

Schema

No response
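As an added diagnostic example (not code from this issue or from the amplify-flutter project), the following Dart function exercises the path the report describes: fetch the session, optionally force a refresh, log the access token's expiry before and after, and handle the SessionExpiredException by re-authenticating through the Hosted UI. It assumes amplify_flutter/amplify_auth_cognito 1.x with Amplify already configured; the `claims.expiration` accessor on the token object is an assumption and should be checked against the installed package version.

```dart
// Added diagnostic example; not from the issue or the amplify-flutter project.
// Assumes amplify_flutter / amplify_auth_cognito 1.x and a configured Amplify
// instance. `tokens.accessToken.claims.expiration` is an assumed accessor.
import 'package:amplify_auth_cognito/amplify_auth_cognito.dart';
import 'package:amplify_flutter/amplify_flutter.dart';

/// Returns the raw access token, forcing a refresh when requested.
///
/// Logging the expiry on each call makes a missing refresh visible: if the
/// expiry does not move after forceRefresh, or the very first refresh after
/// sign-in throws SessionExpiredException, the refresh-token exchange is
/// failing rather than the tokens merely being close to expiry.
Future<String?> currentAccessToken({bool forceRefresh = false}) async {
  try {
    // The Cognito plugin returns a CognitoAuthSession, which exposes the
    // user pool tokens (access, ID and refresh).
    final cognitoPlugin = Amplify.Auth.getPlugin(AmplifyAuthCognito.pluginKey);
    final session = await cognitoPlugin.fetchAuthSession(
      options: FetchAuthSessionOptions(forceRefresh: forceRefresh),
    );
    final tokens = session.userPoolTokensResult.value;
    final expiry = tokens.accessToken.claims.expiration; // assumed accessor
    safePrint('access token expires at $expiry (forceRefresh=$forceRefresh)');
    return tokens.accessToken.raw;
  } on SessionExpiredException catch (e) {
    // The exception reported in this issue: the refresh token could not be
    // exchanged for new tokens. Fall back to the Hosted UI sign-in the
    // reporter uses, as the recoverySuggestion advises.
    safePrint('token refresh failed: ${e.message}; re-authenticating');
    await Amplify.Auth.signInWithWebUI(provider: AuthProvider.cognito);
    return null;
  } on AuthException catch (e) {
    safePrint('auth error: ${e.message}');
    return null;
  }
}
```

Calling `currentAccessToken()` once right after sign-in and again with `forceRefresh: true` gives the two data points the maintainers ask for later in the thread: whether the first refresh attempt fails, and whether the expiry actually advances when it succeeds.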

@PritamDutt
Author

On debugging I have learnt that the issue lies in the fact that DeviceKeys are not getting stored when using Cognito HostedUI to sign

@fjnoyp
Contributor

fjnoyp commented Jul 5, 2023

Hi @PritamDutt apologies you're dealing with this issue. Can you clarify how you configured the app client to have the expiration times you mentioned above? How did you determine that DeviceKeys were not being stored?

@PritamDutt
Author

Hi @fjnoyp,

  1. AppClient Token Times have been configured using AWS Cognito Console

  2. See the code below, where the DEVICE_KEY auth parameter is conditionally sent for REFRESH_TOKEN_AUTH:

    final deviceKey = deviceSecrets?.deviceKey;
    if (deviceKey != null) {
      b.authParameters[CognitoConstants.challengeParamDeviceKey] = deviceKey;
    }

  3. The Device Key is only saved in the case of in-app sign-in:

    await getOrCreate<DeviceMetadataRepository>().put(
      _user.username!,
      _user.deviceSecrets!.build(),
    );

@fjnoyp fjnoyp added auth Issues related to the Auth Category pending-triage This issue is in the backlog of issues to triage labels Jul 6, 2023
@Jordan-Nelson Jordan-Nelson added Investigating and removed pending-triage This issue is in the backlog of issues to triage labels Jul 6, 2023
@fjnoyp
Contributor

fjnoyp commented Jul 7, 2023

Hi @PritamDutt thank you for your detailed followup.

I am unable to reproduce, this is what I did:

  1. Created an app with Google social provider login using the amplify cli
  2. Set access/id token refresh to 5 minutes in AWS Cognito
  3. Used the auth/example app with Authenticator to login using Google social provider.
  4. Waited 5 minutes
  5. Called fetchAuthSession and observed new tokens.

Furthermore, while deviceId isn't saved in the hostedUI sign in/up flow, I validated internally that shouldn't be an issue.

The main issue you have seems to be that your refreshToken is not working, and isn't allowing you to get proper access/id tokens.

Can you please share which social provider service you are using and how you set it up?

Can you try setting up with Google as a provider to see if you have the same error again.

@PritamDutt
Author

There is a variation in my use case,

  1. I am not using Amplify Authenticator at all.

I am using Amplify.Auth.signInWithWebUI(provider: AuthProvider.cognito) for authentication.

  2. You have not enabled Device Tracking (screenshot attached)

  3. MFA is not enabled (screenshot attached)

With the above configuration, keep an eye on the REFRESH_AUTH_TOKEN IdP calls.
I hope you are able to reproduce the error with this configuration.

@fjnoyp
Contributor

fjnoyp commented Jul 7, 2023

Hi @PritamDutt thanks for sharing this information. The fact that you're using MFA is key, as we are currently working to support TOTP MFA within the Amplify Flutter library here:

#3146

I'll check internally later today to confirm if this would fix your issue. As mentioned in the pull request itself, it's a high priority for us though we have no firm timelines for a release.

@fjnoyp fjnoyp mentioned this issue Jul 7, 2023
14 tasks
@PritamDutt
Author

Maybe not @fjnoyp, as I see no change in the hosted UI flow there; all the changes appear to be done in the native SignIn flow.

But I may be wrong 😉

@dnys1
Contributor

dnys1 commented Jul 11, 2023

Hi @PritamDutt, I wasn't able to reproduce this either using the same settings as your backend.

Would you be able to share some more code around the Amplify methods you're using after logging in?

You mention that you suspect the reason for this is the lack of inclusion of a device key when refreshing the token. However, it is expected that when using Hosted UI no device key is present.

Can you confirm this happens on the very first refresh attempt after signing in and that the refresh token itself is not expired?

@fjnoyp fjnoyp added to-be-reproduced Issues that have not been reproduced yet, but have reproduction steps provided pending-triage This issue is in the backlog of issues to triage pending-community-response Pending response from the issue opener or other community members and removed pending-triage This issue is in the backlog of issues to triage labels Jul 11, 2023
@PritamDutt
Author

Hi @dnys1,

I can confirm that it happens on the first refresh attempt.

Regarding code, let me see what I can share. Would a curl of the generated HTTP request and its response help?

@fjnoyp fjnoyp removed their assignment Jul 11, 2023
@dnys1
Contributor

dnys1 commented Jul 12, 2023

Yes, that would help, thanks

@dnys1
Contributor

dnys1 commented Aug 2, 2023

Hi @PritamDutt, are you still experiencing this issue? Unfortunately, I could not reproduce it and will need your assistance to continue investigating. Please let me know; I'll be closing this issue in 7 days if I don't hear from you.

@dnys1
Contributor

dnys1 commented Aug 18, 2023

Closing as we haven't heard back. Please feel free to create a new issue if you continue to experience this problem.

@dnys1 dnys1 closed this as completed Aug 18, 2023