Thoughts on how to update some custom claims coming from GitHub after the initial authorization in the OIDC flow
athkalia opened this issue · 3 comments
Hello,
Thank you for this amazing library! I am using it successfully in a personal project.
I have a question and I was wondering if you could provide me with your thoughts on how to deal with the following:
(this is more of a Cognito question rather than a question for your wrapper, but I thought I'd give it a shot 🙏)
I have made some changes to this library to fetch some more information from the GitHub API and pass it to Cognito as a custom claim. This is information about which installations of a GitHub application the GitHub user has access to. Every now and then, however, those installations might change as the user might uninstall that particular GitHub application from their GitHub account. Is there a way I can tell Cognito to perform the whole OIDC flow again with GitHub and this JavaScript library (deployed as AWS Lambdas) that sits between the two? Does Cognito ever check with GitHub/this shim again after the first time?
Is this approach correct or am I possibly missing something more fundamental here?
Thanks in advance!
A simpler example would be: if the user updates their name on GitHub, how does that change propagate to Cognito? And is there a mechanism that I can use (or build) to make this propagate within a few seconds?
Yes, Cognito re-auths on login, which will propagate any changes to the user's information through to your user pool (as long as your shim is also exposing those changes). You can see the documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html
After investigating this a bit, I think that you first need to log out the Cognito session by hitting the logout endpoint https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html, and then re-login to have Cognito reach all the way to GitHub. Otherwise, any authorize requests that happen within 1 hour will not reach GitHub; they will be served by Cognito only.
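One way to act on the last two comments in client code, as an added example that is not part of the wrapper, this thread, or Cognito itself: it reads the claims of a Cognito ID token, treats the GitHub installation claim as stale once its auth_time is older than a chosen window (Cognito only re-queries GitHub on a full login), and builds the hosted-UI logout URL so the next /authorize request goes all the way to GitHub again. The custom attribute name custom:installations, the user pool domain and the client id are assumptions and placeholders.

```javascript
// Added example, not the wrapper's own code. Assumptions: the shim maps the GitHub
// installation list to a user-pool custom attribute that surfaces in the ID token
// as "custom:installations"; domain and client id below are placeholders.
const COGNITO_DOMAIN = 'https://example-pool.auth.eu-west-1.amazoncognito.com'; // placeholder
const CLIENT_ID = 'PLACEHOLDER_CLIENT_ID';                                       // placeholder
const LOGOUT_URI = 'https://app.example.com/logged-out';                         // placeholder

// Decode a JWT payload without verifying it. Verify the signature against the
// user pool's JWKS before trusting anything; this helper only inspects claims.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Cognito only talks to GitHub during a full login, so the installation claim is
// only as fresh as auth_time; treat it as stale once it exceeds maxAgeSeconds.
function installationsAreStale(claims, nowSeconds, maxAgeSeconds) {
  if (typeof claims.auth_time !== 'number') return true;
  return nowSeconds - claims.auth_time > maxAgeSeconds;
}

// Hosted-UI logout URL: ending the Cognito session is what makes the next
// /authorize request reach GitHub again instead of being served by Cognito alone.
function buildLogoutUrl() {
  const url = new URL('/logout', COGNITO_DOMAIN);
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('logout_uri', LOGOUT_URI);
  return url.toString();
}

// Returns the installation list when fresh, or the logout URL the client should
// redirect to when the claim may no longer reflect GitHub.
function installationsOrLogout(idToken, nowSeconds, maxAgeSeconds = 300) {
  const claims = decodeJwtPayload(idToken);
  if (installationsAreStale(claims, nowSeconds, maxAgeSeconds)) {
    return { stale: true, logoutUrl: buildLogoutUrl() };
  }
  return { stale: false, installations: JSON.parse(claims['custom:installations'] || '[]') };
}
// Constructed sample ID token (unsigned; the third segment is a dummy).
function sampleIdToken(authTime) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = enc({ alg: 'RS256', kid: 'placeholder' });
  const payload = enc({ sub: 'u1', auth_time: authTime, 'custom:installations': '[101,202]' });
  return `${header}.${payload}.dummysig`;
}
```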