Cognito Refresh Token - Invalid Token Response

[jitsunen]

I am using the V2 SDK to do admin initiated auth and refresh token.
I am using ADMIN_NO_SRP_AUTH flow type to authenticate a user using username, password and it works fine.

I then try to use the returned refresh token to make another call to cognito with auth flow type REFRESH_TOKEN_AUTH and I get back a response saying "Invalid Refresh Token. (Service: CognitoIdentityProvider, Status Code: 400, Request ID: 9d635f71-b8fa-49ef-8237-14d5ba9fbc3c)".

Please note the app client id I am using doesn't have an app client secret configured. "Remember user's device" config is set to "User Opt In". MFA is turned off.

Expected Behavior

Refresh token should succeed

Current Behavior

AWS returns a http status 400 for refresh token.

Possible Solution

Steps to Reproduce (for bugs)

Authenticate code:

 Map<String, String> authParams = Map.of("USERNAME", authenticationRequest.getUserName(),
                "PASSWORD", authenticationRequest.getPassword());
        var req = AdminInitiateAuthRequest
                .builder()
                .authFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
                .userPoolId(userPoolId)
                .clientId(clientId)
                .authParameters(authParams)
                .build();
        var client = CognitoIdentityProviderClient.builder().build();
        var res = client.adminInitiateAuth(req);
        var authRes = res.authenticationResult();

Code for refresh token:

 Map<String, String> authParams = Map.of("REFRESH_TOKEN", refreshTokenReq.getRefreshToken());
        var req = AdminInitiateAuthRequest
                .builder()
                .authFlow(AuthFlowType.REFRESH_TOKEN_AUTH)
                .userPoolId(userPoolId)
                .clientId(clientId)
                .authParameters(authParams)
                .build();
        var client = CognitoIdentityProviderClient.builder().build();
        var res = client.adminInitiateAuth(req);
        var authRes = res.authenticationResult();

Context

Your Environment

• AWS Java SDK version used: software.amazon.awssdk@2.7.26
• JDK version used: 11
• Operating System and version:

[jitsunen]

I had to pass in the device key, even if the remember user's device is set to "Opt In". Not a bug, thanks.

[sheshpipra]

Hello I tried with same thing in java-sdk with version <1.11.360> but got the below error

com.amazonaws.services.cognitoidp.model.NotAuthorizedException: Invalid Refresh Token. (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: NotAuthorizedException; Request ID: be8a58b5-5a20-4cb6-be21-cb06e5e38159)

here is my code ::

final Map<String, String> authParams = new HashMap<>();
authParams.put(USERNAME, authenticationRequest.getUsername());
authParams.put(PASS_WORD, authenticationRequest.getPassword());

		InitiateAuthRequest initiateAuthRequest = new InitiateAuthRequest().withAuthFlow(AuthFlowType.USER_PASSWORD_AUTH).withClientId(cognitoConfig.getClientId());
		InitiateAuthResult result = cognitoClient.initiateAuth(initiateAuthRequest);
		System.out.println("result " + result);
		}catch (Exception e) {
			System.out.println(e);
		}

		
		
		//test the refresh token
		try {

		final Map<String, String> authParams1 = new HashMap<>();
		authParams1.put("REFRESH_TOKEN", "");

		final AdminInitiateAuthRequest authRequest1 = new AdminInitiateAuthRequest();
		authRequest1.withAuthFlow(AuthFlowType.REFRESH_TOKEN).withClientId(cognitoConfig.getClientId())
				.withUserPoolId(cognitoConfig.getPoolId()).withAuthParameters(authParams1);
		AdminInitiateAuthResult result1 = cognitoClient.adminInitiateAuth(authRequest1);
		System.out.println("result " + result1);
		} catch (Exception e) {
			System.out.println(e);
		}

for me I make device tracking is Always
please check and suggest me If I am missing something..