I have an app that obtains 3 tokens from the AWS Cognito User Pool TOKEN endpoint using the Authorization Code Flow. It receives an ID_TOKEN, an ACCESS_TOKEN and a REFRESH_TOKEN.

The app uses the ID_TOKEN to obtain CognitoAWSCredentials on an Identity Pool:

using Amazon.CognitoIdentity; // AWSSDK.CognitoIdentity

// Exchange the User Pool ID token for temporary AWS credentials issued by the Identity Pool.
var credentials = new CognitoAWSCredentials(IdentityPoolId, Region);
credentials.AddLogin("cognito-idp.<region>.amazonaws.com/<UserPoolId>", ID_TOKEN); // login key = User Pool issuer host + pool id, no scheme

After some time the credentials stop working, and calling any method on an AWS Client throws NotAuthorizedException, as would be expected: the tokens expire after 1 hour.

It was my understanding that when a token expires, one can use the TOKEN endpoint again and pass the REFRESH_TOKEN to get back new tokens. That's useful: if it can be avoided, I'd rather not sign out the app user and force them to go through the OAuth authentication flow again.

So I've tried to refresh the token: HTTP POST to /oauth2/token, the same request headers as when I first obtained the tokens, but a slightly different request body: ?grant_type=refresh_token&client_id=xxx&refresh_token=xxx

and I get back an ID_TOKEN and ACCESS_TOKEN but no REFRESH_TOKEN.

1- Is that expected? Does that mean the same REFRESH_TOKEN is used after 2 hours to refresh a second time? Or is that a subtle clue the TOKEN endpoint is giving me that something went wrong with refreshing (a better clue would have been for the endpoint to return an error...)

2- The new ID_TOKEN when examined carefully, is identical to the old ID_TOKEN. Is that expected, why didn't the TOKEN endpoint return a new ID_TOKEN? (When I use that new ID_TOKEN to create new CognitoAWSCredentials, I get credentials that are useless. They throw exceptions the first time I access any AWS Client. Indeed they are already expired since the new ID_TOKEN is the old one.)

3- Should I be using the ACCESS_TOKEN instead of the ID_TOKEN, and how would I get CognitoAWSCredentials using an ACCESS_TOKEN?

4- CognitoAWSCredentials are actually RefreshingAWSCredentials, do those actually automatically refresh, how?

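The refresh-grant exchange the question describes, as an added example (not code from the question, from AWS, or from the AWS SDK). It assumes a hypothetical Cognito hosted-UI domain auth.example.com and app client id; if the app client has a client secret, the token endpoint expects it as HTTP Basic auth (client_id:client_secret), which is included as an option. The JWT payload is decoded only to read exp and decide when to refresh; nothing here verifies the signature, so these claims must not be used for authorization. The function also handles the two things the question observed: a response with no refresh_token (the old one is kept) and a returned id_token that is not newer than the one being replaced (treated as a failure instead of being handed to CognitoAWSCredentials). make_unsigned_jwt builds constructed, unsigned test tokens so the block runs offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/token"
REFRESH_SKEW_SECONDS = 60  # refresh this long before the id token actually expires


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token):
    """Return the claims of a JWT WITHOUT verifying its signature.

    Only use this to schedule refreshes. Authorization decisions need the
    signature checked against the User Pool's JWKS, which this does not do.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_jwt(claims):
    """Build an unsigned JWT-shaped string for offline testing.

    Constructed data, not a real Cognito token (real ones are RS256-signed).
    """
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none"}) + "." + seg(claims) + ".sig"


def build_refresh_request(domain, client_id, refresh_token, client_secret=None):
    """Return (url, body, headers) for the refresh_token grant against /oauth2/token."""
    url = "https://%s%s" % (domain, TOKEN_PATH)
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        # Confidential app clients authenticate to the token endpoint with HTTP Basic auth.
        cred = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
        headers["Authorization"] = "Basic " + cred
    return url, body, headers


def _http_post(url, body, headers):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def refresh_if_needed(tokens, domain, client_id, client_secret=None, post=_http_post, now=None):
    """Refresh the id/access tokens when the id token is about to expire.

    Returns (tokens, refreshed). `post` is injectable so the exchange can be
    exercised offline; `now` is an epoch timestamp override for tests.
    """
    now = time.time() if now is None else now
    old_exp = jwt_payload(tokens["id_token"])["exp"]
    if old_exp - now > REFRESH_SKEW_SECONDS:
        return tokens, False  # still fresh; keep using the current credentials

    url, body, headers = build_refresh_request(domain, client_id, tokens["refresh_token"], client_secret)
    resp = post(url, body, headers)
    if "id_token" not in resp or "access_token" not in resp:
        raise RuntimeError("token endpoint returned no tokens: %r" % (resp,))

    # Guard against the failure mode in the question: an id token that is not newer
    # than the one being replaced would yield already-expired AWS credentials.
    new_exp = jwt_payload(resp["id_token"])["exp"]
    if new_exp <= old_exp:
        raise RuntimeError("refreshed id token is not newer than the one being replaced")

    return {
        "id_token": resp["id_token"],
        "access_token": resp["access_token"],
        # If the endpoint omits refresh_token (as observed in the question), keep the old one.
        "refresh_token": resp.get("refresh_token", tokens["refresh_token"]),
    }, True
```

Call refresh_if_needed before every batch of AWS calls (or on NotAuthorizedException) and rebuild CognitoAWSCredentials with the returned id_token only when `refreshed` is true; the skew keeps the refresh ahead of the one-hour expiry rather than discovering it via an exception.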

1 Answer

Refresh tokens are used to refresh the id and access tokens, which are only valid for an hour. You can use the id token or the access token in your downstream services, although API Gateway, for example, requires you to pass in the id token.

And you should be using our official mobile SDKs when you're working with Cognito so as not to worry about refreshing tokens, since they will do that for you.