How to modify expiry time of the access and identity tokens for AWS Cognito User Pools

Amazon Web-ServicesAmazon CognitoAws Cognito

Amazon Web-Services Problem Overview

I can't find any documentation which explains if and how to modify the expiry time of access and identity tokens for AWS Cognito User Pools.

The documentation specifies that by default expires 1h after the emission.

Is there a way to modify the expiry time?

Amazon Web-Services Solutions

Solution 1 - Amazon Web-Services

As of August 12,2020, AWS has announced that user pools now supports customization of token expiration. Here are the steps to follow:

  1. Open your AWS Cognito console.
  2. Go to General Settings.
  3. Scroll down to App clients and click edit.
  4. Click on Show Details button to see the customization options like below: Token Expiry Customization Screen

> Access token expiration must be between 5 minutes and 1 day. Cannot be greater than refresh token expiration.

For further detail on AWS cognito you can follow this link.

Solution 2 - Amazon Web-Services

This is currently not possible to configure for your user pool. They are set to one hour for everyone.

Edit: see Mike's comment, this has recently been added.

Solution 3 - Amazon Web-Services

Clarification: this reply is about access token (not refresh token)

You can configure token expiration from cognito console General Settings / App Clients / {your app} / Show Details / Refresh token expiration (days)

> https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html > > By default, the refresh token expires 30 days after your app user > signs in to your user pool. When you create an app for your user pool, > you can set the app's refresh token expiration (in days) to any value > between 1 and 3650.

It seems that currently for the web client there is no option for something less than a day (quite strange).

If you use Mobile SDK then

> https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html > > The Mobile SDK for Android offers the option to change the minimum > validity period of the ID and access tokens to a value between 0 and > 30 minutes. See the setRefreshThreshold() method of > CognitoIdentityProviderClientConfig in the AWS Mobile SDK for Android > API Reference.

Solution 4 - Amazon Web-Services

I presume the question is how to get get granular control of Cognito session termination. There is a way to do this. But first lets recap how Cognito session management works:

  1. Auth tokens expire after an hour.
  2. A new auth token may be requested upon the issuance of a refresh token.
  3. After 1 to 30 days, Cognito will not issue a refresh token - the number of days is configured per app, in the App Client Settings.

So what can you to to get better control of Cognito session length? The answer is to insert a filter in your http request stack that evaluates the request - if the user must be logged out for whatever reason, issue a 302 redirect to the Cognito logout endpoint (and clear your session cookies too).

This is what we do in Kubernetes with Envoy (using a proxy), and also Spring. It also allows you to wire in logic that immediately revokes access to a user before their 1 hour access token expires.

See https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html

Solution 5 - Amazon Web-Services

If you are using CloudFormation template, add the following attribute and specify in days (although the official docs say that it defaults to hours) how long the access token should be valid. Here is an example where Access Token is valid for 24 days.

UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
        ClientName: myuserpoolclient
        GenerateSecret: true
        UserPoolId: !Ref YourUserPool
        AccessTokenValidity: 24

Documentation: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html#CognitoUserPools-CreateUserPoolClient-request-AccessTokenValidity

Solution 6 - Amazon Web-Services

Cognito uses the OAuth 2.0 Specification. In order to renew an expired token, you will need to use the Refresh Token value to get a new Id Token.

  1. To get authenticated at the start the user id and password are collected from the user and sent to Cognito.
  2. You get back two tokens. One you use to "access" the API and one you use to "refresh" when the access expires.
  3. You don't need to ask the user to input a user id and password again; you just need to use the "refresh" token.
  4. You don't need to store the clear text of the password (which would create a security risk) because the "refresh" token will get you a new access token.

It's really quite simple. Further information in the Cognito documentation to Refresh Tokens

Categories
Recommended Amazon Web-Services Solutions
Recommended Amazon Cognito Solutions
Recommended Aws Cognito Solutions

Previous Solution:

Unsupported Media Type in postman

SpringSpring SecurityJwtSpring Security-Oauth2

Next Solution:

SameSite cookie in Java application

JavaCookiesCsrfFlags

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionLucaView Question on Stackoverflow
Solution 1 - Amazon Web-ServicesHaziqView Answer on Stackoverflow
Solution 2 - Amazon Web-ServicesJeff BaileyView Answer on Stackoverflow
Solution 3 - Amazon Web-ServicesNeilView Answer on Stackoverflow
Solution 4 - Amazon Web-ServicesRori StumpfView Answer on Stackoverflow
Solution 5 - Amazon Web-ServicesIhor ShyloView Answer on Stackoverflow
Solution 6 - Amazon Web-ServicesGuillermo GarciaView Answer on Stackoverflow