
Implementing refresh and needsRefresh when using chime sdk js and aws sdk js v3 #2543

Closed
deepaktammali opened this issue Jan 8, 2023 · 7 comments
Labels
messaging-service Messaging service + Disperse

Comments

@deepaktammali

What are you trying to do?

I am using amazon-chime-sdk-js for a messaging application, but after some idle time I get an expired token error message:

```
Messaging Session failed to resolve endpoint: ExpiredTokenException: The security token included in the request is expired
```

How can the documentation be improved to help your use case?

In the Amazon Chime SDK Messaging documentation, it is mentioned that if we implement the refresh and needsRefresh methods, then the AWS Chime SDK JS would automatically refresh the credentials.
https://docs.aws.amazon.com/chime-sdk/latest/dg/handle-disconnects.html

I would like to understand the implementation of refresh and needsRefresh methods so that amazon-chime-sdk-js would automatically refresh the tokens.

What documentation have you looked at so far?

I have looked at the Readme.MD file and also searched for it but was not able to find a solution.

Thank you.

@ltrung ltrung added the messaging-service Messaging service + Disperse label Jan 19, 2023
@kmai-amazon

AWS session credentials are tied to a specific expiration date after which the service will return the ExpiredTokenException you are seeing. Refreshing your credentials will depend on how you are providing your initial credentials.

If, for example, you are using Cognito and their AWS.CognitoIdentityCredentials to retrieve your session credentials, the credential provider already has the .refresh() and .needsRefresh() functions implemented and you will just need to call them in your code using one of the code samples found here such as:

```js
var refresh_token = session.getRefreshToken(); // receive session from calling cognitoUser.getSession()
if (AWS.config.credentials.needsRefresh()) {
	cognitoUser.refreshSession(refresh_token, (err, session) => {
		if (err) {
			console.log(err);
		} else {
			AWS.config.credentials.params.Logins[
				'cognito-idp.<YOUR-REGION>.amazonaws.com/<YOUR_USER_POOL_ID>'
			] = session.getIdToken().getJwtToken();
			AWS.config.credentials.refresh(err => {
				if (err) {
					console.log(err);
				} else {
					console.log('TOKEN SUCCESSFULLY UPDATED');
				}
			});
		}
	});
}
```

If you are retrieving your AWS session credentials from another custom source such as your own identity provider, you will need to implement the .refresh() and .needsRefresh() functions to call that provider and retrieve new credentials.

Here is an example that implements those functions calling AWS Cognito to retrieve new credentials.

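```js
// `creds` is the credentials object last fetched by the application (not shown here).
AWS.config.credentials.needsRefresh = function () {
    return Date.now() > creds.expiration;
};

AWS.config.credentials.refresh = function (cb) {
    console.log("Refresh Cognito IAM Creds");
    // getAwsCredentialsFromCognito is an application helper (not shown here).
    // Pass functions to .then() so cb runs only after the new credentials arrive.
    Auth.currentUserCredentials()
        .then(() => getAwsCredentialsFromCognito())
        .then(() => cb())
        .catch(cb); // report a failed refresh to the caller
};
```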

@deepaktammali
Author

deepaktammali commented Jan 22, 2023

Hello,

Thanks for your reply.

I am using Amplify, which will fetch the credentials when the user logs in.
I am using the Auth.currentCredentials() method from Amplify Auth to get those credentials and pass them to the ChimeSDKMessagingClient from @aws-sdk/client-chime-sdk-messaging (AWS SDK v3).

I don't think I have access to AWS namespace.


The credentials config option for ChimeSDKMessagingClient seems to take a function, Provider<AwsCredentialIdentity>, that should return the AWS credentials. Currently I am calling Auth.currentCredentials() in the method and returning the credentials.

Would this be called whenever the credentials expire?

@kmai-amazon

Under the hood, Amplify integrates with AWS Cognito so the credentials are automatically refreshed when calling Auth.currentCredentials().

So you will need to implement the credential provider which will call Auth.currentCredentials() to retrieve the latest credentials.

You can refer to this comment as an example of how you can implement such a provider. Instead of using

```js
const credentialsThatAreActuallyValidFor1Hour = await this.fetchCredentials();
```

you can instead use

```js
const credentialsThatAreActuallyValidFor1Hour = await Auth.currentCredentials();
```

in order to pull the credentials from Amplify and Cognito.

@deepaktammali
Author

understood, thanks.

@propbox-admin

@kmai-amazon I tried the approach mentioned in your comment link and it didn't work.
I don't understand how it's different from just calling Auth.currentCredentials() directly as the credentials param?

```js
new ChimeSDKMessaging({
  region: "us-east-1",
  credentials: Auth.currentCredentials()
});
```

Thanks for the help.

@deepaktammali
Author

deepaktammali commented Apr 26, 2023

Hello @admin-zh,

The way I did it is to pass a function, which is a credential provider, to the credentials property instead of an object with credentials. The credentials object that is returned by Auth.currentCredentials seems to include an expiration property (I haven't verified, this assumption is based on the return type), but the identity pool response when Amplify fetches the credentials includes the expiration property.

```ts
import { Auth } from "aws-amplify";
import {
  ChimeSDKMessagingClient,
  ChimeSDKMessagingClientConfig,
} from "@aws-sdk/client-chime-sdk-messaging";

// CHIME_AWS_REGION is an application constant defined elsewhere.
const config: ChimeSDKMessagingClientConfig = {
  // A provider function, not a credentials object: the SDK can call it again later.
  credentials: async () => {
    const credentials = await Auth.currentCredentials();
    return credentials;
  },
  region: CHIME_AWS_REGION,
};

const chimeMessagingClient = new ChimeSDKMessagingClient(config);
```
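Why the function form keeps working after idle time while credentials without a usable `expiration` do not, shown as an added example that is not part of the original thread and not the AWS SDK's own code: a simplified model of a memoizing credential provider. The five-minute refresh window, the helper names and the fake identity pool standing in for `Auth.currentCredentials()` are assumptions of this example.

```javascript
// Added model of a memoizing credential provider; not the AWS SDK's own code.
const EXPIRY_WINDOW_MS = 5 * 60 * 1000; // assumed early-refresh window

// True when the cached credentials must be fetched again at time nowMs.
function needsRefresh(cached, nowMs) {
  if (!cached) return true; // nothing fetched yet
  if (!(cached.expiration instanceof Date)) return false; // treated as static
  return cached.expiration.getTime() - nowMs < EXPIRY_WINDOW_MS;
}

// Wrap a provider function so it is re-invoked only when needsRefresh() says so.
function memoizeProvider(provider, clock = Date.now) {
  let cached = null;
  return async function resolve() {
    if (needsRefresh(cached, clock())) cached = await provider();
    return cached;
  };
}

// Constructed stand-in for Auth.currentCredentials(): issues one-hour credentials.
function makeFakeIdentityPool(clock) {
  let calls = 0;
  const fetch = async () => ({
    accessKeyId: "ASIAEXAMPLE", secretAccessKey: "constructed-secret",
    sessionToken: `token-${++calls}`,
    expiration: new Date(clock() + 60 * 60 * 1000),
  });
  return { fetch, callCount: () => calls };
}

// Resolve credentials at minute 0, 30, 56 and 120 of a mostly idle session.
async function simulate(keepExpiration) {
  let now = 0;
  const clock = () => now;
  const pool = makeFakeIdentityPool(clock);
  const provider = memoizeProvider(async () => {
    const c = await pool.fetch();
    if (!keepExpiration) delete c.expiration; // model credentials with no expiry info
    return c;
  }, clock);
  const tokens = [];
  for (const minute of [0, 30, 56, 120]) {
    now = minute * 60 * 1000;
    tokens.push((await provider()).sessionToken);
  }
  return { tokens, fetches: pool.callCount() };
}
```

`simulate(true)` fetches three times over the two simulated hours, while `simulate(false)` fetches once and keeps handing out the first session token, which is the state that ends in `ExpiredTokenException`.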

@propbox-admin

@deepaktammali thanks a lot, I tried it and it worked like a charm!!
