Closed TomBell-Trove closed 1 year ago
Network call proof
Please note that REFRESH_TOKEN_AUTH is to get a new idToken and accessToken using a current valid refresh token; however, the Cognito documentation does not clearly state that. If the refresh token is expired, re-login is required to get a new refresh token. The app must retain the current refresh token until it expires in order to get new accessTokens and idTokens.
Describe the bug
Users of our app are 401'd out 30 days after logging in.

We noticed that the token refresh request (AWSCognitoIdentityProviderService.InitiateAuth) with "AuthFlow": "REFRESH_TOKEN_AUTH" is not returning an updated refresh token. Therefore the refresh token is never updated/refreshed, and 30 days after the original refresh token was returned, users are logged out no matter how often they've been refreshing their access token. The API docs say that a new RefreshToken is meant to be returned. This has also been noted by others, e.g. this StackOverflow post and this JavaScript SDK issue.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Per docs, InitiateAuth + REFRESH_TOKEN_AUTH should return an updated RefreshToken as part of step 3 above, and step 5 should use the new refresh token to successfully get a new access token (and refresh token), and the call should succeed.
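As an added example (not code from this issue, the SDK, or AWS), a small client-side token holder that acts on the behaviour described in this thread: it mints new id and access tokens with REFRESH_TOKEN_AUTH, keeps the original refresh token because the response carries none, and signals that re-login is required once the refresh token passes its configured validity or the service rejects it. The `initiate_auth` callable stands in for the boto3 call, the 30-day validity is an assumption matching what the reporter observed, and `make_jwt` produces constructed, unsigned test tokens rather than real Cognito ones.

```python
import base64
import json
import time

# Assumed pool setting (constructed for this example): the issue reports users being
# logged out 30 days after sign-in, matching a 30-day refresh token validity.
REFRESH_TOKEN_VALIDITY_S = 30 * 24 * 3600

class ReloginRequired(Exception):
    """The refresh token can no longer mint tokens; the user must sign in again."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt(exp: int) -> str:
    """Unsigned JWT-shaped token with only an 'exp' claim (constructed test data)."""
    payload = _b64url(json.dumps({"exp": exp}).encode())
    return f"{_b64url(b'{}')}.{payload}."

def jwt_exp(token: str) -> int:
    """Read 'exp' from the payload for scheduling only; this is not signature validation."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["exp"]

class CognitoSession:
    def __init__(self, tokens, initiate_auth, refresh_issued_at, now=time.time):
        self.access, self.id = tokens["AccessToken"], tokens["IdToken"]
        self.refresh = tokens["RefreshToken"]        # retained until it expires
        self.refresh_issued_at = refresh_issued_at    # recorded at sign-in; the token is opaque
        # initiate_auth(params) stands in for boto3 cognito-idp
        # initiate_auth(AuthFlow="REFRESH_TOKEN_AUTH", AuthParameters=params, ClientId=...)
        self._initiate_auth, self._now = initiate_auth, now

    def refresh_tokens(self) -> dict:
        """Mint a new access/id token pair; the refresh token itself is not renewed."""
        if self._now() >= self.refresh_issued_at + REFRESH_TOKEN_VALIDITY_S:
            raise ReloginRequired("refresh token past its configured validity")
        try:
            result = self._initiate_auth({"REFRESH_TOKEN": self.refresh})["AuthenticationResult"]
        except Exception as exc:                      # e.g. NotAuthorizedException from the service
            raise ReloginRequired(f"refresh rejected: {exc}") from exc
        self.access, self.id = result["AccessToken"], result["IdToken"]
        # The response carries no RefreshToken (see the issue); never overwrite it with None.
        self.refresh = result.get("RefreshToken", self.refresh)
        return result

    def access_token(self, skew_s: int = 60) -> str:
        if jwt_exp(self.access) - skew_s <= self._now():
            self.refresh_tokens()
        return self.access
```

Recording `refresh_issued_at` at sign-in is what lets the client predict the forced re-login instead of discovering it through a 401 on day 30.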