Reading the OAuth 2.0 spec again¹, I noted that:

> The authorization server MAY issue a new refresh token, in which
> case the client MUST discard the old refresh token and replace it
> with the new refresh token. The authorization server MAY revoke the
> old refresh token after issuing a new refresh token to the client.
I had assumed the refresh token itself was never renewed as I never observed AWS Cognito doing so in practice, but the spec is clear here and we want to support a wider variety of IdPs. Renewable refresh tokens would actually be welcome in Cognito as then we could limit their lifetime to be much closer to the max session age we set. Or perhaps Cognito does renew them, but only as necessary and we've never happened to notice this issue!
¹ https://datatracker.ietf.org/doc/html/rfc6749#section-6
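To make the spec rule above concrete, the following is an added Python example (not this project's code): a small client-side routine that applies a token-endpoint response, keeping the old refresh token when the IdP does not rotate (the Cognito behaviour observed above) and replacing it when the IdP does. `FakeRotatingIdP` is a constructed stand-in for a token endpoint so the example runs offline; it also shows why a client that ignores a rotated refresh token fails on the next refresh once the server has revoked the old one. All names here are hypothetical.

```python
"""Refresh-token handling per RFC 6749 section 6 (added example, not project code).

The token endpoint MAY return a new refresh_token. If it does, the client must
discard the old one; if it does not, the client keeps using the old one.
"""
from dataclasses import dataclass


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float


class RefreshError(Exception):
    """Raised when the refresh grant is rejected (e.g. invalid_grant)."""


def apply_refresh_response(current: TokenSet, response: dict, now: float) -> TokenSet:
    """Build the new TokenSet from a token-endpoint response.

    Spec rule: a refresh_token in the response replaces the stored one; its
    absence means the existing refresh token stays valid and must be kept.
    """
    if "error" in response:
        # invalid_grant here usually means the refresh token was revoked or
        # expired: the session is over and the user must re-authenticate.
        raise RefreshError(response["error"])
    if response.get("token_type", "Bearer").lower() != "bearer":
        raise RefreshError("unexpected token_type")
    new_refresh = response.get("refresh_token") or current.refresh_token
    return TokenSet(
        access_token=response["access_token"],
        refresh_token=new_refresh,
        expires_at=now + int(response.get("expires_in", 0)),
    )


class FakeRotatingIdP:
    """Constructed stand-in for a token endpoint (hypothetical, not a real IdP).

    With rotate=True it issues a new refresh token on every refresh and revokes
    the old one, as the spec permits. With rotate=False it behaves like the
    non-rotating case and never returns refresh_token.
    """

    def __init__(self, rotate: bool):
        self.rotate = rotate
        self.valid = {"rt-0"}  # refresh tokens the IdP still accepts
        self.counter = 0

    def refresh(self, refresh_token: str) -> dict:
        if refresh_token not in self.valid:
            return {"error": "invalid_grant"}
        self.counter += 1
        resp = {"access_token": f"at-{self.counter}", "token_type": "Bearer", "expires_in": 3600}
        if self.rotate:
            self.valid.discard(refresh_token)  # old token revoked after rotation
            new_rt = f"rt-{self.counter}"
            self.valid.add(new_rt)
            resp["refresh_token"] = new_rt
        return resp


def run_refresh_cycle(idp: FakeRotatingIdP, rounds: int, conforming: bool = True) -> TokenSet:
    """Refresh `rounds` times; conforming=False models a client that ignores rotation."""
    tokens = TokenSet("at-0", "rt-0", 0.0)
    for i in range(rounds):
        resp = idp.refresh(tokens.refresh_token)
        updated = apply_refresh_response(tokens, resp, now=float(i))
        if not conforming:
            updated.refresh_token = tokens.refresh_token  # bug: keeps the revoked token
        tokens = updated
    return tokens


if __name__ == "__main__":
    print(run_refresh_cycle(FakeRotatingIdP(rotate=True), 3))   # rt-3 after 3 rotations
    print(run_refresh_cycle(FakeRotatingIdP(rotate=False), 3))  # rt-0 kept throughout
    try:
        run_refresh_cycle(FakeRotatingIdP(rotate=True), 2, conforming=False)
    except RefreshError as e:
        print("non-conforming client failed:", e)  # invalid_grant on 2nd refresh
```

The practical point for the client is in `apply_refresh_response`: persist whatever refresh token comes back, or the old one if none did, and treat `invalid_grant` on refresh as the end of the session rather than a transient error to retry.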
Checklist