I want to troubleshoot an "Invalid Refresh Token" error in my Amazon Cognito user pool API.
Resolution
You used a different app client ID than the refresh token
When a user authenticates with the AdminInitiateAuth API, the InitiateAuth API, or the hosted UI, the app client ID serves as the ClientId parameter. If you use a different app client ID than the one that issued the refresh token, then the API returns an "Invalid Refresh Token" error.
To resolve this error, use the same app client ID that issued the original refresh token when you call the AdminInitiateAuth or InitiateAuth API.
You have an unconfirmed device with device tracking on
If you turn on device tracking for a user pool but don't confirm the device, then you receive the "Invalid Refresh Token" error when you try to get new tokens.
To resolve this error, call the ConfirmDevice API to confirm the device and begin device tracking. Then, use the refresh token to get new access and ID tokens. For more information, see Setting up remembered devices.
You have a missing device key in the authentication parameters
When you turn on device tracking for a user pool, Amazon Cognito returns a unique device key after successful authentication. To get new tokens with a refresh token, include the device key in the following authentication request:
{
    "AuthFlow": "REFRESH_TOKEN_AUTH",
    "AuthParameters": {
        "REFRESH_TOKEN": "example_refresh_token",
        "SECRET_HASH": "example_secret_hash",
        "DEVICE_KEY": "example_device_key"
    }
}
Note: Replace example_refresh_token, example_secret_hash, and example_device_key with your own values.
If your app client uses a client secret, then include the SECRET_HASH parameter in the AuthParameters. This verifies that the request comes from your application.
If the device key isn't passed as one of the AuthParameters, then you receive the "Invalid Refresh Token" error. To resolve the error, make sure to include the DEVICE_KEY parameter in the AuthParameters when you call the AdminInitiateAuth or InitiateAuth API.
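The three request-side causes above (a different app client ID than the one that issued the tokens, a missing SECRET_HASH, and a missing DEVICE_KEY) can all be caught before the refresh call is sent. The following is an added example, not code from this article or from AWS: it computes SECRET_HASH as Base64(HMAC-SHA256(key = client secret, message = username + client ID)), builds the REFRESH_TOKEN_AUTH request body shown above, and compares the client_id claim of the access token that was issued alongside the refresh token with the app client ID you are about to use. The client ID, secret, username, device key and the unsigned sample access token are constructed values; the send_refresh function assumes boto3 is installed and is the only part that needs network access.

```python
import base64
import hashlib
import hmac
import json


def compute_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).

    Required in AuthParameters whenever the app client has a client secret.
    """
    msg = (username + client_id).encode("utf-8")
    digest = hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_refresh_request(client_id, refresh_token, username, client_secret=None, device_key=None):
    """Build the InitiateAuth request body for the REFRESH_TOKEN_AUTH flow.

    DEVICE_KEY is mandatory when device tracking is on for the pool, and SECRET_HASH
    is mandatory when the app client has a secret; leaving either out is one of the
    causes of the "Invalid Refresh Token" error.
    """
    params = {"REFRESH_TOKEN": refresh_token}
    if client_secret is not None:
        params["SECRET_HASH"] = compute_secret_hash(username, client_id, client_secret)
    if device_key is not None:
        params["DEVICE_KEY"] = device_key
    return {"AuthFlow": "REFRESH_TOKEN_AUTH", "ClientId": client_id, "AuthParameters": params}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issuing_client_id(access_token: str):
    """Return the client_id claim of the access token issued with the refresh token.

    The refresh token itself is opaque, so the access token is where the issuing
    app client is recorded. The payload is decoded without signature verification
    because it is only compared against our own configured client ID here; it is
    not used to make an authorization decision.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return payload.get("client_id")


def client_id_matches(access_token: str, configured_client_id: str) -> bool:
    """True when the app client we plan to call with is the one that issued the tokens."""
    return issuing_client_id(access_token) == configured_client_id


def _constructed_access_token(client_id: str) -> str:
    """Constructed, unsigned sample token for offline demonstration only (hypothetical)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256'})}.{seg({'client_id': client_id, 'token_use': 'access'})}.constructed-signature"


def send_refresh(request: dict, region: str = "us-east-1"):
    """Send the request with boto3 (assumed SDK; imported lazily so the rest runs offline)."""
    import boto3
    client = boto3.client("cognito-idp", region_name=region)
    return client.initiate_auth(**request)


if __name__ == "__main__":
    # Constructed sample values; replace with your own app client settings.
    client_id = "1example23456789"
    client_secret = "example-client-secret"
    username = "alice"
    stored_access_token = _constructed_access_token(client_id)

    if not client_id_matches(stored_access_token, client_id):
        raise SystemExit("tokens were issued by a different app client; refresh would fail")

    request = build_refresh_request(
        client_id, "example_refresh_token", username,
        client_secret=client_secret, device_key="example_device_key",
    )
    print(json.dumps(request, indent=2))
```

Keep the stored access token (or its client_id claim) next to the refresh token so the mismatch check can run against it; if your app client has no secret, pass client_secret=None and the SECRET_HASH parameter is left out, which is what Cognito expects in that case.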
You have device tracking on, but use USER_PASSWORD_AUTH authentication flow
When you use the USER_PASSWORD_AUTH authentication flow with device tracking turned on for the user pool, you receive the access, ID, and refresh tokens. However, if you attempt to get new tokens with the refresh token, then you receive the "Invalid Refresh Token" error. The USER_PASSWORD_AUTH flow doesn't support token refresh when device tracking is turned on.
To resolve this error, use the USER_SRP_AUTH authentication flow and then refresh the tokens.
Related information
Refresh tokens
Authentication with Amazon Cognito user pools
Application-specific settings with app clients
Tracking and remembering devices using Amazon Cognito Your User Pools