
ADMIN_NO_SRP_AUTH + Rotating Refresh Tokens --> Invalid Refresh Token

Open enchorb opened this issue 6 months ago • 2 comments

Checkboxes for prior research

Describe the bug

Refresh token from ADMIN_NO_SRP_AUTH does not work with rotating refresh tokens (getTokensFromRefreshToken). Get the error NotAuthorizedException - Invalid Refresh Token.

Regression Issue

  • [ ] Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/[email protected]

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v22.16.0

Reproduction Steps

Pass refresh token from cognitoIdentityProvider.adminInitiateAuth({ AuthFlow: 'ADMIN_NO_SRP_AUTH', ... }) to cognitoIdentityProvider.getTokensFromRefreshToken

Observed Behavior

 err: {
      "type": "NotAuthorizedException",
      "message": "Invalid Refresh Token.",
      "stack":
          NotAuthorizedException: Invalid Refresh Token.
              at de_NotAuthorizedExceptionRes (D:\Code\node_modules\@aws-sdk\client-cognito-identity-provider\dist-cjs\index.js:4792:21)
              at de_CommandError (D:\Code\node_modules\@aws-sdk\client-cognito-identity-provider\dist-cjs\index.js:4419:19)
              at processTicksAndRejections (node:internal/process/task_queues:105:5)
              at D:\Code\node_modules\@smithy\middleware-serde\dist-cjs\index.js:36:20
              at D:\Code\node_modules\@smithy\core\dist-cjs\index.js:193:18
              at D:\Code\node_modules\@smithy\middleware-retry\dist-cjs\index.js:320:38
              at data (D:\Code\node_modules\@aws-sdk\middleware-logger\dist-cjs\index.js:33:22)
              at data (D:\\Code\\dist\apps\backend\flow\webpack:\libs\core\src\functions\utils.ts:40:9)
              at t.tokenHandler (D:\\Code\\dist\apps\backend\flow\webpack:\libs\backend\auth\src\handlers\oauth.ts:319:11)
      "name": "NotAuthorizedException",
      "$fault": "client",
      "$metadata": {
        "httpStatusCode": 400,
        "requestId": "2c81fed1-47e1-49b3-9a34-29a5840bc256",
        "attempts": 1,
        "totalRetryDelay": 0
      },
      "__type": "NotAuthorizedException"
    }

Expected Behavior

Refresh token works

Possible Solution

No response

Additional Information/Context

No response

enchorb avatar Jun 28 '25 16:06 enchorb
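The reproduction steps above, written out as an added example that is not code from the issue or from the AWS SDK: login through ADMIN_NO_SRP_AUTH, hand the returned refresh token to GetTokensFromRefreshToken, and treat the 400 NotAuthorizedException the way a backend should (drop the stored token and require a full login rather than retrying). A duck-typed `send` stands in for `client.send(new XCommand(input))` so the block runs offline; the input field names (UserPoolId, ClientId, AuthFlow, AuthParameters, RefreshToken, ClientMetadata) are assumptions about the Cognito API, and the fake client is constructed to mirror the error in the report.

```javascript
// Added example, not from the issue or the SDK. `client.send(cmd)` stands in
// for `client.send(new XCommand(input))` from
// @aws-sdk/client-cognito-identity-provider. Field names are assumptions.

// Input for AdminInitiateAuth with the ADMIN_NO_SRP_AUTH flow.
function adminNoSrpAuthInput({ userPoolId, clientId, username, password, clientMetadata }) {
  return {
    name: "AdminInitiateAuth",
    input: {
      UserPoolId: userPoolId,
      ClientId: clientId,
      AuthFlow: "ADMIN_NO_SRP_AUTH",
      AuthParameters: { USERNAME: username, PASSWORD: password },
      ClientMetadata: clientMetadata,
    },
  };
}

// Input for GetTokensFromRefreshToken (rotating refresh tokens).
function getTokensFromRefreshTokenInput({ clientId, refreshToken, clientMetadata }) {
  return {
    name: "GetTokensFromRefreshToken",
    input: { ClientId: clientId, RefreshToken: refreshToken, ClientMetadata: clientMetadata },
  };
}

// Decide how to react to a failed refresh. NotAuthorizedException with
// $fault "client" (HTTP 400, as in the report) means Cognito rejected the
// token itself, so resending the same token cannot succeed: tear the session
// down and send the user through the full login again. Server faults may
// be retried; anything else is surfaced as a hard failure.
function classifyRefreshError(err) {
  if (err && err.name === "NotAuthorizedException" && err.$fault === "client") {
    return "reauthenticate";
  }
  if (err && err.$fault === "server") {
    return "retry";
  }
  return "fail";
}

// Log in, then attempt one rotating refresh. Returns a plain result object
// instead of throwing so the caller can persist or drop tokens deterministically.
async function loginThenRefresh(client, creds) {
  const login = await client.send(adminNoSrpAuthInput(creds));
  const { RefreshToken } = login.AuthenticationResult;
  try {
    const refreshed = await client.send(
      getTokensFromRefreshTokenInput({
        clientId: creds.clientId,
        refreshToken: RefreshToken,
        clientMetadata: creds.clientMetadata,
      })
    );
    return { status: "refreshed", tokens: refreshed.AuthenticationResult, error: null };
  } catch (err) {
    const action = classifyRefreshError(err);
    // On "reauthenticate" the stored tokens are discarded and never retried.
    return {
      status: action,
      tokens: action === "reauthenticate" ? null : login.AuthenticationResult,
      error: err.name,
    };
  }
}

// Constructed fake client reproducing the behaviour in the report: login
// succeeds, the rotating refresh is rejected with a client-side 400.
function fakeClientFromReport() {
  return {
    async send(cmd) {
      if (cmd.name === "AdminInitiateAuth") {
        return {
          AuthenticationResult: {
            AccessToken: "access.constructed",
            IdToken: "id.constructed",
            RefreshToken: "refresh.constructed",
          },
        };
      }
      if (cmd.name === "GetTokensFromRefreshToken") {
        const err = new Error("Invalid Refresh Token.");
        err.name = "NotAuthorizedException";
        err.$fault = "client";
        err.$metadata = { httpStatusCode: 400, attempts: 1, totalRetryDelay: 0 };
        throw err;
      }
      throw new Error("unexpected command " + cmd.name);
    },
  };
}
```

Against a real `CognitoIdentityProviderClient` the same `loginThenRefresh` is used with a thin adapter that maps `cmd.name` to the corresponding command class; the point of the classification is that a 400 on refresh is a terminal condition for that session, not something to retry.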

Hi @enchorb - thanks for reaching out.

This error typically occurs because of how refresh tokens work with Cognito's different authentication flows. When using ADMIN_NO_SRP_AUTH, you should use adminInitiateAuth followed by adminRespondToAuthChallenge for refreshing tokens, not getTokensFromRefreshToken.

If you're still getting the error, check:

  • The refresh token's validity
  • Whether token rotation is enabled in your user pool
  • The app client settings in Cognito to ensure refresh tokens are allowed

aBurmeseDev avatar Jul 06 '25 08:07 aBurmeseDev

When passing in the refresh token to cognitoIdentityProvider.adminInitiateAuth({AuthFlow: 'REFRESH_TOKEN', ...}) we get the error UnsupportedOperationException - "This API does not support refresh token rotation." Also from initial testing it doesn't look like adminInitiateAuth passes along the ClientMetadata to the pre_token_generation lambda while getTokensFromRefreshToken does.

enchorb avatar Jul 06 '25 18:07 enchorb