How do I troubleshoot an "Invalid Refresh Token" error from my Amazon Cognito user pool API?


I need information about how to troubleshoot the "Invalid Refresh Token" error that's returned by the Amazon Cognito user pool API.

Short description

Refresh tokens issued by an Amazon Cognito user pool are used to retrieve new access and ID tokens. A request for a new access and ID token using the refresh token might fail with an "Invalid Refresh Token" error for the following reasons:

  • You're using a different app client ID than the one that issued the refresh token.
  • Your device tracking is turned on and the device isn't confirmed with the ConfirmDevice API.
  • Your device tracking is turned on and you aren't passing a device key as AuthParameters in the AdminInitiateAuth or InitiateAuth API.
  • Your device tracking is turned on and you obtained a refresh token using the USER_PASSWORD_AUTH authentication flow.

Resolution

You're using a different app client ID than the one that issued the refresh token

When a user authenticates using the AdminInitiateAuth API, the InitiateAuth API, or the hosted UI, the app client ID is used as the ClientId parameter. You must use the same app client ID to refresh the tokens using the AdminInitiateAuth or InitiateAuth API.

If you use a different app client ID, then the API call to refresh the tokens fails with the "Invalid Refresh Token" error.

Your device tracking is turned on and the device isn't confirmed with the ConfirmDevice API

When device tracking is turned on for a user pool, you must call the ConfirmDevice API to confirm the device and begin device tracking. When you confirm the device, you can then use the refresh token to get new access and ID tokens.

For more information, see How do I use remembered devices in my Amazon Cognito user pool?

If you don't confirm the device, and you call the AdminInitiateAuth or InitiateAuth API for new tokens, then you receive the "Invalid Refresh Token" error.

Your device tracking is turned on and you aren't passing a device key as AuthParameters in the AdminInitiateAuth or InitiateAuth API

When you turn on device tracking for a user pool, a unique device key is returned after successfully authenticating. When you try to get new tokens using the refresh token, you must pass the device key as AuthParameters in the AdminInitiateAuth or InitiateAuth API.

Note: Replace example_refresh_token, example_secret_hash, and example_device_key with your own values.

{
  "AuthFlow": "REFRESH_TOKEN_AUTH",
  "AuthParameters": {
    "REFRESH_TOKEN": "example_refresh_token",
    "SECRET_HASH": "example_secret_hash",  
    "DEVICE_KEY": "example_device_key"
  }
}

The SECRET_HASH is one of the required AuthParameters when your app client is configured with a client secret.

If the device key isn't passed as one of the AuthParameters, you receive the "Invalid Refresh Token" error.
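The following added example (not from the article or the AWS SDK) builds the REFRESH_TOKEN_AUTH request shown above in Python, computes SECRET_HASH the way Cognito requires it (Base64 of HMAC-SHA256 over username + app client ID, keyed with the client secret), and adds a local check for the first cause in this article: that the ClientId you refresh with equals the client_id claim in the access token issued at sign-in. All values and the sample token are constructed placeholders; jwt_claims reads the payload without verifying the signature and is for diagnostics only.

```python
import base64
import hashlib
import hmac
import json


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    msg = (username + client_id).encode("utf-8")
    mac = hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def refresh_request(client_id, refresh_token, username=None, client_secret=None, device_key=None):
    """REFRESH_TOKEN_AUTH kwargs; ClientId must be the app client that issued the refresh token."""
    params = {"REFRESH_TOKEN": refresh_token}
    if client_secret:  # SECRET_HASH is required only when the app client has a client secret
        if not username:
            raise ValueError("username is required to compute SECRET_HASH")
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    if device_key:  # required when device tracking is on; returned at the initial sign-in
        params["DEVICE_KEY"] = device_key
    return {"AuthFlow": "REFRESH_TOKEN_AUTH", "ClientId": client_id, "AuthParameters": params}


def jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying it: for local troubleshooting only, never for trust."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def client_id_matches(access_token: str, client_id: str) -> bool:
    """Pre-flight check: the access token's client_id claim must equal the ClientId used to refresh."""
    return jwt_claims(access_token).get("client_id") == client_id


def sample_access_token(client_id: str) -> str:
    """Constructed, unsigned JWT-shaped string so the check above can run offline."""
    def b64url(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    body = json.dumps({"client_id": client_id, "token_use": "access"}).encode("utf-8")
    return ".".join([b64url(b'{"alg":"none"}'), b64url(body), ""])  # empty signature segment


if __name__ == "__main__":  # placeholder values as in the article
    req = refresh_request("example_client_id", "example_refresh_token",
                          "example_user", "example_secret", "example_device_key")
    print(json.dumps(req, indent=2))  # send with boto3.client("cognito-idp").initiate_auth(**req)
```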

Your device tracking is turned on and you obtained a refresh token using the USER_PASSWORD_AUTH authentication flow

The user pool device tracking feature can only be used with the USER_SRP_AUTH authentication flow. The initial authentication using the AdminInitiateAuth API, the InitiateAuth API, or the hosted UI must use the USER_SRP_AUTH flow.

When you use the USER_PASSWORD_AUTH authentication flow, you receive the access, ID, and refresh tokens. But, when you attempt to get new tokens using the refresh token, you receive the "Invalid Refresh Token" error.


AWS OFFICIAL. Updated a year ago.