Cognito Hosted UI Not Always Returning "event_id" with ID + Access Token


I'm using the Cognito Hosted UI, and I want to associate the session for a user based on when they logged in with username/password. Cognito passes the "event_id" in the token for this. My initial login via /login looks like this:

{
  "at_hash": "74Q6DhYCQucWC88nUFDpkQ",
  "sub": "xxx-0ddc-4891-8a5b-xxx",
  "email_verified": true,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
  "cognito:username": "xxx-0ddc-4891-8a5b-xxx",
  "aud": "xxx",
  "event_id": "5a7530d2-7468-4a37-8c41-01b76ff84189",
  "token_use": "id",
  "auth_time": 1645027556,
  "exp": 1645031156,
  "iat": 1645027556,
  "email": "xxx@xxx.xxx"
}

Great, I have the "event_id", I can save that and associate subsequent refreshes with the initial login.

I then refresh the token using the Cognito API at https://cognito-idp.us-east-1.amazonaws.com with "AWSCognitoIdentityProviderService.InitiateAuth" and "AuthFlow":"REFRESH_TOKEN_AUTH". I then get this:

{
  "at_hash": "-f9VejQpIylT9HckhBiwUw",
  "sub": "xxx-0ddc-4891-8a5b-xxx",
  "email_verified": true,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
  "cognito:username": "xxx-0ddc-4891-8a5b-xxx",
  "aud": "xxx",
  "event_id": "5a7530d2-7468-4a37-8c41-01b76ff84189",
  "token_use": "id",
  "auth_time": 1645027556,
  "exp": 1645031218,
  "iat": 1645027618,
  "email": "xxx@xxx.xxx"
}

Looks great, still have the original "event_id" with a new refresh. I want to simplify my application and just route the user to the /oauth2/authorize page on the Hosted UI to handle refreshes for me. This way, I just have one place in my app to manage all authentication (either initial or refreshes). However, when I redirect the user to the Hosted UI authorize endpoint, I get a new token but lose the "event_id":

{
  "at_hash": "FvGQF9t6TfPkJ1unSWdRWg",
  "sub": "xxx-0ddc-4891-8a5b-xxx",
  "aud": "xxx",
  "email_verified": true,
  "token_use": "id",
  "auth_time": 1645027749,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
  "cognito:username": "xxx-0ddc-4891-8a5b-xxx",
  "exp": 1645031349,
  "iat": 1645027749,
  "email": "xxx@xxx.xxx"
}

I assume something is wrong here. I can do a refresh through the API and get the original authentication "event_id" again, but it will never come back from the Hosted UI again, unless I login again (and thus get a new "event_id").

This situation is true for both IdTokens and AccessTokens.

Thanks!

asked 2 years ago, 91 views
No Answers
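The following is an added example, not part of the question above and not an answer posted on the page. It shows the session-association logic the poster describes: decode the payload of each Cognito ID token, compare its "event_id" (and, as a second signal, its "auth_time") with what was recorded at initial login, and classify the token as belonging to the same authentication event, a new one, or one that carries no "event_id" at all (the Hosted UI /oauth2/authorize case). The three token payloads are constructed from the claims shown in the question, with placeholder signatures; the helper names (make_token, decode_claims, classify_token, run_demo) are this example's own. Because the tokens are unsigned, the decoder only inspects claims; in a real deployment the JWT signature must be verified against the user pool's JWKS, and iss, aud, exp and token_use checked, before any claim, including "event_id", is trusted.

```python
"""Added example: associate Cognito ID tokens with a login event via event_id.

Assumption (not from the original post): tokens here are constructed and
UNSIGNED, so decode_claims() inspects only. Verify signatures (JWKS) and the
iss/aud/exp/token_use claims before trusting event_id in production.
"""
import base64
import json

# Constructed payloads, copied from the claims shown in the question.
LOGIN_CLAIMS = {
    "sub": "xxx-0ddc-4891-8a5b-xxx", "token_use": "id",
    "event_id": "5a7530d2-7468-4a37-8c41-01b76ff84189",
    "auth_time": 1645027556, "iat": 1645027556, "exp": 1645031156,
}
# REFRESH_TOKEN_AUTH via the Cognito API: same event_id, same auth_time.
API_REFRESH_CLAIMS = {
    "sub": "xxx-0ddc-4891-8a5b-xxx", "token_use": "id",
    "event_id": "5a7530d2-7468-4a37-8c41-01b76ff84189",
    "auth_time": 1645027556, "iat": 1645027618, "exp": 1645031218,
}
# Hosted UI /oauth2/authorize: no event_id, new auth_time.
HOSTED_UI_CLAIMS = {
    "sub": "xxx-0ddc-4891-8a5b-xxx", "token_use": "id",
    "auth_time": 1645027749, "iat": 1645027749, "exp": 1645031349,
}


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned test token (header.payload.placeholder)."""
    header = {"alg": "RS256", "kid": "constructed-kid"}  # assumption
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder"


def decode_claims(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(claims: dict, session: dict) -> str:
    """Compare a token's event_id with the one stored for the session.

    Returns "same-event" (token stems from the recorded login), "new-event"
    (a different event_id, i.e. a fresh login) or "no-event-id" (claim absent,
    so the token cannot be associated with the recorded login by event_id).
    """
    event_id = claims.get("event_id")
    if event_id is None:
        return "no-event-id"
    return "same-event" if event_id == session["event_id"] else "new-event"


def auth_time_matches(claims: dict, session: dict) -> bool:
    """Secondary signal: an API refresh keeps the original auth_time."""
    return claims.get("auth_time") == session["auth_time"]


def run_demo() -> dict:
    """Record the login event, then classify the three constructed tokens."""
    session = {"event_id": LOGIN_CLAIMS["event_id"],
               "auth_time": LOGIN_CLAIMS["auth_time"]}
    results = {}
    for name, claims in (("login", LOGIN_CLAIMS),
                         ("api_refresh", API_REFRESH_CLAIMS),
                         ("hosted_ui_authorize", HOSTED_UI_CLAIMS)):
        decoded = decode_claims(make_token(claims))
        results[name] = (classify_token(decoded, session),
                         auth_time_matches(decoded, session))
    return results


if __name__ == "__main__":
    for name, (verdict, same_auth_time) in run_demo().items():
        print(f"{name:20s} event_id={verdict:12s} auth_time_matches={same_auth_time}")
```

Running the block prints one line per token; the API refresh is recognised as the same event by both signals, while the Hosted UI token is flagged as unassociable by "event_id" and also shows a new "auth_time", which is consistent with the poster's observation that the authorize endpoint behaves like a fresh authentication rather than a refresh.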
