Refresh Token Rotation implementation
Is this related to a new or existing framework?
No response
Is this related to a new or existing API?
Authentication
Is this related to another service?
Cognito
Describe the feature you'd like to request
In April, the rotation of refresh tokens was added as a feature, as per this post: https://aws.amazon.com/about-aws/whats-new/2025/04/amazon-cognito-refresh-token-rotation/. Since it can now be used, let's implement it in the library.
Describe the solution you'd like
I suggest adding it to `fetchAuthSession({ forceRefresh: true })` or adding another parameter to make it happen.
Describe alternatives you've considered
Additional context
No response
Is this something that you'd be interested in working on?
- [ ] 👋 I may be able to implement this feature request
- [ ] ⚠️ This feature might incur a breaking change
Hi @Alevale ,
Thanks for reaching out! I will talk with the team internally and see what we can do. Will post updates as soon as we have any.
Just dropping by to say I'm looking forward to this being implemented.
Hey @sc0ttdav3y, we are still working on this and will get back to you once we have an update
We're also looking forward to this being implemented. May I ask if there are any updates, please?
Hello @hihilary. We cannot provide specific updates, but we are happy about your interest. We will let you know when we have more information.
Hey! Just adding to the other messages, we're looking forward to this being implemented too :)
Hi. We are also waiting for the implementation.
Hey, we released the change to support token rotation. To activate refresh token rotation you would need to make the changes through CDK:

```ts
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource'; // conventional Amplify Gen 2 path for the auth definition

const backend = defineBackend({
  auth
});

const { cfnResources } = backend.auth.resources;
const { cfnUserPoolClient } = cfnResources;

// Make sure you do not enable the `REFRESH_TOKEN_AUTH` flow:
// the list below deliberately omits `ALLOW_REFRESH_TOKEN_AUTH`.
cfnUserPoolClient.explicitAuthFlows = [
  "ALLOW_USER_PASSWORD_AUTH",
  "ALLOW_USER_SRP_AUTH",
  "ALLOW_CUSTOM_AUTH"
];

// Turn rotation on; retryGracePeriodSeconds is how long the superseded
// refresh token is still accepted after a rotation (for retried refreshes).
cfnUserPoolClient.refreshTokenRotation = {
  feature: "ENABLED",
  retryGracePeriodSeconds: 60
};
```
or directly through the Cognito Console. Before we update the docs we want to wait until backend officially supports this.
Please note:
- This will not work for older clients which still use `REFRESH_TOKEN_AUTH`. This is mostly a problem on React Native and mobile apps.
- Make sure to use version >= [email protected] (see the release details).
Will close this ticket. Please feel free to re-open if you have any questions or encounter any issues.
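A pre-deploy check over the two app client properties set in the comment above, as an added example that is not part of amplify-js or the Amplify backend: the settings type, the `checkRefreshTokenRotation` function and both sample clients are constructed here, and the 0-60 second bound on `retryGracePeriodSeconds` is the valid range from the Cognito API reference.

```typescript
type RotationFeature = "ENABLED" | "DISABLED";

// Constructed type mirroring the CfnUserPoolClient props used in the comment above.
interface UserPoolClientSettings {
  explicitAuthFlows: string[];
  refreshTokenRotation?: { feature: RotationFeature; retryGracePeriodSeconds?: number };
}

// Returns a list of findings; an empty list means the app client matches the
// configuration described above (rotation on, legacy refresh flow off, sane grace period).
function checkRefreshTokenRotation(client: UserPoolClientSettings): string[] {
  const findings: string[] = [];
  const rotation = client.refreshTokenRotation;

  if (!rotation || rotation.feature !== "ENABLED") {
    findings.push("refreshTokenRotation.feature is not ENABLED: refresh tokens stay reusable until they expire");
    return findings;
  }
  if (client.explicitAuthFlows.includes("ALLOW_REFRESH_TOKEN_AUTH")) {
    findings.push("ALLOW_REFRESH_TOKEN_AUTH is enabled: clients can still use the legacy REFRESH_TOKEN_AUTH flow, which the comment above says to leave disabled");
  }
  const grace = rotation.retryGracePeriodSeconds ?? 0;
  if (!Number.isInteger(grace) || grace < 0 || grace > 60) {
    findings.push(`retryGracePeriodSeconds=${grace} is outside the 0-60 second range Cognito accepts`);
  }
  return findings;
}

// Constructed sample: the app client settings from the comment above.
const recommendedClient: UserPoolClientSettings = {
  explicitAuthFlows: ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_CUSTOM_AUTH"],
  refreshTokenRotation: { feature: "ENABLED", retryGracePeriodSeconds: 60 },
};

// Constructed sample: rotation turned on, but the legacy flow is still allowed
// and the grace period is out of range.
const legacyFlowClient: UserPoolClientSettings = {
  explicitAuthFlows: ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
  refreshTokenRotation: { feature: "ENABLED", retryGracePeriodSeconds: 120 },
};
```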
@osama-rizk "Quick question" on this, is there any official documentation on how to implement this?
I'm looking to implement this on the FE client, but IDK if the implementation highlighted in https://github.com/aws-amplify/amplify-js/issues/14396#issuecomment-3112643889 would work, since we don't have a backend client and we go to AWS directly from the FE.
AFAIK in the client code it all depends on how it was specified in the AwsConfig (following snippet):

```ts
export const AwsConfig = {
  'Auth': {
    'Cognito': {
      'userPoolId': 'XXX',
      'userPoolClientId': 'YYY',
      'mandatorySignIn': false,
      'signUpVerificationMethod': 'code',
      'authenticationFlowType': 'CUSTOM_AUTH',
      'loginWith': {
        'oauth': {
          'domain': 'dev.auth.eu-central-1.amazoncognito.com',
          'scopes': [
            'email',
            'openid',
            'phone',
            'profile'
          ],
          'redirectSignIn': [
            'http://localhost:8080/apps/login',
            'https://example.com/apps/login'
          ],
          'redirectSignOut': [
            'http://localhost:8080/apps/logout',
            'https://example.com/apps/logout'
          ],
          'responseType': 'code'
        }
      }
    }
  }
}
```
which then gets passed to `Amplify.configure(awsConfig);`
Once Amplify has been set up, the tokens can be retrieved with:

```ts
const authSession = await fetchAuthSession();
const { accessToken, idToken } = authSession.tokens ?? {};
```
Am I missing something?
Alright, I see that the option "Enable refresh token rotation" has been added to the console, which I guess is the way to do it on the AWS side, and then if using [email protected] or higher it would happen automatically, right?