feat(cognito): support refresh token rotation #34360


Open · wants to merge 39 commits into base: main

Conversation

@iridescent99 iridescent99 commented May 5, 2025

Issue # (if applicable)

Closes #34344

Reason for this change

Cognito added support for short-lived refresh tokens.

Description of changes

Added refreshTokenRotation property to UserPoolClient

Describe any new or updated permissions being added

NA

Description of how you validated changes

Unit + integration tests

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added feature-request A feature should be added or improved. p2 labels May 5, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team May 5, 2025 20:05
@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label May 5, 2025
@iridescent99 iridescent99 marked this pull request as draft May 5, 2025 20:05
@iridescent99 iridescent99 changed the title Draft: feat(cognito): Support for refresh token feat(cognito): Support for refresh token May 5, 2025
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment


@iridescent99 iridescent99 changed the title feat(cognito): Support for refresh token feat(cognito): Support refresh token rotation May 5, 2025
@iridescent99 iridescent99 changed the title feat(cognito): Support refresh token rotation feat(cognito): support refresh token rotation May 15, 2025
@aws-cdk-automation aws-cdk-automation dismissed their stale review May 16, 2025 16:59

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@iridescent99 iridescent99 force-pushed the cognito/refresh-token branch from 212351e to 0544a67 on June 20, 2025 14:08
Contributor

@leonmk-aws leonmk-aws left a comment


Thank you, I have added some comments

* The state of refresh token rotation for the current app client.
* @default - undefined (CloudFormation defaults to DISABLED)
*/
readonly feature?: boolean;
Contributor


Re-reading this after the change with the boolean: I don't think we need the user to set this field: if the user passes a RefreshTokenRotation property in the UserPoolClientProps then the feature should be considered enabled.

Note: I would still keep the RefreshTokenRotation interface with only retryGracePeriodSeconds in case the service adds a new feature.

* Grace period for the original refresh token (0-60 seconds).
* @default - undefined (CloudFormation defaults value)
*/
readonly retryGracePeriodSeconds?: Duration;
Contributor


Because refreshTokenRotation is optional in the UserPoolClientOptions, this field should not be optional.

props.refreshTokenRotation.retryGracePeriodSeconds.toSeconds() > 0 ? 'ENABLED' : 'DISABLED',
retryGracePeriodSeconds: props.refreshTokenRotation.retryGracePeriodSeconds ?
props.refreshTokenRotation.retryGracePeriodSeconds.toSeconds() : 0,
} : undefined,
Contributor


I would move this logic outside of the CfnUserPoolClient creation for better readability (+ if the feature field is removed the logic can be simplified).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 23, 2025
@mergify mergify bot dismissed leonmk-aws’s stale review June 24, 2025 14:18

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 24, 2025
@iridescent99
Contributor Author

@leonmk-aws Thank you for your patience, I made the changes.

Contributor

@leonmk-aws leonmk-aws left a comment


@iridescent99 Added comments, I think you added a bug when making the latest changes

// refreshToken should always be allowed if authFlows are present
authFlows.push('ALLOW_REFRESH_TOKEN_AUTH');
// refreshToken should only be allowed if authFlows are present and refreshTokenRotation is disabled
if (!props.refreshTokenRotation || props.refreshTokenRotation.retryGracePeriodSeconds.toSeconds() === 0) {
Contributor


Your previous implementation was correct, this one is not: when the retryGracePeriodSeconds is set to 0, the feature is still enabled: you get a new refresh token and the old refresh token is invalidated immediately.

The condition here should simply be if (!props.refreshTokenRotation)

}
resource.refreshTokenRotation = props.refreshTokenRotation
? {
feature: props.refreshTokenRotation.retryGracePeriodSeconds.toSeconds() > 0 ? 'ENABLED' : 'DISABLED',
Contributor


This is not correct, the feature is enabled even if the grace period is set to 0 (see my comment above)

* Grace period for the original refresh token (0-60 seconds).
* @default - undefined (CloudFormation defaults value)
*/
readonly retryGracePeriodSeconds: Duration;
Contributor


Now that we use a duration type, retryGracePeriod would be a better name.

export interface RefreshTokenRotation {
/**
* Grace period for the original refresh token (0-60 seconds).
* @default - undefined (CloudFormation defaults value)
Contributor


There is no default anymore.
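The mapping the review above settles on (the CloudFormation `feature` is ENABLED whenever the `refreshTokenRotation` prop is present, a 0-second grace period does not disable it, the grace period stays within the 0-60 second range named in the doc comment, and `ALLOW_REFRESH_TOKEN_AUTH` is only added to the explicit auth flows when rotation is not configured), written out as an added TypeScript example. This is not the PR's own code: the `Duration` class is a minimal stand-in for `aws-cdk-lib`'s `Duration`, and `renderRefreshTokenRotation`, `renderAuthFlows` and `MAX_GRACE_SECONDS` are names chosen here for illustration.

```typescript
// Added example, not code from the aws-cdk PR. It shows the rendering and
// validation logic the reviewer describes, separated from CfnUserPoolClient
// construction so it can be unit-tested on its own.

// Minimal stand-in for aws-cdk-lib's Duration (assumption: only the
// seconds() factory and toSeconds() are needed for this example).
class Duration {
  private constructor(private readonly secs: number) {}
  static seconds(n: number): Duration { return new Duration(n); }
  toSeconds(): number { return this.secs; }
}

// Mirrors the PR's interface, using the reviewer's suggested property name.
interface RefreshTokenRotation {
  readonly retryGracePeriod: Duration;
}

// Shape of the CloudFormation-level property the L1 construct renders to.
interface CfnRefreshTokenRotation {
  feature: 'ENABLED' | 'DISABLED';
  retryGracePeriodSeconds: number;
}

// Upper bound named in the PR's doc comment ("0-60 seconds").
const MAX_GRACE_SECONDS = 60;

// Returns undefined when rotation is not configured so the property is
// omitted and CloudFormation falls back to its own default (DISABLED).
function renderRefreshTokenRotation(
  rotation?: RefreshTokenRotation,
): CfnRefreshTokenRotation | undefined {
  if (!rotation) {
    return undefined;
  }
  const secs = rotation.retryGracePeriod.toSeconds();
  if (!Number.isInteger(secs) || secs < 0 || secs > MAX_GRACE_SECONDS) {
    throw new Error(
      `retryGracePeriod must be a whole number of seconds between 0 and ${MAX_GRACE_SECONDS}, got ${secs}`,
    );
  }
  // Presence of the prop means the feature is on, even with a 0-second grace
  // period: the client still receives a new refresh token and the previous one
  // is invalidated immediately rather than being usable for a retry window.
  return { feature: 'ENABLED', retryGracePeriodSeconds: secs };
}

// Explicit auth flows: ALLOW_REFRESH_TOKEN_AUTH is appended only when rotation
// is not configured, i.e. the reviewer's `if (!props.refreshTokenRotation)`.
function renderAuthFlows(base: string[], rotation?: RefreshTokenRotation): string[] {
  const flows = [...base];
  if (!rotation && !flows.includes('ALLOW_REFRESH_TOKEN_AUTH')) {
    flows.push('ALLOW_REFRESH_TOKEN_AUTH');
  }
  return flows;
}
```

Keeping the decision in a small pure function makes the edge case the reviewer flagged (grace period 0 still means ENABLED) a one-line unit test instead of something buried in the construct body.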

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 25, 2025
@mergify mergify bot dismissed leonmk-aws’s stale review June 25, 2025 14:57

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 25, 2025
@iridescent99
Contributor Author

@leonmk-aws ok another attempt

Contributor

@leonmk-aws leonmk-aws left a comment


Added one last comment and everything will be good from my side. Then I'll ask for a security review as this is a security sensitive change.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 26, 2025
@leonmk-aws leonmk-aws added the needs-security-review Related to feature or issues that needs security review label Jun 26, 2025
@mergify mergify bot dismissed leonmk-aws’s stale review June 26, 2025 17:30

Pull request has been modified.

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 74421e7
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@aws-cdk-automation
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

Labels: beginning-contributor, feature-request, needs-security-review, p2
Development: successfully merging this pull request may close issue "(cognito): Support refresh token rotation"
3 participants