TomBell-Trove
commented
2 years ago Network call proof
Closed TomBell-Trove closed 1 year ago
TomBell-Trove
commented
2 years ago Network call proof
div5yesh
commented
1 year ago Please note that REFRESH_TOKEN_AUTH is to get new idToken and accessTokens using a current valid refresh token, however Cognito documentation does not clearly state that. If refresh token is expired, re-login is required to get new refresh token.
The app must retain the current refresh token until expires to get new accessToken and idToken.
Describe the bug Users of our app are 401'd out 30 days after logging in.
We noticed that the token refresh request (
AWSCognitoIdentityProviderService.InitiateAuth) with"AuthFlow": "REFRESH_TOKEN_AUTH"is not returning an updated refresh token. Therefore the refresh token is never updated/refreshed, and after 30 days the original refresh token was returned users are logged out no matter how often they've been refreshing their access token.The API docs say that a new
RefreshTokenis meant to be returned.This has also been noted by others, eg this StackOverflow post, and this javascript SDK issue.
To Reproduce Steps to reproduce the behavior:
Expected behavior Per docs,
InitiateAuth+REFRESH_TOKEN_AUTHshould return an updatedRefreshTokenas part of step 3 above, and step 5's should use the new refresh token to successfully get a new access token (and refresh token) and the call should succeed.Screenshots If applicable, add screenshots to help explain your problem.
Environment(please complete the following information):
Device Information (please complete the following information):