Brendan McKenzie

AWS Cognito and the Tradeoff Between Convenience and Security in Token Renewal

Wednesday, 12 April 2023

AWS Cognito is a fully managed service that provides user authentication, authorisation, and user management for web and mobile applications. One of its features is the use of refresh tokens to renew access tokens (and ID tokens). Refresh tokens are long-lived tokens (the app client's refresh token validity, 30 days by default and configurable between 60 minutes and 10 years) that can be exchanged for new short-lived access tokens without requiring users to re-enter their credentials.

However, at the time of writing AWS Cognito does not renew refresh tokens themselves: the refresh flow returns new access and ID tokens only, and once the refresh token reaches its configured expiry the user must sign in again. This is because refresh tokens are more powerful than access tokens. If a refresh token were compromised and could itself be renewed, an attacker could obtain new access tokens indefinitely, giving them ongoing access to the user's resources.

To obtain a new access token, AWS Cognito requires the client to present a valid, unexpired refresh token (the REFRESH_TOKEN_AUTH flow). This proves that whoever is calling still possesses the refresh token, but possession alone cannot tell Cognito whether that party is the legitimate user or an attacker. That is why AWS Cognito fixes the refresh token's lifetime at sign-in and does not extend it: renewing refresh tokens would extend the lifespan of a compromised one, increasing the risk of an attacker obtaining ongoing access to a user's resources. Two practical consequences follow. First, a stolen refresh token remains usable until it expires unless it is explicitly revoked (the RevokeToken API or a global sign-out), so the configured validity is the upper bound on that exposure and should be chosen accordingly. Second, access tokens that have already been issued are plain JWTs; if your own services validate them locally against the user pool's JWKS rather than calling Cognito, they stay valid until their own expiry even after the refresh token is revoked.
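The following Python is an added example (not code from the original post) of how a client should handle this lifecycle: renew the access token from the refresh token while it is valid, and fall back to a full sign-in once the refresh token itself expires, since no API will extend it. Cognito's refresh tokens are opaque (not JWTs), so their expiry is derived here from the sign-in time and the app client's configured validity. The `refresh_with_boto3` helper shows the real `InitiateAuth` call shape; the `demo` function drives the session with constructed, unsigned sample tokens and a fake refresh callback so the module runs offline. The `SECRET_HASH` computation is the documented Base64(HMAC-SHA256(client secret, username + client ID)); all token values, timestamps and the "opaque-refresh-token" string are constructed sample data.

```python
"""Client-side Cognito token handling: refresh access tokens, never refresh tokens."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional


class ReauthenticationRequired(Exception):
    """The refresh token itself has expired; only a fresh sign-in can fix that."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def jwt_expiry(token: str) -> int:
    """Read the `exp` claim of an access/ID token WITHOUT verifying it.

    Only used client-side to decide when to refresh; any authorization decision
    must verify the signature against the user pool's JWKS instead.
    """
    return int(json.loads(_b64url_decode(token.split(".")[1]))["exp"])


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
    Required in AuthParameters when the app client has a client secret."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def refresh_with_boto3(cognito_idp, client_id: str, refresh_token: str,
                       client_secret: Optional[str] = None,
                       username: Optional[str] = None) -> Dict[str, str]:
    """Exchange a refresh token for new access/ID tokens via InitiateAuth.

    `cognito_idp` is assumed to be a boto3 'cognito-idp' client (not created here so
    the module runs offline). The returned AuthenticationResult never contains a
    RefreshToken: the one you sent remains the only one you have.
    """
    params = {"REFRESH_TOKEN": refresh_token}
    if client_secret is not None:
        params["SECRET_HASH"] = secret_hash(username or "", client_id, client_secret)
    resp = cognito_idp.initiate_auth(ClientId=client_id, AuthFlow="REFRESH_TOKEN_AUTH",
                                     AuthParameters=params)
    return resp["AuthenticationResult"]


class CognitoSession:
    """Holds one user's tokens and renews the access token on demand."""

    def __init__(self, auth_result: Dict[str, str], login_time: float,
                 refresh_token_validity_s: int,
                 refresh_fn: Callable[[str], Dict[str, str]], skew_s: int = 60):
        self.access_token = auth_result["AccessToken"]
        self.id_token = auth_result["IdToken"]
        self.refresh_token = auth_result["RefreshToken"]
        # Refresh tokens are opaque, so their expiry comes from the app client's
        # RefreshTokenValidity plus the sign-in time, and it never moves.
        self.refresh_expires_at = login_time + refresh_token_validity_s
        self.refresh_fn = refresh_fn
        self.skew_s = skew_s
        self.refresh_count = 0

    def get_access_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if jwt_expiry(self.access_token) - self.skew_s > now:
            return self.access_token  # still fresh, no network call
        if now >= self.refresh_expires_at:
            # Hard stop: this bound is what limits a stolen refresh token's usefulness.
            raise ReauthenticationRequired("refresh token expired; sign in again")
        result = self.refresh_fn(self.refresh_token)
        self.access_token = result["AccessToken"]
        self.id_token = result["IdToken"]
        self.refresh_count += 1
        return self.access_token


def fake_jwt(exp: int, sub: str = "user-1") -> str:
    """Constructed, unsigned stand-in for a Cognito JWT (sample data only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "test"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "exp": exp}).encode())
    return f"{header}.{payload}.fakesignature"


def demo() -> Dict[str, object]:
    """Constructed timeline: 1-hour access tokens, 30-day refresh token (Cognito's default)."""
    t0 = 1_700_000_000
    clock = {"now": t0}

    def refresh(refresh_token: str) -> Dict[str, object]:
        # Same shape as Cognito's AuthenticationResult for REFRESH_TOKEN_AUTH: no RefreshToken.
        assert refresh_token == "opaque-refresh-token"
        return {"AccessToken": fake_jwt(clock["now"] + 3600), "IdToken": fake_jwt(clock["now"] + 3600),
                "TokenType": "Bearer", "ExpiresIn": 3600}

    session = CognitoSession(
        {"AccessToken": fake_jwt(t0 + 3600), "IdToken": fake_jwt(t0 + 3600),
         "RefreshToken": "opaque-refresh-token"},
        login_time=t0, refresh_token_validity_s=30 * 24 * 3600, refresh_fn=refresh)
    session.get_access_token(now=t0 + 10)        # cached token, no refresh
    clock["now"] = t0 + 3700
    session.get_access_token(now=clock["now"])   # access token expired: one refresh
    refreshes = session.refresh_count
    clock["now"] = t0 + 31 * 24 * 3600           # past the refresh token's lifetime
    try:
        session.get_access_token(now=clock["now"])
        forced_reauth = False
    except ReauthenticationRequired:
        forced_reauth = True
    return {"refreshes": refreshes, "forced_reauth": forced_reauth,
            "refresh_token_unchanged": session.refresh_token == "opaque-refresh-token"}
```

The point the demo makes is in its last two results: after a successful refresh the session still holds the original refresh token with its original expiry, and once that expiry passes the only correct action is to send the user back through sign-in. Pick `refresh_token_validity_s` from the app client configuration rather than hard-coding it, and remember that revoking the refresh token (RevokeToken or a global sign-out) ends its usefulness early but does not shorten the life of access tokens your own services validate locally.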

In conclusion, AWS Cognito's approach of using refresh tokens to renew access tokens while not renewing the refresh tokens themselves is designed to balance convenience with security. Requiring a valid refresh token for every new access token keeps users signed in without re-entering credentials, and fixing the refresh token's lifetime at sign-in bounds how long a compromised one can be abused, helping protect users' resources from unauthorised access.