oauth-2.0amazon-cognitorefresh-token

Aws Cognito Oauth2: Refresh token rotation


We're using Aws Cognito with Oauth 2.0 and we're wondering, if cognito supports Refresh Token Rotation according to the Oauth 2.0 specification (https://www.rfc-editor.org/rfc/rfc6819):

The basic idea is to change the refresh token value with every refresh request in order to detect attempts to obtain access tokens using old refresh tokens

When we're using the Aws .net sdk to refresh our tokens:

await user.StartWithRefreshTokenAuthAsync(authRequestRefresh).ConfigureAwait(false);

...we're not getting a new refresh token back. The only way to get a new refresh token, is by doing a new login:

await user.StartWithSrpAuthAsync(authRequest).ConfigureAwait(false);

Solution

  • Cognito doesn't support refresh token rotation. You can however change the number of days a refresh token stays valid for an app client.