1 vote

I want to use Cognito & Google login for my applications. I think the way to use that is federated identities?

I think I need to use GetId and GetOpenIdToken to get a Cognito token for my Google user? This works but

The OpenId token is valid for 15 minutes.

Why is this token expiry so short? Is it meant for such a use case - a normal REST API? I intend to use it with API Gateway.

UPDATE

I found http://serverless-stack.com/chapters/cognito-user-pool-vs-identity-pool.html to provide a useful explanation of Federated Identity vs User Pools. It's not the same thing like I thought.

  • User Pool: handles authentication, forgot password etc
  • Federated Identity: Gives access to users from user pool, social logins access to AWS resources
1 Answer

1 vote

It's short lived because it's primarily intended to be passed back to get AWS credentials. If you're using the '3 hop', old flow, it's the response from GetOpenIdToken and given to AssumeRoleWithWebIdentity.

The recommended flow is to use the 'enhanced flow', which takes that out of the equation. The API GetCredentialsForIdentity gets the token and gets credentials in one API, never giving the token back. You can integrate with APIGW this way, via the credentials themselves.
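To make the enhanced flow concrete, here is an added example (not from the question, the answer, or AWS) of the two calls the answer describes, GetId followed by GetCredentialsForIdentity, with the Google ID token passed in the `Logins` map under the `accounts.google.com` provider key and the OpenId token never surfacing to the client. The `get_id` / `get_credentials_for_identity` method names and the `Credentials` response shape are those of boto3's `cognito-identity` client; the `FakeCognitoIdentityClient`, the identity pool id, the identity id and every credential value are constructed so the snippet runs offline. The `needs_refresh` helper is an assumption about how a caller should cache the returned credentials: refresh them a little before `Expiration` rather than discovering the expiry as a signature failure at API Gateway.

```python
from datetime import datetime, timedelta, timezone

# Cognito Identity keys social logins in the Logins map by provider; this is Google's.
GOOGLE_PROVIDER = "accounts.google.com"


def get_aws_credentials_enhanced_flow(client, identity_pool_id, google_id_token):
    """Enhanced (two-call) flow: GetId -> GetCredentialsForIdentity.

    `client` is a Cognito Identity client. In production that is
    boto3.client("cognito-identity", region_name=...); here it is a fake with
    the same method names. The OpenId token is consumed server-side and never
    returned, which is the point of this flow versus the old three-hop one.
    """
    logins = {GOOGLE_PROVIDER: google_id_token}

    # Hop 1: map the Google identity to a Cognito identity id inside the pool.
    identity = client.get_id(IdentityPoolId=identity_pool_id, Logins=logins)
    identity_id = identity["IdentityId"]

    # Hop 2: exchange the same login for temporary AWS credentials directly.
    resp = client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    creds = resp["Credentials"]
    return {
        "identity_id": identity_id,
        "access_key_id": creds["AccessKeyId"],
        "secret_key": creds["SecretKey"],          # Cognito Identity names it SecretKey
        "session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],         # timezone-aware datetime
    }


def needs_refresh(expiration, now=None, skew_seconds=300):
    """Assumed caching rule: treat credentials as stale `skew_seconds` before
    their Expiration so a SigV4-signed request to API Gateway is never sent
    with credentials that expire in flight."""
    now = now or datetime.now(timezone.utc)
    return expiration - timedelta(seconds=skew_seconds) <= now


class FakeCognitoIdentityClient:
    """Constructed stand-in for the boto3 cognito-identity client (offline demo).

    It mirrors the real client's method names and response shapes only as far
    as this example needs; all ids and credential values are made up.
    """

    def __init__(self, identity_id="us-east-1:00000000-0000-0000-0000-000000000000"):
        self.identity_id = identity_id
        self.calls = []  # records which API actions were invoked, in order

    def get_id(self, IdentityPoolId, Logins):
        self.calls.append("GetId")
        if GOOGLE_PROVIDER not in Logins:
            # The real service rejects a pool login that is not configured.
            raise PermissionError("NotAuthorizedException: unsupported login provider")
        return {"IdentityId": self.identity_id}

    def get_credentials_for_identity(self, IdentityId, Logins):
        self.calls.append("GetCredentialsForIdentity")
        if IdentityId != self.identity_id or GOOGLE_PROVIDER not in Logins:
            raise PermissionError("NotAuthorizedException: identity/login mismatch")
        return {
            "IdentityId": IdentityId,
            "Credentials": {  # constructed values, not real keys
                "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
                "SecretKey": "constructed-secret-key-not-real",
                "SessionToken": "constructed-session-token-not-real",
                "Expiration": datetime.now(timezone.utc) + timedelta(hours=1),
            },
        }


if __name__ == "__main__":
    fake = FakeCognitoIdentityClient()
    creds = get_aws_credentials_enhanced_flow(
        fake, "us-east-1:identity-pool-id-placeholder", "constructed-google-id-token"
    )
    print("calls made:", fake.calls)
    print("identity:", creds["identity_id"], "refresh now?", needs_refresh(creds["expiration"]))
```

The credentials that come back are what you sign API Gateway requests with (IAM authorization on the method, SigV4 signature from the access key, secret key and session token); `fake.calls` shows that `GetOpenIdToken` is never invoked in this flow, so the 15-minute token the question worries about is not something the client ever has to manage.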