
I am making an app and I have a few questions about Amazon Cognito:

  1. I read that when you sign in to Cognito it returns a JWT token consisting of: ID token, access token, and refresh token. My first question is, where do I save these tokens in my app so the user can continue to be logged in and doesn't have to log in every time? Do I save it in a state or in a cookie etc or somewhere else? I don't understand this.

  2. How do I use the JWT to make authenticated api requests?

  3. How do I refresh a JWT behind the scenes so a user can stay signed in? This isn't clear to me in the documentation. Once the JWT expires, how can the user remain logged in without having to sign in every time?

Thanks!

matt

1 Answer


My understanding is as follows. The choice of storage is important because you want to prevent cross-site scripting (XSS) and cross-site request forgery (CSRF). Always use HTTPS, naturally.

  1. Store in memory, or in an HttpOnly cookie, or in a session cookie (in descending order of preference), but not in HTML5 web storage
  2. Send the JWT in the HTTP Authorization header using the Bearer schema (see below)
  3. See JWT refresh token flow

The content of the header looks like:

Authorization: Bearer <token>

A few recommended sites:

jarmod
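An added example (not code from the answer or from Cognito's SDK) showing the three points above together: tokens held in memory only, the access token sent as a Bearer header, and a refresh triggered shortly before the `exp` claim is reached. `refreshFn` is an assumed callback you supply that exchanges the refresh token for new tokens (for Cognito, a wrapper around its refresh-token flow); `makeTestJwt` only builds constructed, unsigned tokens so the example runs offline.

```javascript
// Added example, not code from the answer above: keep Cognito tokens in memory,
// attach the access token as "Authorization: Bearer <token>", and refresh it
// shortly before its exp claim is reached. `refreshFn` is an assumed callback
// that exchanges the refresh token for new tokens (e.g. Cognito's refresh flow).

function decodeJwtPayload(jwt) {
  // Reads the payload segment only; it does NOT verify the signature.
  // Signature verification is the job of the API that receives the token.
  const seg = jwt.split('.')[1];
  if (!seg) throw new Error('malformed JWT');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

function needsRefresh(jwt, nowSeconds, skewSeconds = 60) {
  // Refresh when the token is expired or within `skewSeconds` of expiring.
  const { exp } = decodeJwtPayload(jwt);
  if (typeof exp !== 'number') throw new Error('JWT has no numeric exp claim');
  return exp - nowSeconds <= skewSeconds;
}

function bearerHeader(token) {
  return { Authorization: `Bearer ${token}` };
}

class TokenSession {
  // Tokens live only in this object (memory), never in localStorage/sessionStorage.
  constructor(tokens, refreshFn, skewSeconds = 60) {
    this.tokens = tokens; // { accessToken, idToken, refreshToken }
    this.refreshFn = refreshFn;
    this.skewSeconds = skewSeconds;
  }

  async authHeaders(nowSeconds = Math.floor(Date.now() / 1000)) {
    if (needsRefresh(this.tokens.accessToken, nowSeconds, this.skewSeconds)) {
      const fresh = await this.refreshFn(this.tokens.refreshToken);
      // A refresh typically yields new access/ID tokens; the refresh token is kept.
      this.tokens = { ...this.tokens, ...fresh };
    }
    return bearerHeader(this.tokens.accessToken);
  }
}

function makeTestJwt(payload) {
  // Constructed, unsigned test token for offline demonstration only;
  // real Cognito tokens are signed and must be verified by the API.
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
```

Call `await session.authHeaders()` before each API request and spread the result into the request's headers; if the refresh call itself fails (for example because the refresh token has expired), send the user back through sign-in.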