amazon-archives / amazon-cognito-identity-js

Amazon Cognito Identity SDK for JavaScript

refresh_token not validating the username associated with the token #607

Closed newtechfellas closed 6 years ago

newtechfellas commented 6 years ago

Refresh token retrieved using a successful login in the ADMIN_NO_SRP_AUTH AuthFlow for userA is able to fetch a new access token for userB. Is this expected? I am using the boto3 client to admin_initiate_auth with the ADMIN_NO_SRP_AUTH AuthFlow followed by the REFRESH_TOKEN_AUTH AuthFlow. But these 2 calls use different usernames.

Does the REFRESH_TOKEN_AUTH AuthFlow not validate the input USERNAME associated with the refresh token?

itrestian commented 6 years ago

The refresh token flow doesn't require the USERNAME. Did you get that info from the docs? It refreshes tokens for the user that was given the refresh token in the first place.

newtechfellas commented 6 years ago

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html mentions passing USERNAME for refresh token flow. boto3 client failed when I don't pass username.

itrestian commented 6 years ago

Not entirely sure, I will look into it more. Might be something specific to the client but as you can see here, this SDK doesn't pass the username when refreshing.

https://github.com/aws/amazon-cognito-identity-js/blob/master/src/CognitoUser.js#L984

itrestian commented 6 years ago

I confirmed that in the refresh token flow, the username is not a required parameter as the refresh token can directly be associated with the given user that the token was issued in the first place. You can test this behavior by using the AWS CLI for example and passing just the refresh token.
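The practical consequence of the thread is that a client must not assume refreshed tokens belong to the USERNAME it passed. The following added example (not code from this SDK or from either commenter) checks the claims of the returned tokens against the user the caller expected; it assumes a Node.js runtime, a `AuthenticationResult`-shaped object, and constructed, unsigned sample tokens.

```javascript
// Added example, not code from the SDK or the issue thread. REFRESH_TOKEN_AUTH
// ignores the USERNAME parameter and mints tokens for whichever user the refresh
// token was issued to, so a client that keys sessions by username must check the
// claims of the returned tokens instead of trusting the username it sent.
// Assumes the JWT signatures were already verified against the user pool JWKS
// (not shown); this only inspects the decoded claims.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns { ok, reason } for the AuthenticationResult of a refresh call.
// Cognito access tokens carry the user in `username`; ID tokens in `cognito:username`.
function refreshedTokensBelongTo(authResult, expectedUsername) {
  const access = decodeJwtPayload(authResult.AccessToken);
  const id = decodeJwtPayload(authResult.IdToken);
  if (access.token_use !== 'access' || id.token_use !== 'id') {
    return { ok: false, reason: 'unexpected token_use' };
  }
  if (access.sub !== id.sub) {
    return { ok: false, reason: 'access/id token subject mismatch' };
  }
  if (access.username !== expectedUsername || id['cognito:username'] !== expectedUsername) {
    return { ok: false, reason: `tokens issued to ${access.username}, expected ${expectedUsername}` };
  }
  return { ok: true, reason: '' };
}

// Constructed, unsigned sample tokens standing in for a real refresh response
// (a real response carries signed tokens; these exist only to exercise the check).
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc(payload)}.`;
}

const SAMPLE_REFRESH_RESULT = {
  AccessToken: makeUnsignedJwt({ sub: 'a1b2', username: 'userA', token_use: 'access' }),
  IdToken: makeUnsignedJwt({ sub: 'a1b2', 'cognito:username': 'userA', token_use: 'id' }),
};
```

If a session for userB receives the sample result above, the check fails, which is exactly the case the reporter observed when mixing usernames between the two calls.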