support different refresh token expiries per user group


Hi,

I have one Cognito user pool with 3 user groups: super_admin, facility_admin and facility_user. Our business requirement states that there are different expiry times for each user type. Currently, they are all part of the same user pool with 1 app client, so they all share the same expiry settings.

This forces me to handle the expiry on the client side, which can be problematic (maintaining expiry times that can fail when the browser tab goes to sleep, etc.).

I was looking at a couple of options:

  • Create different app clients with different expiry times and then, based on the user group type, load the correct app client. Not sure if this is possible or hacky. Plus it has a problem: for example, for the super_admin we want a refresh token that is shorter than 60 minutes, more like 15 minutes, which is not supported.
  • Use a Lambda trigger to change the refresh token expiry? Set a custom expiry that gets renewed when an access token is renewed? Not sure if this is possible.

Is there a solution that AWS would prefer, which is safe and easy to implement? Surely I am not the first one to need different expiry times for access and refresh tokens based on user role?

Mattijs
Asked 9 months ago, 34 views
No answers
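The first option above (one app client per group, each with its own token validity) can be sketched offline; this is an added illustration, not an answer from the thread or AWS code. The client ids, pool id and per-group minutes are placeholders, and the limits (access/ID tokens 5 minutes to 1 day, refresh tokens 60 minutes to 10 years) are assumed from the Cognito app-client settings, which is why the 15-minute super_admin refresh token from the question is rejected.

```python
import base64
import json

# Assumed Cognito app-client validity limits, in minutes.
ACCESS_MIN, ACCESS_MAX = 5, 24 * 60
REFRESH_MIN, REFRESH_MAX = 60, 10 * 365 * 24 * 60

# Hypothetical policy: group -> (app client id, access minutes, refresh minutes).
GROUP_POLICY = {
    "super_admin": ("client-super-admin-PLACEHOLDER", 5, 60),
    "facility_admin": ("client-facility-admin-PLACEHOLDER", 15, 8 * 60),
    "facility_user": ("client-facility-user-PLACEHOLDER", 60, 30 * 24 * 60),
}


def client_validity_params(user_pool_id, client_id, access_minutes, refresh_minutes):
    """Build the kwargs for cognito-idp UpdateUserPoolClient, refusing values
    outside Cognito's limits instead of letting the API call fail later."""
    if not ACCESS_MIN <= access_minutes <= ACCESS_MAX:
        raise ValueError(f"access token validity {access_minutes} min out of range")
    if not REFRESH_MIN <= refresh_minutes <= REFRESH_MAX:
        raise ValueError(f"refresh token validity {refresh_minutes} min out of range")
    if access_minutes > refresh_minutes:
        raise ValueError("access token must not outlive the refresh token")
    return {
        "UserPoolId": user_pool_id,
        "ClientId": client_id,
        "AccessTokenValidity": access_minutes,
        "IdTokenValidity": access_minutes,
        "RefreshTokenValidity": refresh_minutes,
        "TokenValidityUnits": {"AccessToken": "minutes", "IdToken": "minutes",
                               "RefreshToken": "minutes"},
    }


def groups_from_id_token(id_token):
    """Read cognito:groups from the JWT payload. The signature is NOT verified
    here, so use this only to pick a client config, never to authorize."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("cognito:groups", [])


def choose_client(groups):
    """Strictest group wins: the member group with the shortest refresh validity."""
    known = [g for g in groups if g in GROUP_POLICY]
    if not known:
        raise ValueError("user is in no group covered by the policy")
    return GROUP_POLICY[min(known, key=lambda g: GROUP_POLICY[g][2])][0]


def _constructed_id_token(claims):
    """Unsigned JWT-shaped string, constructed here for offline demonstration."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


SAMPLE_ID_TOKEN = _constructed_id_token(
    {"sub": "user-PLACEHOLDER", "cognito:groups": ["facility_user", "facility_admin"]})
```

Each dict returned by `client_validity_params` would be passed as keyword arguments to boto3's `cognito-idp` `update_user_pool_client` once per group.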
