Cognito user pool (with device tracking ON): Session refresh fails with error - "Invalid Refresh Token" #1789

@Rimsha-Naaz

Issue
Using refresh token with Cognito user pool in an attempt to fetch new ID and access token fails, despite sending device key in the request. The user pool has device tracking enabled. The refresh token is still valid for another 30 days in this particular instance (it works when I switch OFF device tracking on the user pool).

What was attempted
I am trying to retrieve new ID and access tokens using a Cognito refresh token, through the InitiateAuth API. The user pool on Cognito has device tracking enabled. Based on this SO answer and this AWS forums discussion, I added the DEVICE_KEY parameter for the REFRESH_TOKEN_AUTH auth flow. As per the documentation, I don't see any other required AuthParameters in the request.

The initiate auth payload being sent out is as follows (refresh token is truncated, device key and client id are masked):

Initiating refresh request:

```json
{
  "AuthFlow" : "REFRESH_TOKEN_AUTH",
  "AuthParameters" : {
    "DEVICE_KEY" : "us-east-1_11111111-1111-111a-1111-11a1111bc0",
    "REFRESH_TOKEN" : "eyJjdHkiOiJKV1QiLC..."
  },
  "ClientId" : "123abcdefghi123"
}
```

Result
NotAuthorizedException - Invalid Refresh Token

What else was attempted
When I disabled device tracking on the Cognito user pool, the refresh token works fine and is able to retrieve new access/ID tokens.

#851
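
A local pre-flight check for the request shown in the post, added here as an example and not code from the issue author or the SDK. It assumes the access token from the sign-in that issued the refresh token is still at hand and carries Cognito's `device_key` and `client_id` claims; the helper names and the sample token are constructed for illustration.

```python
import base64
import json


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_refresh_request(request, access_token):
    """List mismatches between a REFRESH_TOKEN_AUTH request and the access
    token issued by the same sign-in as the refresh token."""
    claims = jwt_claims(access_token)
    params = request.get("AuthParameters", {})
    problems = []
    if request.get("AuthFlow") != "REFRESH_TOKEN_AUTH":
        problems.append("AuthFlow is not REFRESH_TOKEN_AUTH")
    if not params.get("REFRESH_TOKEN"):
        problems.append("REFRESH_TOKEN missing")
    sent, issued = params.get("DEVICE_KEY"), claims.get("device_key")
    if issued is None:
        problems.append("access token has no device_key claim")
    elif sent != issued:
        problems.append(f"DEVICE_KEY {sent!r} differs from token device_key {issued!r}")
    if request.get("ClientId") != claims.get("client_id"):
        problems.append("ClientId differs from token client_id")
    return problems


def _constructed_token(claims):
    # Constructed, unsigned sample token; not a real Cognito token.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


SAMPLE_REQUEST = {  # values mirror the masked payload in the post
    "AuthFlow": "REFRESH_TOKEN_AUTH",
    "AuthParameters": {
        "DEVICE_KEY": "us-east-1_11111111-1111-111a-1111-11a1111bc0",
        "REFRESH_TOKEN": "eyJjdHkiOiJKV1QiLC...",
    },
    "ClientId": "123abcdefghi123",
}

if __name__ == "__main__":
    tok = _constructed_token({"token_use": "access", "client_id": "123abcdefghi123",
                              "device_key": "us-east-1_22222222-constructed"})
    print(check_refresh_request(SAMPLE_REQUEST, tok))
```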
