
Method initiateAuth does not return updated RefreshToken in response.

Open Mifrill opened this issue 3 years ago • 4 comments

Describe the bug

When initiateAuth called the AuthenticationResult does not contain RefreshToken.

import { CognitoIdentityProvider } from '@aws-sdk/client-cognito-identity-provider'

const client = new CognitoIdentityProvider({ region: 'eu-west-1' })
const results = await client.initiateAuth({
  AuthFlow: 'REFRESH_TOKEN',
  ClientId: clientId,
  AuthParameters: {
    REFRESH_TOKEN: refreshToken
  }
})

According to documentation https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html:

Response Syntax
{
   "AuthenticationResult": {
      "AccessToken": "string",
      "ExpiresIn": number,
      "IdToken": "string",
      "NewDeviceMetadata": {
         "DeviceGroupKey": "string",
         "DeviceKey": "string"
      },
      "RefreshToken": "string",
      "TokenType": "string"
   },
   "ChallengeName": "string",
   "ChallengeParameters": {
      "string" : "string"
   },
   "Session": "string"
}

It's Required: No

RefreshToken
The refresh token.

Type: String

Pattern: [A-Za-z0-9-_=.]+

Required: No

As I understand it, either we should not have a RefreshToken property in the response, or we should have it as a string but not undefined.

Expected Behavior

Expect a new RefreshToken.

Current Behavior

AuthenticationResult.RefreshToken === undefined

Reproduction Steps

https://github.com/Mifrill/bug-reproduce-aws-sdk-js-v3-missing-refresh-token

Follow the steps in README.md

Output:

{
  '$metadata': {
    httpStatusCode: 200,
    requestId: 'FILTERED_OUT',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  AuthenticationResult: {
    AccessToken: 'FILTERED_OUT',
    ExpiresIn: 3600,
    IdToken: 'FILTERED_OUT',
    NewDeviceMetadata: undefined,
    RefreshToken: undefined,
    TokenType: 'Bearer'
  },
  ChallengeName: undefined,
  ChallengeParameters: {},
  Session: undefined
}
--------------------------------------------------------------
Expect updated RefreshToken that !== process.env.REFRESH_TOKEN
--------------------------------------------------------------

Possible Solution

No response

Additional Information/Context

Possible duplicate of https://github.com/aws/aws-sdk-js-v3/issues/3548.

About note:

The example code you are trying to run looks like V2 of the JS SDK, but the package you're referring to is V3, so the error might be coming from there.

It's not clear how to send this request for the V3 version. I did try this way with no success: const client = new CognitoIdentityProvider({ region: 'eu-west-1', apiVersion: '2016-04-18' })

Note:

Apparently this is a bug in the AWS Cognito API. The docs say that InitiateAuth should return an updated RefreshToken, but it does not.

Source: https://stackoverflow.com/questions/55069851/how-to-get-refresh-token-auth-request-to-return-refreshtoken

SDK version used

"@aws-sdk/client-cognito-identity-provider": "3.130.0"

Environment details (OS name and version, etc.)

node -v v16.13.0

Mifrill avatar Jul 15 '22 13:07 Mifrill
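The practical consequence of the behaviour reported above is that a client must not overwrite its stored refresh token with `undefined`. The helper below is an added example, not code from the issue or from the SDK: it drives the REFRESH_TOKEN flow through any object exposing `initiateAuth(params)` (the SDK's `CognitoIdentityProvider` instance in real use; a stub is assumed here so it runs offline), keeps the previous refresh token when the response omits one, validates a returned token against the pattern quoted from the docs, and records when the access token expires. `SAMPLE_RESPONSE` is constructed to mirror the output posted in the issue.

```javascript
// Pattern for RefreshToken from the AuthenticationResultType docs quoted above.
const REFRESH_TOKEN_PATTERN = /^[A-Za-z0-9\-_=.]+$/;

// Merge an InitiateAuth response into the stored session; returns a new object.
function mergeRefreshedSession(stored, response, now = Date.now()) {
  const result = response && response.AuthenticationResult;
  if (!result || !result.AccessToken) {
    throw new Error('InitiateAuth returned no AuthenticationResult');
  }
  let refreshToken = stored.refreshToken; // keep the old one unless rotated
  let rotated = false;
  if (result.RefreshToken !== undefined) {
    if (!REFRESH_TOKEN_PATTERN.test(result.RefreshToken)) {
      throw new Error('RefreshToken does not match the documented pattern');
    }
    refreshToken = result.RefreshToken;
    rotated = refreshToken !== stored.refreshToken;
  }
  const expiresIn = typeof result.ExpiresIn === 'number' ? result.ExpiresIn : 3600;
  return {
    accessToken: result.AccessToken,
    idToken: result.IdToken,
    refreshToken,
    rotated,
    accessExpiresAt: now + expiresIn * 1000, // epoch ms
  };
}

// Run the REFRESH_TOKEN flow; `client` is assumed to expose initiateAuth(params).
async function refreshSession(client, clientId, stored, now = Date.now()) {
  const response = await client.initiateAuth({
    AuthFlow: 'REFRESH_TOKEN',
    ClientId: clientId,
    AuthParameters: { REFRESH_TOKEN: stored.refreshToken },
  });
  return mergeRefreshedSession(stored, response, now);
}

// Constructed sample shaped like the output in the issue (values are placeholders).
const SAMPLE_RESPONSE = {
  $metadata: { httpStatusCode: 200, attempts: 1, totalRetryDelay: 0 },
  AuthenticationResult: {
    AccessToken: 'FILTERED_OUT',
    ExpiresIn: 3600,
    IdToken: 'FILTERED_OUT',
    RefreshToken: undefined, // what the issue observes
    TokenType: 'Bearer',
  },
};
```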

Is there any update on this? I am also having this same issue. Same node version and "@aws-sdk/client-cognito-identity-provider": "3.145.0"

davidvpe avatar Aug 10 '22 20:08 davidvpe

I think I figured out why this is happening. This is my personal opinion; I am not stating this is how it's actually working.

When you set up your client you add the access token validity.

// CDK Code
const poolClient = userPool.addClient('AwesomePool', {
  ...otherProps,
  accessTokenValidity: Duration.days(1),
})

This is the duration that will be applied once the token is refreshed the first time.

To summarise...

  1. The token that gets returned when you call AdminInitAuth or InitAuth the first time is only valid for 1 hour and will come with a refresh token.
  2. If you use your refresh token, then you won't get another one, because the new token will be valid for the duration specified in accessTokenValidity. So in total, you will get

First time: 1 hour After refresh: 1 day (as per my cdk code)

Total: 25 hours of validity.

davidvpe avatar Aug 10 '22 21:08 davidvpe

Hi @Mifrill ,

I'm able to reproduce your experience and confirm that once initiateAuth with the REFRESH_TOKEN flow type has been supplied with a fresh refreshToken, we don't get a new refresh token, contrary to what the docs say:

REFRESH_TOKEN_AUTH/REFRESH_TOKEN: Authentication flow for refreshing the access token and ID token by supplying a valid refresh token.

[Screenshot attached by the commenter, 2022-08-26 11:31:19 AM]

Personal speculation: From my experience with the auth world, refresh tokens are not guaranteed. You not getting back a refresh token can be for many reasons. It is at the discretion of the auth server whether to provide a new token or not. Like @davidvpe mentioned, the token might be still too fresh for the auth server to return a new one contrary to docs.

I will pass it along to the team for further consideration.

RanVaknin avatar Aug 26 '22 18:08 RanVaknin

Hi @RanVaknin, thank you for letting me know. I hope it will be sorted soon by returning the refresh token according to the documentation :+1: .

Mifrill avatar Aug 26 '22 18:08 Mifrill