How to modify expiry time of the access and identity tokens for AWS Cognito User Pools


Solution 1

This is currently not possible to configure for your user pool. They are set to one hour for everyone.

Edit: see Mike's comment, this has recently been added.

Solution 2

As of August 12, 2020, AWS has announced that user pools now support customization of token expiration. Here are the steps to follow:

  1. Open your AWS Cognito console.
  2. Go to General Settings.
  3. Scroll down to App clients and click edit.
  4. Click on the Show Details button to see the customization options like below. [Screenshot: Token Expiry Customization Screen]

Access token expiration must be between 5 minutes and 1 day. It cannot be greater than the refresh token expiration.

For further detail on AWS Cognito you can follow this link.
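The same settings can be applied through the API instead of the console. The following is an added example (not AWS or the answerer's code) that assembles the parameters for boto3's update_user_pool_client and checks them against the limits quoted in this answer before anything is sent; the pool id, client id and the boto3 client are assumed to be supplied by the caller.

```python
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}
ACCESS_MIN_S, ACCESS_MAX_S = 5 * 60, 24 * 3600   # 5 minutes .. 1 day, per the answer above

def to_seconds(value: int, unit: str) -> int:
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unknown validity unit: {unit!r}")
    return value * UNIT_SECONDS[unit]

def check_token_validity(access: tuple, refresh: tuple) -> list:
    """List the limit violations for (value, unit) pairs; empty means acceptable."""
    problems = []
    a, r = to_seconds(*access), to_seconds(*refresh)
    if not ACCESS_MIN_S <= a <= ACCESS_MAX_S:
        problems.append("access token validity must be between 5 minutes and 1 day")
    if a > r:
        problems.append("access token validity cannot exceed refresh token validity")
    return problems

def token_validity_params(access=(60, "minutes"), id_token=(60, "minutes"),
                          refresh=(30, "days")) -> dict:
    """Keyword arguments for update_user_pool_client with the units stated.

    Left out, TokenValidityUnits makes the service read AccessTokenValidity and
    IdTokenValidity as hours and RefreshTokenValidity as days; the same default
    applies to the CloudFormation property, so always state the unit."""
    problems = check_token_validity(access, refresh)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "AccessTokenValidity": access[0],
        "IdTokenValidity": id_token[0],
        "RefreshTokenValidity": refresh[0],
        "TokenValidityUnits": {"AccessToken": access[1], "IdToken": id_token[1],
                               "RefreshToken": refresh[1]},
    }

def apply_token_validity(cognito_idp, user_pool_id: str, client_id: str,
                         extra_client_settings: dict, **validity):
    """Push the settings with a boto3 'cognito-idp' client (needs AWS credentials).

    update_user_pool_client resets any attribute you omit to its default, so pass
    the client's other settings (auth flows, callback URLs, ...) in
    extra_client_settings rather than sending the validity keys alone."""
    params = {**extra_client_settings, **token_validity_params(**validity)}
    return cognito_idp.update_user_pool_client(
        UserPoolId=user_pool_id, ClientId=client_id, **params)
```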

Solution 3

Clarification: this reply is about the access token (not the refresh token).

You can configure token expiration from the Cognito console: General Settings / App Clients / {your app} / Show Details / Refresh token expiration (days).

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html

By default, the refresh token expires 30 days after your app user signs in to your user pool. When you create an app for your user pool, you can set the app's refresh token expiration (in days) to any value between 1 and 3650.

It seems that currently for the web client there is no option for something less than a day (quite strange).

If you use the Mobile SDK, then:

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html

The Mobile SDK for Android offers the option to change the minimum validity period of the ID and access tokens to a value between 0 and 30 minutes. See the setRefreshThreshold() method of CognitoIdentityProviderClientConfig in the AWS Mobile SDK for Android API Reference.

Solution 4

I presume the question is how to get granular control of Cognito session termination. There is a way to do this. But first let's recap how Cognito session management works:

  1. Auth tokens expire after an hour.
  2. A new auth token may be requested upon the issuance of a refresh token.
  3. After 1 to 30 days, Cognito will not issue a refresh token - the number of days is configured per app, in the App Client Settings.

So what can you do to get better control of Cognito session length? The answer is to insert a filter in your HTTP request stack that evaluates the request: if the user must be logged out for whatever reason, issue a 302 redirect to the Cognito logout endpoint (and clear your session cookies too).

This is what we do in Kubernetes with Envoy (using a proxy), and also Spring. It also allows you to wire in logic that immediately revokes access to a user before their 1 hour access token expires.

See https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
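An added example of such a filter, written here in Python rather than taken from the answerer's Envoy or Spring setup: it inspects the Cognito access token on each request and answers with a redirect to the pool's logout endpoint when the session has to end, whether because the token expired, because the session has exceeded a cap you choose, or because the user was revoked. The domain, client id, logout URI and revocation set are constructed placeholders, and the token signature is assumed to have been verified upstream (for example by an ALB or API Gateway authorizer); only the claims are examined here.

```python
import base64, json, time
from urllib.parse import urlencode

# Constructed configuration: replace with your pool domain and app client id.
COGNITO_DOMAIN = "https://example-pool.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "EXAMPLECLIENTID"
LOGOUT_URI = "https://app.example.com/signed-out"
MAX_SESSION_SECONDS = 8 * 3600            # hard cap on total session length
REVOKED_SUBS = {"sub-of-terminated-user"}  # fed from HR / IdP deprovisioning

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned compact JWT used only to exercise the filter offline."""
    header = _b64url(b'{"alg":"none"}')
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT; the signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def session_decision(token: str, now=None) -> tuple:
    """('allow',) when the request may proceed, otherwise ('logout', reason)."""
    now = time.time() if now is None else now
    try:
        claims = jwt_claims(token)
    except (ValueError, json.JSONDecodeError):
        return ("logout", "malformed token")
    if claims.get("token_use") != "access" or claims.get("client_id") != CLIENT_ID:
        return ("logout", "wrong token type or client")
    if now >= claims.get("exp", 0):
        return ("logout", "expired")          # Cognito's own one-hour expiry
    if now - claims.get("auth_time", now) > MAX_SESSION_SECONDS:
        return ("logout", "session too old")  # a cap you choose, not Cognito's
    if claims.get("sub") in REVOKED_SUBS:
        return ("logout", "revoked")          # pull access before the token expires
    return ("allow",)

def logout_response() -> tuple:
    """302 to the Cognito logout endpoint; clears the app's own cookie as well."""
    query = urlencode({"client_id": CLIENT_ID, "logout_uri": LOGOUT_URI})
    return 302, {"Location": f"{COGNITO_DOMAIN}/logout?{query}",
                 "Set-Cookie": "session=; Max-Age=0; Path=/; Secure; HttpOnly"}
```

Wire session_decision into whatever middleware hook your stack offers and return logout_response() whenever it does not answer ("allow",).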

Solution 5

If you are using a CloudFormation template, add the following attribute and specify in days (although the official docs say that it defaults to hours) how long the access token should be valid. Here is an example where the Access Token is valid for 24 days.

UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
        ClientName: myuserpoolclient
        GenerateSecret: true
        UserPoolId: !Ref YourUserPool
        # Read in hours unless TokenValidityUnits sets another unit; the
        # access token cannot be longer than 1 day (see Solution 2).
        AccessTokenValidity: 24

Documentation: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html#CognitoUserPools-CreateUserPoolClient-request-AccessTokenValidity

Author: Luca

Updated on October 08, 2020

Comments

  • Luca
    Luca over 3 years

    I can't find any documentation which explains if and how to modify the expiry time of access and identity tokens for AWS Cognito User Pools.

    The documentation specifies that by default expires 1h after the emission.

    Is there a way to modify the expiry time?

  • Dan
    Dan over 5 years
    A year and a half later I wonder if anything has changed concerning expiry of ID & ACCESS tokens? I can't seem to find any changes to the documentation but I figured I'd ask here and move on.
  • Dave
    Dave over 5 years
    Yeah, this is a feature I would love to have for TESTING. It is currently difficult to test logout / token expiration scenarios.
  • Abhishek Balani
    Abhishek Balani about 5 years
    The question is about access token, not refresh token.
  • Ali Akram
    Ali Akram about 5 years
    If I have a refresh token, how do I get a token if my token expires in 1 hour?
  • roger
    roger over 4 years
    My use case is such that we have configured our Cognito user pool to federate authentication to my company's SAML provider and login happens via SSO. Now, when a user changes their group memberships in the company's user management solution, how do we ensure that this impacts the user's ability to use the web application, as the Cognito tokens are not refreshed from the company's user management solution? We are considering having a logout button to achieve this. However, we also want to prevent the current Cognito session from being everlasting; how can we achieve this?
  • Rori Stumpf
    Rori Stumpf over 4 years
    The groups are embedded in the token. So to get an updated group, you need to get a new token. You should be able to redirect your user to the login flow and that should refresh it for you. I tried that and it worked for me.
  • Rori Stumpf
    Rori Stumpf over 4 years
    Also, the Cognito session is not everlasting. It is possible to set the number of days in the App Client Settings. If you want to control the session expiry more than that, implement logout and redirect the user to logout when the session needs to be killed. I use an http filter to do that. The exact mechanism will depend on the stack you are using.
  • roger
    roger over 4 years
    Yes, the Cognito token does contain the groups. And you are right that in order to get an updated group, we need to get a new token. The question is, how does the app know that new groups are available and hence that customers should be redirected to the login flow? The default behavior is that idToken and accessToken are valid for an hour and refreshToken is valid for 30 days. Once the idToken expires, refreshToken just refreshes the token without actually fetching a new idToken which would have the new groups.
  • ecoe
    ecoe over 4 years
    but for SPA applications that have no alternative but to store the refresh token in the browser due to Cognito's limitations, it's not so simple.
  • ecoe
    ecoe over 4 years
    @AliAkram as of 10/3/2019, after 1 hour your access token expires and you then need to use the refresh token to issue a renewed access token. But be careful for how you store the refresh token...
  • ecoe
    ecoe over 4 years
    @Jeff Bailey has the Cognito team considered SPA applications, for which refresh tokens cannot be securely stored in the browser, and for which a 1 hour expiry for the access token is typically inconvenient for a user? It would be enormously appreciated by many SPA developers to securely keep users authenticated for more than an hour.
  • TahoeWolverine
    TahoeWolverine over 4 years
    @Neil reviewing the function of the "refresh threshold", it appears to actually be the leniency factor for the token's expiration, not the lifespan itself. Looking at CognitoIdentityProviderClientConfig.java, you see that this value must be between min (0ms) and max (1,800,000ms or 30min) with default (300,000ms or 5min). I have observed that id tokens do not start being rejected within the sdks (or in server APIs) until 5 minutes passes, which might be what the threshold is for. But it does not appear to be relevant to this discussion, unless you are looking between 60 and 90 minutes.
  • Guillermo Garcia
    Guillermo Garcia over 4 years
    In that case, I can recommend you some mix up of Cognito + APIGateway. docs.aws.amazon.com/apigateway/latest/developerguide/… Then you could interact with the Cognito User Pools Auth API docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
  • ecoe
    ecoe over 4 years
    My point is that refresh tokens should be stored securely (e.g. ideally on a private server, encrypted database), but SPA applications usually have limited infrastructure, and because tokens expire in 1 hour, there's no avoiding storing Cognito refresh tokens in the client's browser, which is not secure.
  • trusktr
    trusktr almost 4 years
    @ecoe Just curious, why can't we securely store refresh tokens in an SPA?
  • trusktr
    trusktr almost 4 years
    What if you just want to test that your auth refresh works, without waiting an hour?
  • ecoe
    ecoe almost 4 years
    @trusktr See docs for access tokens and refresh alike. Access tokens must be kept confidential in transit and in storage. The only parties that should ever see the access token are the application itself, the authorization server, and resource server.
  • Mike Fogel
    Mike Fogel over 3 years
    UPDATE 2020/08: you can now edit the lifetime of the access, id and refresh tokens for cognito user pools. aws.amazon.com/about-aws/whats-new/2020/08/…
  • steviesh
    steviesh over 3 years
    finally! took the cognito team long enough -- still a huge related issue is that Cognito still doesn't allow invalidation of all tokens on an api call
  • chrylis -cautiouslyoptimistic-
    chrylis -cautiouslyoptimistic- over 3 years
    And as of December 30, this is no longer available. (This answer was correct when posted, and I used it.)
  • Al Hill
    Al Hill over 3 years
    Thank you, I wasn't capable of finding it :)
  • Haziq
    Haziq over 3 years
    @chrylis-cautiouslyoptimistic- Though I am still able to use this option, do you have any reference for the claim that this option is no longer available?
  • chrylis -cautiouslyoptimistic-
    chrylis -cautiouslyoptimistic- over 3 years
    @MHaziq It disappeared from my console.
  • Wayneio
    Wayneio over 3 years
    @MikeFogel that's great news but the link doesn't tell you how to do it
  • DJG22
    DJG22 over 2 years
    @chrylis-cautiouslyoptimistic- it still shows on my console.