1 Answer
Hi,
Cognito doesn't validate with the external IdP during the refresh token flow. If the refresh token that is issued by Cognito is still valid, the end user can continue to get new access and ID tokens from Cognito without needing to re-authenticate with the external IdP.
If you have a use case that requires validation with the external IdP, then I'd recommend using a short-lived refresh token (1 hour is the shortest TTL for a refresh token); this will force sign-in when the token expires.
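One way to apply the advice above, as an added example that is not part of the original answer: a small helper that builds the `UpdateUserPoolClient` parameters for a 1-hour refresh token and checks them against the limits Cognito documents (refresh token 60 minutes to 10 years, access and ID tokens 5 minutes to 1 day, refresh validity not shorter than access/ID validity) before any API call. The environment variable names, the `merge_client_settings` helper and the list of read-only response fields it strips are this example's own assumptions; the boto3 calls (`describe_user_pool_client`, `update_user_pool_client`) are real.

```python
"""Added example, not from the original post: configure a short-lived
Cognito refresh token with boto3, validating the values offline first."""
import os

# Cognito's documented bounds, normalised to minutes.
_MINUTES_PER = {"seconds": 1 / 60, "minutes": 1, "hours": 60, "days": 1440}
MIN_ACCESS_ID_MINUTES = 5
MAX_ACCESS_ID_MINUTES = 24 * 60
MIN_REFRESH_MINUTES = 60            # the 1-hour floor mentioned in the answer
MAX_REFRESH_MINUTES = 3650 * 1440   # 10 years

# Assumption: fields returned by DescribeUserPoolClient that UpdateUserPoolClient
# does not accept as input.
READ_ONLY = ("ClientSecret", "CreationDate", "LastModifiedDate")


def _to_minutes(value, unit):
    if unit not in _MINUTES_PER:
        raise ValueError(f"unknown TokenValidityUnits value {unit!r}")
    if value <= 0:
        raise ValueError("token validity must be positive")
    return value * _MINUTES_PER[unit]


def build_token_validity(refresh=(1, "hours"), access=(15, "minutes"),
                         id_token=(15, "minutes")):
    """Return the validity kwargs for update_user_pool_client, or raise
    ValueError if the combination is outside Cognito's documented limits."""
    r_min = _to_minutes(*refresh)
    a_min = _to_minutes(*access)
    i_min = _to_minutes(*id_token)
    if not MIN_REFRESH_MINUTES <= r_min <= MAX_REFRESH_MINUTES:
        raise ValueError("refresh token validity must be between 60 minutes and 10 years")
    for name, minutes in (("access", a_min), ("id", i_min)):
        if not MIN_ACCESS_ID_MINUTES <= minutes <= MAX_ACCESS_ID_MINUTES:
            raise ValueError(f"{name} token validity must be between 5 minutes and 1 day")
    if r_min < max(a_min, i_min):
        raise ValueError("refresh token validity must not be shorter than access/ID validity")
    return {
        "RefreshTokenValidity": refresh[0],
        "AccessTokenValidity": access[0],
        "IdTokenValidity": id_token[0],
        "TokenValidityUnits": {
            "RefreshToken": refresh[1],
            "AccessToken": access[1],
            "IdToken": id_token[1],
        },
    }


def merge_client_settings(existing, validity):
    """UpdateUserPoolClient resets any mutable setting you omit to its default
    (callback URLs, auth flows, identity providers, ...), so start from the
    current DescribeUserPoolClient result and overlay only the validity fields."""
    params = {k: v for k, v in existing.items() if k not in READ_ONLY}
    params.update(validity)
    return params


if __name__ == "__main__":
    # Assumed environment variable names; with them unset the script stays offline.
    pool = os.environ.get("COGNITO_USER_POOL_ID")
    client_id = os.environ.get("COGNITO_CLIENT_ID")
    validity = build_token_validity()
    if pool and client_id:
        import boto3
        cognito = boto3.client("cognito-idp")
        existing = cognito.describe_user_pool_client(
            UserPoolId=pool, ClientId=client_id)["UserPoolClient"]
        cognito.update_user_pool_client(**merge_client_settings(existing, validity))
    else:
        print(validity)
```

Keep the access and ID token lifetimes short as well: Cognito only consults the refresh token's expiry when minting new tokens, so a long access token would still outlive the hour you were trying to enforce.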
Thanks! That's what I assumed. In my case, I'd like to keep the long-lived refresh tokens for user convenience, so I'm looking at ways to know if a federated identity has changed. Apple and Google both have some options:
https://developer.apple.com/documentation/sign_in_with_apple/processing_changes_for_sign_in_with_apple_accounts
https://developers.google.com/identity/protocols/risc
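As an added example that is not part of the original thread: how the Google RISC option mentioned above can be wired to Cognito so a long-lived refresh token is cut short when the upstream identity changes. Google delivers a Security Event Token (a signed JWT with an `events` claim) to your receiver endpoint; after you have verified its signature against the JWKS advertised at https://accounts.google.com/.well-known/risc-configuration and checked its `jti` against a replay store, the verified claims are handed to `plan_actions`, which maps the revocation-class event types to the Cognito usernames to sign out, and `revoke` calls the real `AdminUserGlobalSignOut` API, which invalidates the user's refresh tokens. The event-type set chosen for revocation, the default `Google_<sub>` username format for federated users, and the fake client used for testing are this example's assumptions; Apple's notification format differs and is not covered here.

```python
"""Added example, not from the original post: turn a verified Google RISC
Security Event Token into a Cognito refresh-token revocation."""

GOOGLE_ISS = "https://accounts.google.com"
RISC_PREFIX = "https://schemas.openid.net/secevent/risc/event-type/"

# Assumption: the event types after which a Cognito session minted from this
# Google identity should no longer be refreshable. "verification" is Google's
# test ping and is deliberately excluded.
REVOKE_EVENTS = {
    RISC_PREFIX + "sessions-revoked",
    RISC_PREFIX + "tokens-revoked",
    RISC_PREFIX + "account-disabled",
    RISC_PREFIX + "account-purged",
    RISC_PREFIX + "account-credential-change-required",
}


def cognito_username_for(provider_name, subject):
    """Assumption: Cognito's default username for a federated user is
    <ProviderName>_<IdP subject>, e.g. Google_1234567890."""
    return f"{provider_name}_{subject}"


def plan_actions(claims, client_id, provider_name="Google"):
    """Given the *already signature-verified* claims of a SET, return the
    Cognito usernames that should be globally signed out.

    Raises ValueError if the token is not from Google or not for this client;
    a receiver should answer such requests with 400 rather than act on them."""
    if claims.get("iss") != GOOGLE_ISS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise ValueError("SET not addressed to this client")

    usernames = []
    for event_type, event in claims.get("events", {}).items():
        if event_type not in REVOKE_EVENTS:
            continue
        subject = event.get("subject", {})
        # Google identifies the account as an iss/sub pair; ignore anything else.
        if subject.get("subject_type") != "iss-sub" or subject.get("iss") != GOOGLE_ISS:
            continue
        usernames.append(cognito_username_for(provider_name, subject["sub"]))
    return usernames


def revoke(usernames, user_pool_id, cognito=None):
    """Invalidate every refresh token of each user. The cognito parameter lets
    tests pass a stand-in; by default a real boto3 client is created."""
    if cognito is None:
        import boto3
        cognito = boto3.client("cognito-idp")
    for username in usernames:
        cognito.admin_user_global_sign_out(UserPoolId=user_pool_id, Username=username)
    return len(usernames)


if __name__ == "__main__":
    # Constructed sample claims, shaped like a sessions-revoked event.
    sample = {
        "iss": GOOGLE_ISS,
        "aud": "my-client-id.apps.googleusercontent.com",
        "jti": "example-jti",
        "iat": 1700000000,
        "events": {
            RISC_PREFIX + "sessions-revoked": {
                "subject": {"subject_type": "iss-sub", "iss": GOOGLE_ISS, "sub": "1234567890"}
            }
        },
    }
    print(plan_actions(sample, "my-client-id.apps.googleusercontent.com"))
```

After `AdminUserGlobalSignOut`, already-issued access and ID tokens still verify by signature until they expire, so this only closes the window promptly if those lifetimes are short, which is the same trade-off the answer describes for the refresh token itself.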