在Android中处理AWS User Pool + Fedration Identity令牌刷新系统

Question

Here is question which might be asked several times before but I am struggling to frame a query.

So aws cognito works as you have to pass the IDToken + authentication provider to cognito identity federation and it provides the temporary credentials valid for an hour. So what happens after an hour is, I get Authentication Exception.

Now I observed CognitoCachingCredentialProvider tries to refresh before performing given task let's say execute lambda or make dynamodb query. But what is a good way to handle expiry, intercept refresh, fetch token first and set it to credentialprovider and then continue refresh.

May it be UserPool IDToken or Google's IDToken, all I need to know is how to know if credentials are expired and I need to fetch the new IDTokens from providers and refresh credentials before processing the request.

I have tried hourly task (55 minutes actually) but sometimes it won't work and not very reliable so far.

Thanks

Answer 1

It's a bit tricky to get just right, but there's two common ways to handle it.

One is to do what you suggested - track when the token was vended, and then refresh if it's within some threshold of expiring (eg refresh if it's < 5 minutes from expiry).

The other is to blindly try to refresh, then catch the exception that gets thrown when a token is expired and refres/retry there. If you go this route, be careful to only retry once there so you don't spam the service if the request isn't just right.