Skip to content

feat(cognito): support refresh token rotation #34360

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 50 commits into from
Aug 25, 2025
Merged

feat(cognito): support refresh token rotation #34360

merged 50 commits into from
Aug 25, 2025

Conversation

@iridescent99
Copy link
Contributor

@iridescent99 iridescent99 commented May 5, 2025
edited
Loading

Issue # (if applicable)

Closes #34344

Reason for this change

Cognito added support for short-lived refresh tokens.

Description of changes

Added refreshTokenRotationGracePeriod property to UserPoolClient

Describe any new or updated permissions being added

NA

Description of how you validated changes

Unit + integration tests

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added feature-request A feature should be added or improved. p2 labels May 5, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team May 5, 2025 20:05
@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label May 5, 2025
@iridescent99 iridescent99 marked this pull request as draft May 5, 2025 20:05
@iridescent99 iridescent99 changed the title Draft: feat(cognito): Support for refresh token feat(cognito): Support for refresh token May 5, 2025
aws-cdk-automation
aws-cdk-automation previously requested changes May 5, 2025
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(This review is outdated)

@iridescent99 iridescent99 changed the title feat(cognito): Support for refresh token feat(cognito): Support refresh token rotation May 5, 2025
@iridescent99 iridescent99 changed the title feat(cognito): Support refresh token rotation feat(cognito): support refresh token rotation May 15, 2025
@aws-cdk-automation aws-cdk-automation dismissed their stale review May 16, 2025 16:59

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@mergify mergify bot dismissed leonmk-aws’s stale review July 30, 2025 18:31

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jul 30, 2025
@iridescent99
Copy link
Contributor Author

Thanks! This okay?

leonmk-aws
leonmk-aws previously approved these changes Jul 31, 2025
View reviewed changes
Copy link
Contributor

@leonmk-aws leonmk-aws left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small comment, feel free to add your opinion on it

packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts Outdated
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html#using-the-refresh-token-rotation
* @default - undefined (refresh token rotation is disabled)
*/
readonly refreshTokenGracePeriod?: Duration;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think having the variable named refreshTokenRotationGracePeriod would bring visibility that this is only effective when using refresh token rotation because people could get confused that this sets a grace period when not using the refresh token rotation feature. Also I think updating the documentation to make it clear that this enables the refresh token rotation feature would be valuable (the README is very clear in that regard, but having it here as well would be important even if the link to the doc is provided).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be more clear: before the changes of yesterday, it was very clear for the user that this field only is only effective when enabling refresh token rotation and I feel that when flattening we slightly lost this clarity and we can improve this.

Copy link
Contributor Author

@iridescent99 iridescent99 Aug 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's fair, I was having doubts about the description here as well. Sorry about the name, I didnt read that correctly.

So I will change the name to refreshTokenRotationGracePeriod.
and for the description this ok?

Enables refresh token rotation when set.
Defines the grace period for the original refresh token (0-60 seconds).

Can I still push these changes after approval?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you can make changes after approval

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jul 31, 2025
@mergify
Copy link
Contributor

mergify bot commented Aug 4, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@ozelalisen ozelalisen self-assigned this Aug 4, 2025
@mergify
Copy link
Contributor

mergify bot commented Aug 4, 2025

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

@mergify mergify bot dismissed leonmk-aws’s stale review August 6, 2025 19:24

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 83e770a
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Aug 6, 2025
ozelalisen
ozelalisen previously requested changes Aug 14, 2025
View reviewed changes
Copy link
Member

@ozelalisen ozelalisen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you resolve merge conflicts?

@mergify mergify bot dismissed ozelalisen’s stale review August 16, 2025 18:50

Pull request has been modified.

ozelalisen
ozelalisen previously approved these changes Aug 25, 2025
View reviewed changes
Copy link
Member

@ozelalisen ozelalisen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mergify
Copy link
Contributor

mergify bot commented Aug 25, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Copy link
Contributor

mergify bot commented Aug 25, 2025

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

@mergify mergify bot dismissed ozelalisen’s stale review August 25, 2025 08:55

Pull request has been modified.

@mergify
Copy link
Contributor

mergify bot commented Aug 25, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 74f8ad9 into aws:main Aug 25, 2025
21 checks passed
@github-actions
Copy link
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 25, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@leonmk-aws leonmk-aws leonmk-aws left review comments

@ozelalisen ozelalisen ozelalisen approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees

@ozelalisen ozelalisen

@leonmk-aws leonmk-aws

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK feature-request A feature should be added or improved. p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(cognito): Support refresh token rotation

4 participants

@iridescent99 @aws-cdk-automation @leonmk-aws @ozelalisen