 

Cognito - does cognito automatically store the tokens locally?

I'm new to Cognito. I'm using user pools and call userPool.getCurrentUser() to get the current user and then getSession() to get the idToken, accessToken and refreshToken. As I understand it, these are stored automatically in local storage by Cognito (as confirmed by being able to access these tokens even if there is no internet connection).

I'd appreciate some clarification on the following 3 questions:

Question 1) I presume these tokens were stored by Cognito when the user was last authenticated (so they will expire as per their defaults)?

Question 2) The documentation states: "We strongly recommended that you secure all three tokens in transit and storage in the context of your application." Why should we store them when Cognito is already storing them locally?

Question 3) If Cognito is storing the tokens locally, do we have to do anything to ensure that they are stored securely?

Clive Sargeant asked Oct 29 '25 18:10


1 Answer

1) Yes, they were stored by Cognito when the last user authenticated, and yes, they will expire based on the defaults, or by configuration for the refresh token.

2) It's just that if someone gets your valid access token, they have access to your account. So I would assume it's just a security recommendation on how to handle the tokens.

3) You now have the option to pass your own storage to the Cognito objects depending on your application's needs, so you don't need to use local storage at all.

Ionut Trestian answered Nov 02 '25 08:11
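Added example, not code from the question, the answer or AWS: what "passing your own storage" from point 3 looks like, and how the expiry behaviour from point 1 can be checked on the client. The `Storage` constructor option of amazon-cognito-identity-js is real; the storage object just needs the same getItem/setItem/removeItem/clear methods the library would otherwise call on window.localStorage. The `CognitoIdentityServiceProvider.<clientId>.<username>.<tokenName>` key layout is an assumption based on the library's source, and the pool ID, client ID, username and the JWT itself are constructed placeholders.

```javascript
'use strict';
// Added example (not from the original post or AWS): an in-memory drop-in for
// window.localStorage usable as the `Storage` option of amazon-cognito-identity-js,
// plus a client-side expiry check on a cached token. IDs/tokens are placeholders.

// Only the four methods the library calls on window.localStorage are needed.
// Tokens kept here vanish when the tab closes and are not exposed through
// localStorage to other scripts on the same origin (the trade-off: no
// persistence across reloads, the user must sign in again).
class MemoryStorage {
  constructor() { this.items = new Map(); }
  setItem(key, value) { this.items.set(key, String(value)); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  removeItem(key) { this.items.delete(key); }
  clear() { this.items.clear(); }
}

// How it plugs in (not executed here; needs the package installed):
//   const { CognitoUserPool } = require('amazon-cognito-identity-js');
//   const userPool = new CognitoUserPool({
//     UserPoolId: 'us-east-1_EXAMPLE',  // placeholder
//     ClientId: 'exampleclientid',       // placeholder
//     Storage: new MemoryStorage(),
//   });

// Key layout the library uses when it caches a session. Assumption based on
// the library source; shown so you can see what actually lands in storage.
function cognitoKeys(clientId, username) {
  const prefix = `CognitoIdentityServiceProvider.${clientId}`;
  return {
    lastAuthUser: `${prefix}.LastAuthUser`,
    idToken: `${prefix}.${username}.idToken`,
    accessToken: `${prefix}.${username}.accessToken`,
    refreshToken: `${prefix}.${username}.refreshToken`,
  };
}

function base64UrlEncode(s) {
  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}

// Structurally valid JWT with a dummy signature: offline test data only.
function makeTestToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.dummysignature`;
}

// Reads the payload WITHOUT verifying the signature. Fine for deciding whether
// a cached token needs refreshing; never a substitute for the signature and
// issuer/audience checks your backend must do before trusting any claim.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

function isTokenExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== 'number' || nowSeconds >= exp;
}

// Simulates what a login leaves behind (id/access tokens valid 1 hour, the
// Cognito default) two hours later, then inspects the cache.
function demo(nowSeconds) {
  const storage = new MemoryStorage();
  const keys = cognitoKeys('exampleclientid', 'alice');
  const issued = nowSeconds - 7200;
  const claims = { sub: 'alice', iat: issued, exp: issued + 3600 };
  storage.setItem(keys.lastAuthUser, 'alice');
  storage.setItem(keys.idToken, makeTestToken(claims));
  storage.setItem(keys.accessToken, makeTestToken(claims));
  storage.setItem(keys.refreshToken, 'opaque-refresh-token-placeholder');

  const result = {
    cachedUser: storage.getItem(keys.lastAuthUser),
    idTokenExpired: isTokenExpired(storage.getItem(keys.idToken), nowSeconds),
    // Whatever can read the storage reads the refresh token verbatim: this is
    // the exposure the documentation's "secure ... in storage" line is about.
    refreshTokenReadable: storage.getItem(keys.refreshToken) !== null,
  };
  storage.clear(); // what signing out should leave behind
  result.afterClear = storage.getItem(keys.idToken);
  return result;
}

console.log(demo(Math.floor(Date.now() / 1000)));
```

The id and access tokens are self-describing, so `exp` tells you whether `getSession()` will have to use the refresh token; the refresh token is opaque and its lifetime is only known from the app client configuration, so it is the one most worth keeping out of long-lived storage.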