396147 (1)
#1
Regarding: WARNING The AWS credentials returned by Amazon Cognito are temporary and expire after some time. You need to manage credential rotation—for example using the JavaScript setInterval() method to periodically call Amazon Cognito to refresh the credentials.

Is the setInterval() considered best practice for refreshing a user's token? Or would there be a separate workflow for attempting to make a request to the API with an expired token (and failing/401 because of the expired token), getting a new token, then re-requesting on the API with a now-valid token? Usually this would be accomplished with a refresh token. Wouldn't you have to store the login/password somewhere on the client?
Danilo Poccia (11)
#2
You are right, refreshing the credentials requires you to have a valid token from the authentication provider (for example Facebook, Twitter, the Sample Authentication Service in the book, or the new Cognito User Pools).

Depending on the provider, you should eventually refresh the token and use the new one when requesting credentials from Amazon Cognito.

Most of the providers have their own client-side library that manages a local cache (for example, using JavaScript localStorage). You can leverage that before refreshing credentials.

In the case of Amazon Cognito, AWS released a JavaScript module to make it easier to manage User Pools on the client: https://github.com/aws/amazon-cognito-identity-js
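
The alternative workflow raised in the question, as an added example that is not part of either post and is not code from the book or from amazon-cognito-identity-js: credentials are refreshed on demand shortly before they expire, and a request that still gets a 401 triggers one refresh and one retry. `fetchCredentials`, `callApi` and the `expireTime` field are hypothetical; `fetchCredentials` stands in for whatever call exchanges the provider's current token for new temporary credentials, so no login or password is kept on the client.

```javascript
// Added example: refresh temporary credentials on demand instead of on a timer.
// fetchCredentials, callApi and the expireTime field are assumptions, not a real API.
const SKEW_MS = 60 * 1000; // refresh one minute before the stated expiry

function needsRefresh(creds, now = Date.now(), skewMs = SKEW_MS) {
  return !creds || creds.expireTime - now <= skewMs;
}

function createCredentialManager(fetchCredentials, clock = Date.now) {
  let current = null;
  let inFlight = null; // shared promise so concurrent callers trigger one refresh

  function refresh() {
    if (!inFlight) {
      inFlight = fetchCredentials()
        .then((creds) => { current = creds; return creds; })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  async function get() {
    return needsRefresh(current, clock()) ? refresh() : current;
  }

  // Run one API call; on a 401 refresh once and retry, then return whatever came back.
  async function withCredentials(callApi) {
    let res = await callApi(await get());
    if (res.status === 401) res = await callApi(await refresh());
    return res;
  }

  return { get, refresh, withCredentials };
}

// Constructed demo: a fake provider issuing 15-minute credentials, and a fake
// API that rejects the first credential set as if it had expired early.
async function demo() {
  let issued = 0;
  const fetchCredentials = async () =>
    ({ id: ++issued, expireTime: Date.now() + 15 * 60 * 1000 });
  const manager = createCredentialManager(fetchCredentials);
  const callApi = async (creds) => ({ status: creds.id === 1 ? 401 : 200, usedId: creds.id });
  const res = await manager.withCredentials(callApi);
  return { issued, status: res.status, usedId: res.usedId };
}

demo().then((result) => console.log(result));
```

The single retry keeps a persistently rejected request from looping, and the shared in-flight promise prevents a burst of requests from each starting its own refresh.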