
Amazon Cognito announces support for OAuth 2.0 refresh token rotation for user pool clients. Refresh tokens are long-lived tokens that allow applications to obtain new access tokens without requiring users to sign in again. With refresh token rotation, you can now configure your user pool clients to replace a refresh token with a new one each time it is exchanged for new access and ID tokens, which strengthens your application's security posture. Instead of relying on a single token that remains valid for a long period of time, refresh token rotation shortens the window in which a compromised refresh token can be used. Rotation happens automatically in the background, so your users keep uninterrupted access without needing to re-authenticate.

Without refresh token rotation, customers had to choose between long-lived refresh tokens, which minimize the friction of re-authentication, and short-lived ones, which limit the damage from a compromised token. With refresh token rotation, customers get both: a seamless user experience and a stronger security posture, because users' refresh tokens are replaced automatically. For example, in a collaboration app, users can remain signed in for a 30-day session while their refresh tokens are replaced every few hours as they are exchanged for new access and ID tokens, limiting the exposure window of any single token.
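The exposure-window argument above, as an added example that is not part of the announcement and not Cognito's code or API: a hypothetical in-memory authorization server that rotates the refresh token on every exchange, plus two clients. The server keeps a short retry grace period (a design choice of this example, so a client whose refresh response was lost can retry with the old token and receive the same successor); the `Client`, `StaleClient`, `RotatingTokenServer` names, the timings and the "stolen token" scenario are all constructed for illustration. It shows that a copied refresh token stops working once the legitimate client next refreshes, and that a client which fails to persist the rotated token breaks on its following refresh.

```python
"""Added example: minimal model of OAuth 2.0 refresh token rotation.

Hypothetical in-memory authorization server and clients (not Cognito's code);
'now' is passed in as integer seconds so the scenario runs offline.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class RefreshRecord:
    subject: str
    issued_at: int
    superseded_at: Optional[int] = None  # time this token was exchanged, if ever
    successor: Optional[str] = None      # the refresh token that replaced it


class RotatingTokenServer:
    """Toy authorization server that rotates the refresh token on every exchange."""

    def __init__(self, grace_seconds: int = 30, access_ttl: int = 3600):
        self.grace = grace_seconds        # retry window for a lost response (example's own choice)
        self.access_ttl = access_ttl
        self.records: dict[str, RefreshRecord] = {}

    def _access_tokens(self, subject: str, now: int) -> dict:
        # Access/ID tokens are stand-in strings; a real server would mint JWTs.
        return {"access_token": f"access:{subject}:{now}",
                "id_token": f"id:{subject}:{now}",
                "expires_at": now + self.access_ttl}

    def _issue(self, subject: str, now: int) -> dict:
        rt = secrets.token_urlsafe(24)
        self.records[rt] = RefreshRecord(subject, now)
        return {**self._access_tokens(subject, now), "refresh_token": rt}

    def login(self, subject: str, now: int) -> dict:
        return self._issue(subject, now)

    def exchange(self, refresh_token: str, now: int) -> dict:
        rec = self.records.get(refresh_token)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec.superseded_at is None:
            # First use: rotate. The old token remains usable only inside the grace window.
            result = self._issue(rec.subject, now)
            rec.superseded_at, rec.successor = now, result["refresh_token"]
            return result
        if now - rec.superseded_at <= self.grace:
            # Retry after a lost response: return the same successor, do not rotate again.
            return {**self._access_tokens(rec.subject, now), "refresh_token": rec.successor}
        raise PermissionError("refresh token already rotated; reuse outside grace period")


class Client:
    """Does the one thing rotation requires of a client: persist the returned refresh token."""

    def __init__(self, server: RotatingTokenServer, subject: str, now: int):
        self.server = server
        self.tokens = server.login(subject, now)

    def access_token(self, now: int) -> str:
        if now < self.tokens["expires_at"]:
            return self.tokens["access_token"]
        self.tokens = self.server.exchange(self.tokens["refresh_token"], now)  # stores the NEW refresh token
        return self.tokens["access_token"]


class StaleClient(Client):
    """Bug on purpose: drops the rotated refresh token and keeps exchanging the original one."""

    def access_token(self, now: int) -> str:
        if now < self.tokens["expires_at"]:
            return self.tokens["access_token"]
        fresh = self.server.exchange(self.tokens["refresh_token"], now)
        self.tokens = {**fresh, "refresh_token": self.tokens["refresh_token"]}
        return fresh["access_token"]


def simulate(grace_seconds: int = 30) -> dict:
    """Constructed scenario: attacker copies alice's refresh token at t=0."""
    srv = RotatingTokenServer(grace_seconds=grace_seconds)
    client = Client(srv, "alice", now=0)
    stolen = client.tokens["refresh_token"]
    out = {}
    client.access_token(now=3600)                      # access token expired -> exchange -> rotation
    out["rotated"] = client.tokens["refresh_token"] != stolen
    retry = srv.exchange(stolen, now=3600 + grace_seconds)   # lost-response retry inside grace
    out["retry_ok"] = retry["refresh_token"] == client.tokens["refresh_token"]
    try:                                               # replay after grace: window has closed
        srv.exchange(stolen, now=3600 + grace_seconds + 1)
        out["replay_after_grace"] = True
    except PermissionError:
        out["replay_after_grace"] = False
    out["client_still_works"] = client.access_token(now=7200).startswith("access:alice:")
    stale = StaleClient(RotatingTokenServer(grace_seconds=grace_seconds), "bob", now=0)
    stale.access_token(now=3600)                       # first refresh works, rotated token discarded
    try:
        stale.access_token(now=7200)                   # second refresh reuses the superseded token
        out["stale_client_breaks"] = False
    except PermissionError:
        out["stale_client_breaks"] = True
    return out


if __name__ == "__main__":
    print(simulate())
```

The practitioner takeaway is the `StaleClient` case: once rotation is enabled, every refresh response may carry a new refresh token, and the client must overwrite its stored copy each time, or it will be locked out after the grace period rather than the attacker.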

This feature is available to Amazon Cognito customers using the Essentials or Plus tiers in AWS Regions where Cognito is available, including the AWS GovCloud (US) Regions. To learn more, visit the Cognito Refresh Token Developer Guide.