I have an app that obtains 3 tokens from the AWS Cognito User Pool TOKEN endpoint using the Authorization Code Flow. It receives an ID_TOKEN, an ACCESS_TOKEN and a REFRESH_TOKEN.
The app uses the ID_TOKEN to obtain CognitoAWSCredentials on an Identity Pool:

var credentials = new CognitoAWSCredentials(IdentityPoolId, Region);
credentials.AddLogin("cognito-idp.<region>.amazonaws.com/<UserPoolId>", ID_TOKEN);
After some time the credentials stop working, and calling any method on an AWS Client throws NotAuthorizedException, as would be expected: the tokens expire after 1 hour.
It was my understanding that when a token expires, one can use the TOKEN endpoint again and pass the REFRESH_TOKEN to get back new tokens. That would be useful: if it can be avoided, I'd rather not sign out the app user and force them to go through the OAuth authentication flow again.
So I've tried to refresh the token with an HTTP POST to /oauth2/token, using the same request header as when I first obtained the tokens but a slightly different request body:

?grant_type=refresh_token&client_id=xxx&refresh_token=xxx

and I get back an ID_TOKEN and an ACCESS_TOKEN, but no REFRESH_TOKEN.
1- Is that expected? Does that mean the same REFRESH_TOKEN is used after 2 hours to refresh a second time? Or is that a subtle clue from the TOKEN endpoint that something went wrong with refreshing? (A better clue would have been for the endpoint to return an error...)
2- The new ID_TOKEN, when examined carefully, is identical to the old ID_TOKEN. Is that expected? Why didn't the TOKEN endpoint return a new ID_TOKEN? (When I use that new ID_TOKEN to create new CognitoAWSCredentials, I get credentials that are useless. They throw exceptions the first time I access any AWS Client. Indeed they are already expired, since the new ID_TOKEN is the old one.)
3- Should I be using the ACCESS_TOKEN instead of the ID_TOKEN, and how would I get CognitoAWSCredentials using an ACCESS_TOKEN?
4- CognitoAWSCredentials are actually RefreshingAWSCredentials; do those actually refresh automatically, and how?
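As an added example that is not code from the question (written in Python rather than the asker's C#), this shows how to build the refresh_token grant request to the Cognito /oauth2/token endpoint and then check the reply: keep the stored REFRESH_TOKEN when the reply omits one, and compare the iat/exp claims of the old and new ID_TOKEN to tell whether a fresh token was actually issued. The token URL, client id, secret and the sample tokens are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(jwt: str) -> dict:
    """Payload claims WITHOUT signature verification: fine for inspecting exp/iat
    locally, never a basis for an authorization decision."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(b64url_decode(payload))

def build_refresh_request(token_url, client_id, refresh_token, client_secret=None):
    """Headers and form body for the refresh_token grant at Cognito's /oauth2/token.
    An app client that has a secret authenticates with HTTP Basic client_id:client_secret."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {basic}"
    body = urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "refresh_token": refresh_token}).encode()
    return token_url, headers, body

def merge_token_set(stored: dict, response: dict) -> dict:
    """Fold a token-endpoint reply into the stored set. A refresh reply may omit
    refresh_token; keeping the stored one preserves the ability to refresh again."""
    merged = dict(stored)
    for key in ("id_token", "access_token", "refresh_token", "expires_in", "token_type"):
        if key in response:
            merged[key] = response[key]
    return merged

def id_token_is_usable(id_token: str, now: int, skew: int = 60) -> bool:
    """True while exp is still in the future, allowing for clock skew."""
    return decode_claims(id_token).get("exp", 0) - skew > now

def id_token_was_reissued(old_id: str, new_id: str) -> bool:
    """A genuine refresh yields a different token with a later iat; the identical
    string coming back means no new token was issued (the symptom in the question)."""
    if old_id == new_id:
        return False
    return decode_claims(new_id).get("iat", 0) > decode_claims(old_id).get("iat", 0)

def sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for local testing; not a real Cognito token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])
```

Before rebuilding CognitoAWSCredentials from a refreshed reply, run id_token_was_reissued and id_token_is_usable on it; if the old ID_TOKEN came back, treat the refresh as failed rather than handing the stale token to AddLogin.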