There is an inconsistency in handling user tokens by cognito-local and "real" AWS Cognito.
1. InitiateAuth API call with USER_PASSWORD_AUTH flow returns tokens, namely: AccessToken, IdToken, RefreshToken.
2. If AdminDisableUser is called after that - user tokens are invalidated. As per documentation:
   "Deactivates a user and revokes all access tokens for the user."
3. If a new InitiateAuth is attempted after that with REFRESH_TOKEN_AUTH flow and a token saved from p1 - real AWS Cognito returns an error, due to the token being revoked.
On the other hand, cognito-local does not revoke tokens after p2 and the second InitiateAuth (p3) completes successfully.
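
The three-step sequence in this report, as an added example that is not part of the original issue or of cognito-local's code: a constructed in-memory model where `revokeOnDisable = false` reproduces the reported behaviour and `true` the documented one. The class, method and function names, the token strings and the error messages are assumptions made for illustration.

```typescript
// Constructed in-memory model of the three calls in the report; not cognito-local's code.
type Tokens = { AccessToken: string; IdToken: string; RefreshToken: string };

class UserPoolModel {
  private users = new Map<string, { password: string; enabled: boolean }>();
  private refreshTokens = new Map<string, string>(); // refresh token -> username
  private counter = 0;
  private revokeOnDisable: boolean;
  // revokeOnDisable=false models the reported behaviour, true the documented one.
  constructor(revokeOnDisable: boolean) { this.revokeOnDisable = revokeOnDisable; }
  createUser(name: string, password: string): void { this.users.set(name, { password, enabled: true }); }
  private issue(username: string): Tokens {
    const n = ++this.counter; // placeholder token values, not real JWTs
    this.refreshTokens.set(`refresh-${n}`, username);
    return { AccessToken: `access-${n}`, IdToken: `id-${n}`, RefreshToken: `refresh-${n}` };
  }
  // Step 1: InitiateAuth with USER_PASSWORD_AUTH
  passwordAuth(username: string, password: string): Tokens {
    const user = this.users.get(username);
    if (!user || !user.enabled || user.password !== password) throw new Error("NotAuthorized");
    return this.issue(username);
  }
  // Step 2: AdminDisableUser
  adminDisableUser(username: string): void {
    const user = this.users.get(username);
    if (!user) throw new Error("UserNotFound");
    user.enabled = false;
    if (!this.revokeOnDisable) return; // reported gap: issued tokens stay valid
    this.refreshTokens.forEach((owner, token) => {
      if (owner === username) this.refreshTokens.delete(token);
    });
  }
  // Step 3: InitiateAuth with REFRESH_TOKEN_AUTH
  refreshAuth(refreshToken: string): Tokens {
    const owner = this.refreshTokens.get(refreshToken);
    if (owner === undefined) throw new Error("TokenRevoked");
    return this.issue(owner);
  }
}

// Runs steps 1-3 and reports whether the refresh token saved in step 1 still works.
function refreshSucceedsAfterDisable(revokeOnDisable: boolean): boolean {
  const pool = new UserPoolModel(revokeOnDisable);
  pool.createUser("alice", "constructed-password");
  const saved = pool.passwordAuth("alice", "constructed-password").RefreshToken;
  pool.adminDisableUser("alice");
  try { pool.refreshAuth(saved); return true; }
  catch (e) { if ((e as Error).message === "TokenRevoked") return false; throw e; }
}
```

The same three calls, pointed at an emulator instead of the model, make a regression test: the step 3 refresh should be rejected once step 2 has run.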