AWS Amplify Auth
June 16, 2022
When you call Auth.signIn() and Auth.signOut(), what is Amplify abstracting away from us? How is Amplify managing our authentication state?
Amplify does this by manipulating values in local storage (or cookies). When you successfully authenticate, six values are written to local storage; when you sign out, those values are deleted again.
Two things follow from that. First, any JavaScript running on the page origin can read those values, refresh token included, so an XSS bug in the app is equivalent to session theft. Second, a plain Auth.signOut() only removes the local copies; the refresh token stays usable at Cognito until it expires unless you revoke it server-side with a global sign-out (Auth.signOut({ global: true })).
Storage values
Upon successful authentication, the library adds 6 values to local storage (or cookies if you customize the config).
The six values (the library calls all of them "token types" in its key naming, though only three are actual tokens) are:
accessToken: "The purpose of the access token is to authorize API operations in the context of the user in the user pool." (Cognito docs)
clockDrift: "The saved computer's clock drift or undefined to force calculation." (from the library's own comments) I don't understand how this is applied. Something to do with expiry?
idToken: "contains claims about the identity of the authenticated user, such as name, email, and phone_number" (Cognito docs)
refreshToken: credentials used to obtain new tokens. When the access token expires, the refresh token is used to get a new one without asking the user to sign in again. From the AWS docs: "You can use the refresh token to retrieve new ID and access tokens."
userData: a cached copy of the user's profile (username plus user attributes such as name and email), so that Auth.currentAuthenticatedUser() can be answered without a network call unless you pass bypassCache: true.
LastAuthUser: the username of the most recently signed-in user, "needed for computing other key names": the library reads it first to know which username to plug into the other five keys.
Naming convention
Each of these token types is used as the last component of the storage key.
The docs define the shape of the storage keys as:
${ProviderPrefix}.${userPoolClientId}.${username}.${tokenType}
The one exception is LastAuthUser, which is stored under ${ProviderPrefix}.${userPoolClientId}.LastAuthUser with no username component; it cannot depend on the username because it is the value that supplies the username.
Here's an example:
CognitoIdentityServiceProvider.2agop4ldjtnjhng1of7752uh73.554a1dff-ab1e-4cf8-d95f-1c10b4d7700.accessToken
In this example:
CognitoIdentityServiceProvider is the ProviderPrefix.
2agop4ldjtnjhng1of7752uh73 is the user pool client ID.
554a1dff-ab1e-4cf8-d95f-1c10b4d7700 is the username.
accessToken is the token type.
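To make the storage layout and the clockDrift check concrete, here is an added example (not Amplify's or amazon-cognito-identity-js's own code) that builds the keys described above, caches and reloads a session from a storage object, decodes the cached JWTs, and applies the validity check the way the library's CognitoUserSession.isValid() does (now minus clockDrift compared against each token's exp). The client ID, username, and tokens are constructed; the tokens are unsigned so they can be decoded offline and would be rejected by any real verifier. It runs under Node 16+; in a browser the Map-backed storage would be window.localStorage.

```javascript
// Added example, not library code. Mirrors the key naming and clockDrift logic of
// amazon-cognito-identity-js (the library underneath Amplify Auth) on constructed data.

const PROVIDER_PREFIX = 'CognitoIdentityServiceProvider';

// `${prefix}.${clientId}.${username}.${tokenType}` for the per-user values.
// LastAuthUser is keyed per client id only: it is read first to learn the username.
function storageKey(clientId, username, tokenType) {
  const prefix = `${PROVIDER_PREFIX}.${clientId}`;
  if (tokenType === 'LastAuthUser') return `${prefix}.LastAuthUser`;
  return `${prefix}.${username}.${tokenType}`;
}

// Reads the claims out of a JWT. This does NOT verify the signature: the client only
// needs iat/exp to decide when to refresh; anything making an authorization decision
// must validate the token against the user pool's JWKS instead.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// clockDrift = local time (s) - earliest iat of the two tokens, computed once when the
// tokens are cached, so a skewed local clock does not misjudge expiry later.
function calculateClockDrift(accessToken, idToken, nowSeconds) {
  const iat = Math.min(decodeJwtPayload(accessToken).iat, decodeJwtPayload(idToken).iat);
  return nowSeconds - iat;
}

// Writes the six values for `username` under `clientId` (what signIn leaves behind).
function cacheSession(storage, clientId, username, tokens, nowSeconds) {
  const set = (t, v) => storage.setItem(storageKey(clientId, username, t), v);
  set('LastAuthUser', username);
  set('accessToken', tokens.accessToken);
  set('idToken', tokens.idToken);
  set('refreshToken', tokens.refreshToken);
  set('clockDrift', String(calculateClockDrift(tokens.accessToken, tokens.idToken, nowSeconds)));
  set('userData', JSON.stringify(tokens.userData));
}

// Reads the session back: LastAuthUser first, then the per-user keys it points at.
function loadSession(storage, clientId) {
  const username = storage.getItem(storageKey(clientId, null, 'LastAuthUser'));
  if (!username) return null;
  const get = (t) => storage.getItem(storageKey(clientId, username, t));
  const accessToken = get('accessToken');
  const idToken = get('idToken');
  if (!accessToken || !idToken) return null;
  return {
    username, accessToken, idToken,
    refreshToken: get('refreshToken'),
    clockDrift: Number(get('clockDrift') ?? 0),
    userData: JSON.parse(get('userData') ?? 'null'),
  };
}

// Valid while (now - clockDrift) is strictly before both tokens' exp.
function isSessionValid(session, nowSeconds) {
  const adjusted = nowSeconds - session.clockDrift;
  return adjusted < decodeJwtPayload(session.accessToken).exp
      && adjusted < decodeJwtPayload(session.idToken).exp;
}

// --- constructed sample data; nothing below came from a real user pool ---
function makeUnsignedToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(payload)}.`; // empty signature
}

const SAMPLE_CLIENT_ID = 'exampleclientid0000000000'; // made-up client id
const SAMPLE_USERNAME = 'example-user';
const SAMPLE_IAT = 1655000000;          // constructed issue time (seconds)
const SAMPLE_EXP = SAMPLE_IAT + 3600;   // Cognito access/ID tokens default to 1 hour

// Builds a storage object holding a session cached at issue time, as seen by a local
// clock that is `localClockOffsetSeconds` off from Cognito's.
function buildSampleStorage(localClockOffsetSeconds) {
  const map = new Map();
  const storage = {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, v); },
    keys: () => [...map.keys()],
  };
  const tokens = {
    accessToken: makeUnsignedToken({ token_use: 'access', sub: 'sub-1234', iat: SAMPLE_IAT, exp: SAMPLE_EXP }),
    idToken: makeUnsignedToken({ token_use: 'id', email: 'user@example.com', iat: SAMPLE_IAT, exp: SAMPLE_EXP }),
    refreshToken: 'constructed-opaque-refresh-token',
    userData: { Username: SAMPLE_USERNAME, UserAttributes: [{ Name: 'email', Value: 'user@example.com' }] },
  };
  cacheSession(storage, SAMPLE_CLIENT_ID, SAMPLE_USERNAME, tokens, SAMPLE_IAT + localClockOffsetSeconds);
  return storage;
}

if (typeof require !== 'undefined' && require.main === module) {
  const storage = buildSampleStorage(120); // local clock runs 2 minutes fast
  console.log(storage.keys());             // the six keys, LastAuthUser without a username
  const session = loadSession(storage, SAMPLE_CLIENT_ID);
  console.log('clockDrift:', session.clockDrift);
  console.log('valid 60 s past exp by local clock:', isSessionValid(session, SAMPLE_EXP + 60));
  console.log('valid 120 s past exp by local clock:', isSessionValid(session, SAMPLE_EXP + 120));
}
```

With the local clock two minutes fast, the session is still reported valid 60 seconds "after" expiry by that clock and invalid at 120 seconds, which is what the stored clockDrift buys you. Note that none of this verifies a signature; the client-side cache is a convenience, and the only place a Cognito JWT is actually trusted is wherever it is validated against the user pool's JWKS.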