Deepthi

Reputation: 545

AWS Cognito refreshing tokens against a different user pool also returns valid tokens

I was trying the AWS CLI for Cognito.

I have a refresh token issued by user pool, let's say "A" with client ID "clientA".

I used this against a different user pool "B" in the same region. I specified client ID as "clientA" instead of B's own. This command worked and returned new access and ID tokens successfully.

$ aws cognito-idp admin-initiate-auth --user-pool-id "B" \
    --region eu-west-1 --client-id clientA --auth-flow REFRESH_TOKEN_AUTH \
    --auth-parameters "REFRESH_TOKEN=<refresh-token-from-A>"

It seems like AWS Cognito does not really use the "user-pool-id" parameter and only considers the client ID. Or otherwise this is a security loophole.

Upvotes: 2

Views: 229

Answers (1)

thomasmichaelwallace

Reputation: 8464

The documentation isn't massively clear about this, but the REFRESH_TOKEN flow does not use the client-id or user-pool-id as these are effectively provided by the Refresh Token itself. (Although the body won't validate without them...)

If you do some further commands on the CLI you'll see that the tokens you got back from that command only allow you to act as the originally issued client-id/user-pool-id.

Upvotes: 2
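The "further commands" the answer mentions come down to reading the claims inside the tokens that came back: Cognito pins the user pool in the `iss` claim (`https://cognito-idp.<region>.amazonaws.com/<pool-id>`) and the app client in `aud` (ID token) or `client_id` (access token). The script below is an added example, not code from the question or the answer, showing the check a resource server should make before accepting a token as belonging to its own pool and client. The tokens it inspects are constructed in place with a dummy signature and the pool names "A", "B" and "clientA" are taken from the question; in real use the signature must additionally be verified against the issuer's JWKS at `<iss>/.well-known/jwks.json`, which this claim-only check does not do.

```python
import base64
import json
import time
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified_payload(token: str) -> dict:
    """Return the JWT payload claims WITHOUT checking the signature.

    Only for inspecting which pool/client a token names. Before trusting any
    claim, verify the signature against the issuer's JWKS (<iss>/.well-known/jwks.json).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer(region: str, user_pool_id: str) -> str:
    """Cognito tokens carry iss = https://cognito-idp.<region>.amazonaws.com/<pool-id>."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def token_belongs_to(token: str, region: str, user_pool_id: str, client_id: str,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """Check that a Cognito ID or access token names the given pool and app client.

    Returns (ok, reason). The issuer pins the user pool; the audience
    (ID token: aud, access token: client_id) pins the app client.
    """
    try:
        claims = decode_unverified_payload(token)
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError too
        return False, f"malformed token: {exc}"

    if claims.get("iss") != expected_issuer(region, user_pool_id):
        return False, f"issuer {claims.get('iss')!r} is not user pool {user_pool_id}"

    token_use = claims.get("token_use")
    if token_use == "id":
        audience = claims.get("aud")
    elif token_use == "access":
        audience = claims.get("client_id")
    else:
        return False, f"unexpected token_use {token_use!r}"
    if audience != client_id:
        return False, f"{token_use} token is for client {audience!r}, not {client_id!r}"

    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, f"{token_use} token from pool {user_pool_id} for client {client_id}"


def make_constructed_token(claims: dict) -> str:
    """Build an UNSIGNED sample token (constructed for this example; the signature is a dummy)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


# Constructed samples: tokens as pool "A" would issue them for app client "clientA" (names from the question).
REGION = "eu-west-1"
FAR_FUTURE = 4102444800  # 2100-01-01 UTC, keeps the samples unexpired
ID_TOKEN_FROM_A = make_constructed_token({
    "iss": expected_issuer(REGION, "A"), "aud": "clientA", "token_use": "id",
    "sub": "user-1", "exp": FAR_FUTURE,
})
ACCESS_TOKEN_FROM_A = make_constructed_token({
    "iss": expected_issuer(REGION, "A"), "client_id": "clientA", "token_use": "access",
    "sub": "user-1", "exp": FAR_FUTURE,
})

if __name__ == "__main__":
    for name, token in [("id", ID_TOKEN_FROM_A), ("access", ACCESS_TOKEN_FROM_A)]:
        print(name, "checked against pool A:", token_belongs_to(token, REGION, "A", "clientA"))
        print(name, "checked against pool B:", token_belongs_to(token, REGION, "B", "clientA"))
```

Run against the pool the token actually came from, both checks pass; run against pool "B" they fail on the issuer, which is the point of the answer: whatever pool ID was typed into the CLI, the tokens still say "A", so a service that validates `iss` against its own pool will reject them.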
