84

I can't find any documentation which explains if and how to modify the expiry time of access and identity tokens for AWS Cognito User Pools.

The documentation specifies that by default they expire 1 hour after issuance.

Is there a way to modify the expiry time?

Luca
  • there is a way to configure _Expiration Time_ using CloudFormation, here is the answer (it is still at the bottom of this page): https://stackoverflow.com/a/64242923/1115187 – maxkoryukov Oct 08 '20 at 21:30
  • It is now possible to set Access Token, ID Token, and Refresh Token validities at the client level either using the UI Console, Cloudformation, or SDK (see [`createUserPoolClient`](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#createUserPoolClient-property) and [`updateUserPoolClient`](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#updateUserPoolClient-property)) – Anjan Biswas Jun 06 '22 at 04:35

7 Answers

97

As of August 12, 2020, AWS has announced that user pools now support customization of token expiration. Here are the steps to follow:

  1. Open your AWS Cognito console.
  2. Go to App integration.
  3. Scroll down to App clients and click edit.
  4. Click on Show Details button to see the customization options like below:

    [Image: Token Expiry Customization Screen]

Access token expiration must be between 5 minutes and 1 day. Cannot be greater than refresh token expiration.

For further detail on AWS cognito you can follow this link.

ssuperczynski
Haziq
58

This is currently not possible to configure for your user pool. They are set to one hour for everyone.

Edit: see Mike's comment, this has recently been added.

Jeff Bailey
  • 5
    A year and a half later I wonder if anything has changed concerning expiry of ID & ACCESS tokens? I can't seem to find any changes to the documentation but I figured I'd ask here and move on. – Dan Nov 26 '18 at 19:37
  • 15
    Yeah, this is a feature I would love to have for TESTING. It is currently difficult to test logout / token expiration scenarios. – Dave Nov 29 '18 at 19:54
  • If I have a refresh token, how do I get a token if my token expires in 1 hour? – Ali Akram Apr 10 '19 at 07:35
  • @AliAkram as of 10/3/2019, after 1 hour your access token expires and you then need to use the [refresh token](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html) to issue a renewed access token. But be careful for [how you store the refresh token](https://auth0.com/docs/security/store-tokens)... – ecoe Oct 03 '19 at 18:59
  • 3
    @Jeff Bailey has the Cognito team considered SPA applications, for which refresh tokens cannot be securely stored in the browser for and 1 hour expire for access token is typically inconvenient for a user? Would be enormously appreciated by many SPA developers to securely keep users authenticated for more than an hour. – ecoe Oct 03 '19 at 19:10
  • @ecoe Just curious, why can't we securely store refresh tokens in an SPA? – trusktr Jun 02 '20 at 03:40
  • @trusktr [See docs](https://www.oauth.com/oauth2-servers/access-tokens/) for access tokens and refresh alike. `Access tokens must be kept confidential in transit and in storage. The only parties that should ever see the access token are the application itself, the authorization server, and resource server.` – ecoe Jun 02 '20 at 19:34
  • 12
    UPDATE 2020/08: you can now edit the lifetime of the access, id and refresh tokens for cognito user pools. https://aws.amazon.com/about-aws/whats-new/2020/08/amazon-cognito-user-pools-supports-customization-of-token-expiration/ – Mike Fogel Aug 18 '20 at 18:17
  • 3
    @MikeFogel that's great news but the link doesn't tell you how to do it – Wayneio Jan 26 '21 at 16:13
7

Clarification: this reply is about access token (not refresh token)

You can configure token expiration from cognito console General Settings / App Clients / {your app} / Show Details / Refresh token expiration (days)

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html

By default, the refresh token expires 30 days after your app user signs in to your user pool. When you create an app for your user pool, you can set the app's refresh token expiration (in days) to any value between 1 and 3650.

It seems that currently for the web client there is no option for something less than a day (quite strange).

If you use Mobile SDK then

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html

The Mobile SDK for Android offers the option to change the minimum validity period of the ID and access tokens to a value between 0 and 30 minutes. See the setRefreshThreshold() method of CognitoIdentityProviderClientConfig in the AWS Mobile SDK for Android API Reference.

Neil
  • 13
    The question is about access token, not refresh token. – Abhishek Balani Mar 25 '19 at 07:24
  • 1
    @Neil reviewing the function of the "refresh threshold", it appears to actually be the leniency factor for the token's expiration, not the lifespan itself. Looking at CognitoIdentityProviderClientConfig.java, you see that this value must be between min (0ms) and max (1,800,000ms or 30min) with default (300,000ms or 5min). I have observed that id tokens do not start being rejected within the sdks (or in server APIs) until 5 minutes passes, which might be what the threshold is for. But it does not appear to be relevant to this discussion, unless you are looking between 60 and 90 minutes. – TahoeWolverine Dec 03 '19 at 20:31
7

I presume the question is how to get granular control of Cognito session termination. There is a way to do this. But first let's recap how Cognito session management works:

  1. Auth tokens expire after an hour.
  2. A new auth token may be requested upon the issuance of a refresh token.
  3. After 1 to 30 days, Cognito will not issue a refresh token - the number of days is configured per app, in the App Client Settings.

So what can you do to get better control of Cognito session length? The answer is to insert a filter in your http request stack that evaluates the request - if the user must be logged out for whatever reason, issue a 302 redirect to the Cognito logout endpoint (and clear your session cookies too).

This is what we do in Kubernetes with Envoy (using a proxy), and also Spring. It also allows you to wire in logic that immediately revokes access to a user before their 1 hour access token expires.

See https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html

Rori Stumpf
  • My usecase is such that we have configured our Cognito user pool to federate authentication to my company's SAML provider and login happens via SSO. Now, when a user changes their group memberships in the company's user management solution, how do we ensure that this impacts the user's ability to use the web application as the Cognito tokens are not refreshed from the company's user management solution. We are considering having a logout button to achieve this. However, we also want to prevent the current Cognito session to be everlasting, how can we achieve this ? – roger Oct 01 '19 at 06:19
  • The groups are embedded in the token. So to get an updated group, you need to get a new token. You should be able to redirect your user to the login flow and that should refresh it for you. I tried that and it worked for me. – Rori Stumpf Oct 02 '19 at 15:50
  • Also, the Cognito session is not everlasting. It is possible to set the number of days in the App Client Settings. If you want to control the session expiry more than that, implement logout and redirect the user to logout when the session needs to be killed. I use an http filter to do that. The exact mechanism will depend on the stack you are using. – Rori Stumpf Oct 02 '19 at 15:52
  • Yes, the Cognito token does contain the groups. And you are right that in order to get an updated group, we need to get a new token. The question is, how does the app know that new groups are available and hence, customers should be redirected to the login flow ? The default behavior is that idToken and accessToken are valid for an hour and refreshToken is valid for 30 days. Once the idToken expires, refreshToken just refreshes the token without actually fetching a new idToken which would have the new groups. – roger Oct 02 '19 at 17:25
  • What if you just want to test that your auth refresh works, without waiting an hour? – trusktr Jun 02 '20 at 05:00
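The filter the answer above describes, as an added example that is not the answer's own Envoy or Spring code: a WSGI middleware that checks the authenticated subject against a revocation set and, when the user must go, answers with a 302 to the Cognito logout endpoint and expires the app's session cookies. The `cognito.sub` environ key, the cookie name, the domain and the client ID are assumptions for the demo; `logout_uri` must be one of the app client's registered sign-out URLs.

```python
"""Force a Cognito sign-out for revoked users from inside the request stack."""
from urllib.parse import urlencode


class ForcedLogout:
    """WSGI middleware.

    If the authenticated subject is in `revoked`, the request never reaches the
    app: the browser is sent to the Cognito logout endpoint and the session
    cookies are cleared. `revoked` is any set-like object the rest of the system
    updates (admin action, group change detected, and so on).
    """

    def __init__(self, app, cognito_domain, client_id, logout_uri, revoked,
                 cookies=("session",)):
        self.app = app
        # Cognito logout endpoint: https://<domain>/logout?client_id=...&logout_uri=...
        self.logout_url = f"https://{cognito_domain}/logout?" + urlencode(
            {"client_id": client_id, "logout_uri": logout_uri})
        self.revoked = revoked
        self.cookies = cookies

    def __call__(self, environ, start_response):
        # Hypothetical: an upstream authentication layer has already verified the
        # JWT signature and placed the `sub` claim here.
        sub = environ.get("cognito.sub")
        if sub is not None and sub in self.revoked:
            headers = [("Location", self.logout_url)]
            for name in self.cookies:
                # Max-Age=0 deletes the cookie; keep the security attributes so the
                # deletion matches the original cookie's scope.
                headers.append(("Set-Cookie",
                                f"{name}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"))
            start_response("302 Found", headers)
            return [b""]
        return self.app(environ, start_response)


def protected_app(environ, start_response):
    """Stand-in for the real application behind the filter."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + environ.get("cognito.sub", "anonymous").encode()]


def run_once(app, environ):
    """Invoke a WSGI app once and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    revoked = {"user-b"}  # constructed revocation set
    app = ForcedLogout(protected_app, "auth.example.com", "1example23456789",
                       "https://app.example.com/signed-out", revoked)
    print(run_once(app, {"cognito.sub": "user-a"}))
    print(run_once(app, {"cognito.sub": "user-b"}))
```

The redirect ends the hosted-UI session and the app's own session. A bearer token already handed out stays valid, until its `exp`, for any resource server that only verifies the JWT signature, so every path that should honour the revocation has to pass through a filter like this one.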
4

Updated answer (as of Dec 13, 2022):

  1. Open your AWS Cognito Console (don't switch back to old console)
  2. Click "User pools"
  3. Click the User pool you'd like to configure
  4. You should see tabs: "Users, Groups, Sign-in experience, Sign-up experience, Messaging, App integration, User pool properties". Select "App integration".
  5. Scroll to the bottom where you see the App client list
  6. Select the relevant app client
  7. You should see "App client information". Tap edit.

Finally, you should see an input for "Refresh token expiration".

Rahul Nallappa
3

If you are using CloudFormation template, add the following attribute and specify in days (although the official docs say that it defaults to hours) how long the access token should be valid. Here is an example where Access Token is valid for 24 days.

UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
        ClientName: myuserpoolclient
        GenerateSecret: true
        UserPoolId: !Ref YourUserPool
        AccessTokenValidity: 24

Documentation: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html#CognitoUserPools-CreateUserPoolClient-request-AccessTokenValidity

Ihor Shylo
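The console steps in the top answer and the CloudFormation fragment above set the same three app-client properties. As an added example that is not part of any answer here, the following Python builds the equivalent call for the boto3 `update_user_pool_client` API (the Python counterpart of the `updateUserPoolClient` SDK call named in the comments on the question), always sends `TokenValidityUnits`, and rejects values outside the documented ranges before anything reaches AWS. The pool and client IDs are placeholders.

```python
"""Build and sanity-check token validity settings for a Cognito app client."""
import os

# Documented constraints: access and ID token validity between 5 minutes and
# 1 day, refresh token validity between 60 minutes and 10 years, and neither
# the access nor the ID token may outlive the refresh token.
_UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}
_MIN_ACCESS_ID = 5 * 60
_MAX_ACCESS_ID = 24 * 3600
_MIN_REFRESH = 60 * 60
_MAX_REFRESH = 3650 * 86400


def _to_seconds(value, unit):
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown unit {unit!r}; use seconds, minutes, hours or days")
    if not isinstance(value, int) or value < 1:
        raise ValueError("validity values must be positive integers")
    return value * _UNIT_SECONDS[unit]


def token_validity_params(user_pool_id, client_id,
                          access=(1, "hours"), id_token=(1, "hours"),
                          refresh=(30, "days")):
    """Return keyword arguments for cognito-idp update_user_pool_client.

    Each lifetime is a (value, unit) pair. TokenValidityUnits is sent
    explicitly because, without it, AccessTokenValidity and IdTokenValidity are
    read as hours and RefreshTokenValidity as days; the numbers alone are
    ambiguous.
    """
    access_s = _to_seconds(*access)
    id_s = _to_seconds(*id_token)
    refresh_s = _to_seconds(*refresh)
    for name, secs in (("AccessTokenValidity", access_s), ("IdTokenValidity", id_s)):
        if not _MIN_ACCESS_ID <= secs <= _MAX_ACCESS_ID:
            raise ValueError(f"{name} must be between 5 minutes and 1 day")
    if not _MIN_REFRESH <= refresh_s <= _MAX_REFRESH:
        raise ValueError("RefreshTokenValidity must be between 60 minutes and 10 years")
    if access_s > refresh_s or id_s > refresh_s:
        raise ValueError("access/ID token validity cannot exceed refresh token validity")
    return {
        "UserPoolId": user_pool_id,
        "ClientId": client_id,
        "AccessTokenValidity": access[0],
        "IdTokenValidity": id_token[0],
        "RefreshTokenValidity": refresh[0],
        "TokenValidityUnits": {
            "AccessToken": access[1],
            "IdToken": id_token[1],
            "RefreshToken": refresh[1],
        },
    }


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own pool and app client.
    params = token_validity_params(
        "us-east-1_EXAMPLE", "1example23456789",
        access=(15, "minutes"), id_token=(15, "minutes"), refresh=(7, "days"))
    print(params)
    if os.environ.get("APPLY_COGNITO") == "1":
        import boto3  # needs credentials allowed cognito-idp:UpdateUserPoolClient
        boto3.client("cognito-idp").update_user_pool_client(**params)
```

Two practical points. The units are what decide whether `24` means 24 hours or 24 days, which is why the function never omits them. And `UpdateUserPoolClient` resets any app-client attribute left out of the call to its default value, so before applying this in earnest read the current client with `describe_user_pool_client` and merge these keys into it rather than sending them on their own.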
1

Cognito uses the OAuth 2.0 Specification. In order to renew an expired token, you will need to use the Refresh Token value to get a new Id Token.

  1. To get authenticated at the start, the user ID and password are collected from the user and sent to Cognito.
  2. You get back two tokens. One you use to "access" the API and one you use to "refresh" when the access expires.
  3. You don't need to ask the user to input a user id and password again; you just need to use the "refresh" token.
  4. You don't need to store the clear text of the password (which would create a security risk) because the "refresh" token will get you a new access token.

It's really quite simple. Further information is in the Cognito documentation on Refresh Tokens.

Guillermo Garcia
  • but for SPA applications that have no alternative but to store the refresh token in the browser [due to Cognito's limitations, it's not so simple](https://github.com/aws/amazon-cognito-auth-js/issues/92). – ecoe Oct 03 '19 at 18:54
  • In that case, I can recommend you some mix up of Cognito + APIGateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html Then you could interact with Cognito User Pools Auth API https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html – Guillermo Garcia Dec 11 '19 at 02:27
  • 1
    My point is that refresh tokens should be stored securely (e.g. ideally on a private server, encrypted database), but SPA applications usually have limited infrastructure, and because tokens expire in 1 hour, there's no avoiding storing Cognito refresh tokens in the client's browser, which is not secure. – ecoe Dec 11 '19 at 13:45
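The refresh flow described in the last answer, and the "refresh threshold" that Neil's answer and its comments discuss, as one added example that is not taken from any answer on this page: the client reads `exp` from the access token without verifying it (that is enough to schedule a refresh; it is never enough to grant access), refreshes when the token is within a threshold of expiring, and builds the `initiate_auth` call with the `REFRESH_TOKEN_AUTH` flow, including the `SECRET_HASH` that app clients with a secret require. The sample token is constructed and unsigned; the client ID, secret and username are placeholders.

```python
"""Schedule a Cognito token refresh and build the REFRESH_TOKEN_AUTH request."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims_unverified(jwt):
    """Read the JWT payload WITHOUT verifying the signature.

    Use this on the client only to decide when to refresh. Anything that
    authorises a request must verify the signature against the user pool's
    JWKS and check `exp`, `iss` and `client_id` itself.
    """
    _header, payload, _sig = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def needs_refresh(jwt, now=None, threshold=300):
    """True when the token is expired or expires within `threshold` seconds.

    The threshold plays the role of the Android SDK's refresh threshold
    (default 5 minutes): refresh a little early so a request does not leave
    with a token that is dead on arrival.
    """
    exp = decode_claims_unverified(jwt)["exp"]
    now = time.time() if now is None else now
    return exp - now <= threshold


def secret_hash(username, client_id, client_secret):
    """SECRET_HASH = base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).

    `username` is the name Cognito knows the user by (the `username` claim of
    the access token), not an alias such as the e-mail address.
    """
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def refresh_request(client_id, refresh_token, username=None, client_secret=None):
    """Keyword arguments for boto3 cognito-idp initiate_auth(**...)."""
    auth_params = {"REFRESH_TOKEN": refresh_token}
    if client_secret:
        auth_params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return {"ClientId": client_id,
            "AuthFlow": "REFRESH_TOKEN_AUTH",
            "AuthParameters": auth_params}


def make_unsigned_token(claims):
    """Constructed, unsigned JWT for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed token that expires one hour after a fixed "now".
    now = 1700000000
    token = make_unsigned_token({"sub": "user-a", "username": "user-a", "exp": now + 3600})
    print(needs_refresh(token, now=now))            # plenty of time left
    print(needs_refresh(token, now=now + 3400))     # inside the 5-minute threshold
    print(refresh_request("1example23456789", "<refresh token>",
                          username="user-a", client_secret="<client secret>"))
    # To actually refresh: boto3.client("cognito-idp").initiate_auth(**request)
    # returns AuthenticationResult with a new AccessToken and IdToken.
```

A refresh returns new access and ID tokens but no new refresh token; when the refresh token itself reaches the validity configured on the app client the call fails and the user has to sign in again, which is the only point at which claims such as group membership are re-read from a federated provider.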