Jiew Meng

Reputation: 88197

Why do Cognito tokens expire so quickly (15 mins) when used with federated identities

I want to use Cognito & Google login for my applications. I think the way to use that is federated identities?

I think I need to use GetId and GetOpenIdToken to get a Cognito token for my Google user? This works but

The OpenId token is valid for 15 minutes.

Why is this token expiry so short? Is it meant for such a use case - a normal REST API? I intend to use it with API Gateway.

UPDATE

I found http://serverless-stack.com/chapters/cognito-user-pool-vs-identity-pool.html to provide a useful explanation of Federated Identity vs User Pools. It's not the same thing as I thought.

Upvotes: 1

Views: 1184

Answers (1)

Jeff Bailey

Reputation: 5775

It's short lived because it's primarily intended to be passed back to get AWS credentials. If you're using the '3 hop', old flow, it's the response from GetOpenIdToken and given to AssumeRoleWithWebIdentity.

The recommended flow is to use the 'enhanced flow', which takes that out of the equation. The API GetCredentialsForIdentity gets the token and gets credentials in one API, never giving the token back. You can integrate with APIGW this way, via the credentials themselves.

Upvotes: 1
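The enhanced flow the answer recommends, as an added example (not the answerer's code): GetId followed by GetCredentialsForIdentity, with the Google ID token in the Logins map on both calls, so the 15-minute Cognito OpenID token is never handed to the application. It assumes boto3's cognito-identity method names on `client`; `FakeCognitoIdentity`, the pool ID and the token values are constructed stand-ins so it runs offline.

```python
"""Cognito identity pool 'enhanced flow': trade a Google ID token for
temporary AWS credentials with GetId + GetCredentialsForIdentity, so the
short-lived Cognito OpenID token never reaches the app (unlike the
GetOpenIdToken -> AssumeRoleWithWebIdentity hop). Added example, not the
answer's code. Assumes boto3 method names on `client`; FakeCognitoIdentity
is a constructed stub so this runs offline.
"""
from datetime import datetime, timedelta, timezone

GOOGLE_PROVIDER = "accounts.google.com"  # Logins map key for Google sign-in


def enhanced_flow_credentials(client, identity_pool_id, google_id_token):
    """Return (identity_id, credentials dict) via the enhanced flow."""
    # Same Logins map on both calls; Cognito verifies the Google token
    # server-side and maps the identity to the pool's authenticated role.
    logins = {GOOGLE_PROVIDER: google_id_token}
    identity_id = client.get_id(
        IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    resp = client.get_credentials_for_identity(
        IdentityId=identity_id, Logins=logins)
    return identity_id, resp["Credentials"]


def seconds_until_expiry(creds, now=None):
    """Seconds left on the temporary AWS credentials; re-run the flow with
    a fresh Google token before this reaches zero."""
    now = now or datetime.now(timezone.utc)
    return max(0, int((creds["Expiration"] - now).total_seconds()))


class FakeCognitoIdentity:
    """Constructed stand-in for boto3.client('cognito-identity')."""
    def __init__(self, lifetime_s=3600):
        self.calls, self.lifetime_s = [], lifetime_s

    def get_id(self, IdentityPoolId, Logins):
        assert GOOGLE_PROVIDER in Logins, "unauthenticated identities disabled"
        self.calls.append("GetId")
        return {"IdentityId": "us-east-1:00000000-fake-identity"}

    def get_credentials_for_identity(self, IdentityId, Logins):
        self.calls.append("GetCredentialsForIdentity")
        exp = datetime.now(timezone.utc) + timedelta(seconds=self.lifetime_s)
        return {"IdentityId": IdentityId, "Credentials": {
            "AccessKeyId": "ASIAFAKE", "SecretKey": "fake-secret",
            "SessionToken": "fake-session", "Expiration": exp}}
```

Replace `FakeCognitoIdentity()` with `boto3.client("cognito-identity", region_name=...)` to run it against a real pool; the returned credentials are what you sign API Gateway (IAM-authorized) requests with.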
