Hi all,
To the background:
I'm using the latest LocalStack Pro Docker image to develop a web application. I deploy it locally with Terraform. I use a Cognito user pool and client for the user authentication, and an API Gateway REST endpoint with a Lambda function as a proxy which just forwards the requests to Cognito (if needed, I could share the source code, but I think this is not the problem here). I also host, inside the LocalStack Docker container, an Angular static website (client-side) on an S3 bucket with Route53 and CloudFront.
The problem:
When I authenticate my user with the Angular Amplify module and the Cognito user pool client over the Lambda function proxy, everything works fine and the ID, access and refresh tokens are stored in the browser cookie. When I then wait until the refresh token should be invalid (in my case 1 hour), I am still able to refresh the ID and access tokens. I posted the Cognito config below. Does anyone know if this feature is not implemented in LocalStack, or if I configured Cognito the wrong way?
Thanks for any help.
PS: I was not able to test it on the real AWS cloud yet.
Cognito config:
resource "aws_cognito_user_pool" "user_pool" {
  name                     = "${var.project}-user-pool-${var.namespace}"
  username_attributes      = ["email"]   # users sign in with their e-mail address
  auto_verified_attributes = ["email"]

  password_policy {
    minimum_length    = 8
    require_lowercase = true
    require_numbers   = true
    require_symbols   = true
    require_uppercase = true
  }

  # Verification and notification mail is sent through SES (DEVELOPER mode)
  email_configuration {
    email_sending_account = "DEVELOPER"
    source_arn            = var.ses_domain_identity_arn
    from_email_address    = "noreply@${var.domain}"
  }

  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
    email_subject        = "Account Confirmation"
    email_message        = "Thank you for your registration. Your confirmation code is {####}"
  }

  # Trigger invoked after the user confirms the account
  lambda_config {
    post_confirmation = var.lambda_post_confirmation_arn
  }

  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
  }

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "email"
    required                 = true

    string_attribute_constraints {
      min_length = 1
      max_length = 256
    }
  }

  tags = {
    Name = "${var.project}-user-pool-${var.namespace}"
  }
}

resource "aws_cognito_user_pool_client" "client" {
  name         = "${var.project}-cognito-client-${var.namespace}"
  user_pool_id = aws_cognito_user_pool.user_pool.id

  # Client secret: every auth call must send SECRET_HASH (the Lambda proxy does this,
  # a browser-only Amplify client could not keep the secret)
  generate_secret = true

  # Token lifetimes: 10 minutes for access/ID tokens, 1 hour for the refresh token
  # (1 hour is the minimum refresh token validity Cognito allows)
  access_token_validity  = 10
  id_token_validity      = 10
  refresh_token_validity = 1

  token_validity_units {
    access_token  = "minutes"
    id_token      = "minutes"
    refresh_token = "hours"
  }

  prevent_user_existence_errors = "ENABLED"

  explicit_auth_flows = [
    "ALLOW_REFRESH_TOKEN_AUTH",
    "ALLOW_USER_SRP_AUTH"
  ]
}
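An added example (not the poster's code) for checking, from the Lambda proxy side or a local script, whether the token lifetimes LocalStack hands out match the client config above and whether a refresh past the configured window is rejected. It assumes boto3 is installed, that LocalStack listens on the default edge port (LOCALSTACK_URL), and uses placeholder values for CLIENT_ID, CLIENT_SECRET, the username and the refresh token. The sample ID token embedded in the script is constructed and unsigned; it only carries the iat/exp claims a real token would.

```python
"""Added example: compare observed Cognito token behaviour with the pool client config.

Not the poster's code. Assumes boto3 and a LocalStack instance on LOCALSTACK_URL;
client id, client secret, username and refresh token values are placeholders.
"""
import base64
import hashlib
import hmac
import json

# Lifetimes as configured in the aws_cognito_user_pool_client block above.
ACCESS_TOKEN_VALIDITY_S = 10 * 60
ID_TOKEN_VALIDITY_S = 10 * 60
REFRESH_TOKEN_VALIDITY_S = 1 * 60 * 60

LOCALSTACK_URL = "http://localhost:4566"  # assumption: default LocalStack edge port


def secret_hash(username, client_id, client_secret):
    """SECRET_HASH an app client with generate_secret = true must send:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
    `username` is the pool's real username; with username_attributes = ["email"]
    that is the generated UUID username (cognito:username claim), not the e-mail."""
    msg = (username + client_id).encode("utf-8")
    mac = hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. Inspection only;
    never base an authorization decision on unverified claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_lifetime_s(token):
    """Lifetime Cognito stamped into the token (exp - iat), in seconds."""
    claims = jwt_claims(token)
    return claims["exp"] - claims["iat"]


def refresh_is_overdue(issued_at, now, validity_s=REFRESH_TOKEN_VALIDITY_S):
    """True when a refresh attempt at `now` lies outside the refresh window."""
    return now - issued_at >= validity_s


def judge_refresh(issued_at, now, accepted):
    """Compare an observed refresh outcome with what the config says should happen."""
    overdue = refresh_is_overdue(issued_at, now)
    if overdue and accepted:
        return "BUG: refresh token accepted after refresh_token_validity elapsed"
    if not overdue and not accepted:
        return "UNEXPECTED: refresh token rejected inside its validity window"
    return "OK"


def try_refresh(username, client_id, client_secret, refresh_token):
    """Run REFRESH_TOKEN_AUTH against LocalStack. Returns True when a new access
    token is issued, False when Cognito answers NotAuthorizedException."""
    import boto3  # imported lazily so the pure helpers above run without boto3
    from botocore.exceptions import ClientError

    idp = boto3.client("cognito-idp", endpoint_url=LOCALSTACK_URL, region_name="us-east-1")
    try:
        resp = idp.initiate_auth(
            ClientId=client_id,
            AuthFlow="REFRESH_TOKEN_AUTH",
            AuthParameters={
                "REFRESH_TOKEN": refresh_token,
                "SECRET_HASH": secret_hash(username, client_id, client_secret),
            },
        )
    except ClientError as err:
        if err.response["Error"]["Code"] == "NotAuthorizedException":
            return False
        raise
    return "AccessToken" in resp.get("AuthenticationResult", {})


def _unsigned_jwt(claims):
    """Constructed, unsigned JWT for offline demonstration only (alg none)."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


# Constructed sample: the iat/exp an ID token from the config above would carry.
SAMPLE_ISSUED_AT = 1_700_000_000
SAMPLE_ID_TOKEN = _unsigned_jwt({
    "sub": "00000000-0000-0000-0000-000000000000",  # placeholder subject
    "token_use": "id",
    "iat": SAMPLE_ISSUED_AT,
    "exp": SAMPLE_ISSUED_AT + ID_TOKEN_VALIDITY_S,
})

if __name__ == "__main__":
    print("id token lifetime:", token_lifetime_s(SAMPLE_ID_TOKEN), "s;",
          "configured:", ID_TOKEN_VALIDITY_S, "s")
    # Two hours after login a refresh must be rejected; an accepted one is the bug
    # described in the post.
    print(judge_refresh(SAMPLE_ISSUED_AT, SAMPLE_ISSUED_AT + 2 * 3600, accepted=True))
    # Against a running LocalStack, fill in the placeholders and call:
    # accepted = try_refresh("UUID_USERNAME", "CLIENT_ID", "CLIENT_SECRET", "REFRESH_TOKEN")
    # print(judge_refresh(login_time, time.time(), accepted))
```

Record the login time when Amplify returns the tokens, wait past the configured hour, then feed the result of `try_refresh` to `judge_refresh`: a "BUG" verdict reproduces the behaviour in the question with a script rather than a browser, and the same script run against a real pool shows whether the rejection comes back as NotAuthorizedException, which is what the Lambda proxy should map to a re-login for the Angular client.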