Understanding the refresh token
You can use the refresh token to retrieve new ID and access tokens. By default, the refresh token expires 30 days after your application user signs into your user pool. When you create an application for your user pool, you can set the application's refresh token expiration to any value between 60 minutes and 10 years.
The Mobile SDK for iOS, Mobile SDK for Android, Amplify for iOS, Android, and Flutter automatically refresh your ID and access tokens if a valid (unexpired) refresh token is present. The ID and access tokens have a minimum remaining validity of 2 minutes. If the refresh token is expired, your app user must re-authenticate by signing in again to your user pool. If the minimum for the access token and ID token is set to 5 minutes, and you are using the SDK, the refresh token will be continually used to retrieve new access and ID tokens. You will see expected behavior with a minimum of 7 minutes instead of 5 minutes.
Your user's account itself doesn't expire, as long as the user has logged in at least once
before the UnusedAccountValidityDays
time limit for new accounts.
Getting new access and identity tokens with a refresh token
Use the API or managed login to initiate authentication for refresh tokens.
To use the refresh token to get new ID and access tokens with the user pools API, use
the AdminInitiateAuth or
InitiateAuth API operations.
Pass REFRESH_TOKEN_AUTH
for the AuthFlow
parameter. In the
AuthParameters
property of AuthFlow
, pass your user's refresh
token as the value of "REFRESH_TOKEN"
. Amazon Cognito returns new ID and access tokens
after your API request passes all challenges.
Note
To use the Amazon Cognito user pools API to refresh tokens for a managed login user, generate an
InitiateAuth
request with the REFRESH_TOKEN_AUTH
flow. This
method of token handling in your application doesn't affect users' managed login sessions.
The API response issues new ID and access tokens, but doesn't renew the managed login
session cookie.
You can also submit refresh tokens to the Token endpoint in a user pool where you have configured a domain. In the
request body, include a grant_type
value of refresh_token
and a
refresh_token
value of your user's refresh token.
Revoking refresh tokens
You can revoke refresh tokens that belong to a user. For more information about revoking tokens, see Ending user sessions with token revocation.
Note
Revoking the refresh token will revoke all ID and access tokens that Amazon Cognito issued from refresh requests with that token.
Users can sign out from all devices where they are currently signed in when you revoke
all of the user's tokens using the GlobalSignOut
and
AdminUserGlobalSignOut
API operations. After the user is signed out, the
following effects happen.
-
The user's refresh token can't get new tokens for the user.
-
The user's access token can't make token-authorized API requests.
-
The user must re-authenticate to get new tokens. Because managed login session cookies don't expire automatically, your user can re-authenticate with a session cookie, with no additional prompt for credentials. After you sign out your managed login users, redirect them to the Logout endpoint, where Amazon Cognito will clear their session cookie.
With refresh tokens, you can persist users' sessions in your app for a long time. Over
time, your users might want to deauthorize some devices where they have signed in,
continually refreshing their session. To sign your user out from a single device, revoke
their refresh token. When your user wants to sign themself out from all authenticated
sessions, generate a GlobalSignOut API request . Your app can present your user with a choice like
Sign out from all devices. GlobalSignOut
accepts a
user's valid–unaltered, unexpired, not-revoked–access token. Because this API
is token-authorized, one user can't use it to initiate sign-out for another user.
You can, however, generate an AdminUserGlobalSignOut API request that you authorize with your AWS credentials
to sign out any user from all of their devices. The administrator application must call this
API operation with AWS developer credentials and pass the user pool ID and the user's
username as parameters. The AdminUserGlobalSignOut
API can sign out any user in
the user pool.
For more information about requests that you can authorize with either AWS credentials or a user's access token, see Amazon Cognito user pools authenticated and unauthenticated API operations.