Using Cognito refresh token

0

Hi, I am using Cognito (not hosted UI) for authentication. When I log in with username and password I can store the access token in a cookie, but I am not able to store the refresh token in a cookie. This is the code:

refresh_token = response['AuthenticationResult']['RefreshToken']
access_token = response['AuthenticationResult']['AccessToken']

headers = {
    'Location': '/Prod/auth/profile',
    'Set-Cookie': f'refresh_token={refresh_token}; Path=/; Secure; HttpOnly',
    'Set-Cookie': f'access_token={access_token}; Path=/; Secure; HttpOnly',
}

But like I said, this code just puts access_token. I tried a lot of variants but I am not able to. How do you handle this?

Moreover, how do you handle the refresh token? Like me (putting it in a cookie)?

2 Answers
0

Hi,

First of all, have you checked that the response contains the refresh_token before setting it in the cookie? On the other hand, which authentication flow are you using? Note that no refresh token is returned during an implicit grant type.

Expert
answered a year ago
0

I just pass username and password to this function in my Lambda:

import boto3

def authenticate_user(username, password):
    client = boto3.client('cognito-idp')

    response = client.initiate_auth(
        ClientId='MyclientId',
        AuthFlow='USER_PASSWORD_AUTH',
        AuthParameters={
            'USERNAME': username,  # Use the appropriate attribute for username
            'PASSWORD': password
        }
    )
    return response

Then I take tokens from the response as follows:

def get_tokens(response):

    if response.get('AuthenticationResult'):
        access_token = response['AuthenticationResult']['AccessToken']
        id_token = response['AuthenticationResult']['IdToken']
        refresh_token = response['AuthenticationResult'].get('RefreshToken')
        return {
            'access_token': access_token,
            'id_token': id_token,
            'refresh_token': refresh_token
        }
    else:
        print("Login unsuccessful")
        return None

And after getting tokens I redirect the user to the profile page and want to save the tokens as cookies:

import os

def redirect_to_profile(refresh_token, access_token):
    path = os.path.join(os.getcwd(), "templates", "profile.html")
    with open(path, "r") as f:
        contents = f.read()

    headers = {
        'Location': '/Prod/auth/profile',
        'Set-Cookie': f'refresh_token={refresh_token}; Path=/; Secure; HttpOnly',
        'Set-Cookie': f'access_token={access_token}; Path=/; Secure; HttpOnly',
    }

    return {
        'statusCode': 302,
        'headers': headers,
        'body': contents
    }

But like I said, here just the last token can be stored as a cookie: access_token for above and refresh token for below.

headers = {
    'Location': '/Prod/auth/profile',
    'Set-Cookie': f'access_token={access_token}; Path=/; Secure; HttpOnly',
    'Set-Cookie': f'refresh_token={refresh_token}; Path=/; Secure; HttpOnly',
}

I just want to store all tokens... And by the way, I am not sure setting all tokens as cookies is a good programming practice.

answered a year ago
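
Added example, not part of the original thread: the `headers` dict in the question repeats the `'Set-Cookie'` key, and a Python dict literal keeps only the last value for a repeated key, which is why only one cookie arrives. The sketch below assumes the Lambda sits behind an API Gateway REST API with Lambda proxy integration (the thread does not say so), where `multiValueHeaders` carries one header per list entry; the helper names, the `/Prod/auth/refresh` path, `SameSite=Lax` and the `Max-Age` values are assumptions.

```python
import json

def broken_headers(access_token, refresh_token):
    # Pattern from the question: a dict literal keeps only the LAST value
    # for a repeated key, so the first Set-Cookie is silently dropped.
    return {
        "Set-Cookie": f"refresh_token={refresh_token}; Path=/; Secure; HttpOnly",
        "Set-Cookie": f"access_token={access_token}; Path=/; Secure; HttpOnly",
    }

def build_cookie(name, value, path="/", max_age=None):
    """Build one Set-Cookie header value with hardening attributes."""
    parts = [f"{name}={value}", f"Path={path}", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return "; ".join(parts)

def redirect_with_cookies(tokens, location="/Prod/auth/profile"):
    """302 response for an API Gateway REST API Lambda proxy integration."""
    # Max-Age values are assumed; align them with the app client's token validity.
    cookies = [build_cookie("access_token", tokens["access_token"], max_age=3600)]
    if tokens.get("refresh_token"):  # get_tokens() may return None here
        # Assumption: only a hypothetical /Prod/auth/refresh route needs this
        # cookie, so the browser is told not to send it anywhere else.
        cookies.append(build_cookie("refresh_token", tokens["refresh_token"],
                                    path="/Prod/auth/refresh",
                                    max_age=30 * 24 * 3600))
    return {
        "statusCode": 302,
        "headers": {"Location": location},
        # One list entry per cookie -> one Set-Cookie header each.
        "multiValueHeaders": {"Set-Cookie": cookies},
        "body": "",
    }

if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    sample = {"access_token": "constructed.access.token",
              "refresh_token": "constructed-refresh-token"}
    print(broken_headers(sample["access_token"], sample["refresh_token"]))
    print(json.dumps(redirect_with_cookies(sample), indent=2))
```

If the function is instead behind an HTTP API using payload format 2.0, the response takes a top-level `cookies` list of the same strings rather than `multiValueHeaders`.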
