Reputation: 3623
I am using AWS Cognito for my web app.
I logged into my webapp and got the access / refresh tokens from browser dev mode.
The access token can be decoded on https://jwt.io/:
The header is:
{
"kid": "M+aYDxi5AeOrvlUkPyNA5GmA4V8ZdTPPnr5wO6M1neU=",
"alg": "RS256"
}
The payload is:
{
"origin_jti": "0cf3100a-bfdd-49e0-bae3-12345678",
"sub": "1585d704-2985-4447-b265-12345678",
"event_id": "ead55f68-59d0-4b7f-9bb8-123",
"token_use": "access",
"scope": "aws.cognito.signin.user.admin",
"auth_time": 1646640361,
"iss": "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_123",
"exp": 1646640661,
"iat": 1646640361,
"jti": "ea239510-8fd4-497d-b2ac-05a0377d63ef",
"client_id": "123qwe",
"username": "staff"
}
However, the refresh token is not properly decoded. The header is:
{
"cty": "JWT",
"enc": "A256GCM",
"alg": "RSA-OAEP"
}
The payload is:
"v�zsV_%������$��\u0014���1��Z�c���hyE�\u0000�\u0001�9W����G�5���\n\nҴ�\t!8Mc\u0000~3}K�4��X=\"�%\u0015�2�\"S,��M��\u0000=S�\u0011r�*H9�}\u0002��t]�xU'�Lk��N\n�xB�Yg�`�m�\n�_�ey��j�o���_�lJ�e^�h\n=�\u001a�V7�!�]�5A\u0014\u0012(3��i(mu���\u0018�c�Y���ׁ��.VC��3�yk6��$b�X�5�C�Q�/���)���=\u001b|a�\u000b\f�\u0015/\u0005\u00057����aߨ`�B�.�\u000f�(]�\\�\u0007G�"
It looks like the algo for the refresh token is RSA-OAEP, and the https://jwt.io/ site does not support this algo yet.
Is there an online tool where I can get the refresh token properly decoded?
Upvotes: 8
Views: 7872
Reputation: 4686
The refresh token payload is encrypted because it's not for you. Its contents are only meant for the authorization server, which will be able to decrypt it. You only use the refresh token to request a new access token when yours expires.
You can learn how to use the refresh token in the AWS docs, and get an overview of how they work on the OAuth site.
Upvotes: 15
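As an added illustration of the answer above (example code written here, not from the question, the answer, or AWS), this Python snippet inspects a compact JOSE token without any key material: a three-segment JWS such as the access token exposes its header and claims, while a five-segment JWE such as the refresh token exposes only its protected header. The two sample tokens are constructed from the headers and claims quoted in the question, with filler bytes standing in for the real signature, wrapped key, IV, ciphertext and tag.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JOSE strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_token(token: str) -> dict:
    """Report what a compact JOSE token reveals without any key material.

    3 segments -> JWS: header and claims are readable (but unverified).
    5 segments -> JWE: only the header is readable; the rest is wrapped key,
    IV, ciphertext and authentication tag (RFC 7516 compact serialization).
    """
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError(f"unexpected segment count: {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 3:
        return {"kind": "JWS", "header": header,
                "claims": json.loads(b64url_decode(parts[1])),
                "note": "verify the signature against the issuer's JWKS first"}
    key, iv, ct, tag = (b64url_decode(p) for p in parts[1:])
    # A decoder that treats segment 2 as "the payload" prints the RSA-OAEP-
    # wrapped content-encryption key as garbage; there are no claims to read.
    return {"kind": "JWE", "header": header, "encrypted_key_bytes": len(key),
            "iv_bytes": len(iv), "ciphertext_bytes": len(ct),
            "tag_bytes": len(tag),
            "note": "ciphertext for the issuer; no claims without its private key"}

# Constructed sample: header and a few claims copied from the question; the
# third segment is zero-filled, not a valid RS256 signature.
ACCESS_TOKEN = ".".join([
    b64url_encode(json.dumps({"kid": "M+aYDxi5AeOrvlUkPyNA5GmA4V8ZdTPPnr5wO6M1neU=",
                              "alg": "RS256"}).encode()),
    b64url_encode(json.dumps({"token_use": "access", "username": "staff",
                              "exp": 1646640661}).encode()),
    b64url_encode(bytes(256)),
])
# Constructed sample: the refresh token's header from the question, then filler
# sized like an RSA-2048-wrapped key, a 96-bit GCM IV, ciphertext and a GCM tag.
REFRESH_TOKEN = ".".join([
    b64url_encode(json.dumps({"cty": "JWT", "enc": "A256GCM",
                              "alg": "RSA-OAEP"}).encode()),
    b64url_encode(bytes(range(256))), b64url_encode(bytes(12)),
    b64url_encode(bytes(300)), b64url_encode(bytes(16)),
])
```

Running `inspect_token` on a real Cognito refresh token reports the same header as in the question and byte counts for the four encrypted segments, which is all a client can learn from it.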