I have a requirement to be able to specify session timeouts on a per-user basis (so that it may be a different value for each user). It seems natural to use the `exp` property on the access token to accomplish this (as that is its purpose in the OAuth spec), but Cognito seems to ignore updates to this in the preTokenGeneration trigger. Is there a way to update this on a per-user basis? Or do I really need to define some custom attribute that will be checked on the ID token?
1 Answer
Great question. I'm sure you know that since August 2020 Cognito allows you to configure access token expiry time from 5 mins to 1 day. The configuration is per app client. If you were able to split your users across app clients, that could be an option (e.g. admins with long sessions log in on one page, normal users on another). You could lock the app clients down to certain users using a pre-authentication trigger. That's not a very configurable solution though.
I also wonder what you mean exactly by a session? For example, this would typically mean one of two things. Either your session expires and you have to log in again after a fixed length of time (e.g. AWS is 24 hours), or if you are idle for a certain amount of time (say 30 mins) your session is ended. Could you elaborate on your requirement a bit?
I need to update the `exp` on both the access token and the refresh token (the requirement is both for a period of inactivity and having to log in again after a fixed length of time). I think I can persuade PM to update the requirement so that it is not editable per user but tied to groups, and each group uses a separate app client. Thank you! – tofarr Mar 26 '21 at 13:37
You can also do some stuff in the client to actively log users out. For example I use idle-vue to log out users who have been idle for a while. It's not a 'secure' solution in that it could be circumvented. It's not a security problem in that the only 'malicious' thing that could happen is sessions lasting longer. But if you're working on a finance app, probably not acceptable! – F_SO_K Mar 26 '21 at 15:58
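The answer's suggestion of one app client per tier, locked down with a pre-authentication trigger, combined with the comment's idea of tying tiers to groups, as an added Node.js example that is not from the question, the answer or AWS. The client ids, the group-to-client policy and the injected `lookupGroups` function are assumptions for illustration; a real trigger would fetch groups with `AdminListGroupsForUser`.

```javascript
// Assumed policy: app client id -> groups allowed to sign in through it.
// Each app client is configured separately in Cognito with its own token expiry.
// The ids below are constructed placeholders, not real client ids.
const CLIENT_POLICY = {
  'admin-client-id-PLACEHOLDER': ['admins'],          // long access-token expiry
  'user-client-id-PLACEHOLDER': ['users', 'admins'],  // short access-token expiry
};

// Pure decision: may a user holding these groups sign in through this app client?
// App clients missing from the policy are denied (fail closed).
function isClientAllowed(groups, clientId, policy = CLIENT_POLICY) {
  const allowed = policy[clientId];
  if (!Array.isArray(allowed)) return false;
  return groups.some((g) => allowed.includes(g));
}

// Pre-authentication trigger handler. Group membership is not part of the
// pre-authentication event, so the lookup is injected (assumption) to keep this
// runnable offline; in Lambda it would call AdminListGroupsForUser.
async function preAuthentication(event, lookupGroups) {
  const clientId = event.callerContext && event.callerContext.clientId;
  const groups = await lookupGroups(event.userPoolId, event.userName);
  if (!isClientAllowed(groups, clientId)) {
    // Throwing from a pre-authentication trigger makes Cognito reject the sign-in.
    // The message is returned to the caller, so it stays generic.
    throw new Error('Sign-in not permitted for this application');
  }
  return event; // returning the event unchanged lets authentication continue
}

// Constructed sample event in the shape Cognito sends to the trigger.
const sampleEvent = {
  userPoolId: 'us-east-1_PLACEHOLDER',
  userName: 'alice',
  callerContext: { clientId: 'admin-client-id-PLACEHOLDER' },
  request: { userAttributes: { email: 'alice@example.com' } },
  response: {},
};

// Constructed stand-in for the group lookup: alice is a plain user, everyone else an admin.
const fakeGroups = async (_poolId, userName) => (userName === 'alice' ? ['users'] : ['admins']);
```

With `sampleEvent`, alice (group `users`) is rejected on the admin app client, while the same event for an admin user passes through unchanged.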