Skip to content

feat(cognito): support refresh token rotation #34360

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 50 commits into from
Aug 25, 2025
Merged

feat(cognito): support refresh token rotation #34360

Changes from 1 commit
Commits
Show all changes
50 commits
Select commit Hold shift + click to select a range
b52d6de
interface
May 5, 2025
e4a01f1
refresh token rotation
iridescent99 May 15, 2025
31471b4
Merge branch 'main' into cognito/refresh-token
iridescent99 May 15, 2025
99b71fd
Add tests + readme
iridescent99 May 15, 2025
8c49a97
mc
iridescent99 May 15, 2025
66d17dd
cleanup
iridescent99 May 15, 2025
50e0606
cleanup
iridescent99 May 15, 2025
1709d36
ok
iridescent99 May 15, 2025
a387ed9
fixpj
iridescent99 May 15, 2025
9b46947
readonly
iridescent99 May 15, 2025
bba77e7
Merge branch 'main' into cognito/refresh-token
iridescent99 May 15, 2025
df72d98
test
iridescent99 May 15, 2025
457574e
fix
iridescent99 May 15, 2025
299ce0c
linting
iridescent99 May 16, 2025
c078599
tests
iridescent99 May 16, 2025
d9436d8
fixtest
iridescent99 May 16, 2025
97d5352
unittests
iridescent99 May 16, 2025
14e0723
tests
iridescent99 May 16, 2025
ac0bef5
Merge branch 'main' into cognito/refresh-token
iridescent99 May 16, 2025
1797e9c
align
iridescent99 May 16, 2025
d710bc6
ok
iridescent99 May 16, 2025
948372e
fixes
iridescent99 May 16, 2025
cfdc187
Merge branch 'main' into cognito/refresh-token
iridescent99 May 16, 2025
062bc62
trailingcomma
iridescent99 May 16, 2025
acbad9e
Merge branch 'cognito/refresh-token' of github.com:iridescent99/aws-c…
iridescent99 May 16, 2025
d725562
Merge branch 'main' into cognito/refresh-token
iridescent99 Jun 19, 2025
a66dd6a
feedback
iridescent99 Jun 19, 2025
2be35a8
lint
iridescent99 Jun 20, 2025
1925a66
lint
iridescent99 Jun 20, 2025
0544a67
ok
iridescent99 Jun 20, 2025
bb498b9
identation
iridescent99 Jun 20, 2025
e8c25c3
Merge branch 'main' into cognito/refresh-token
iridescent99 Jun 24, 2025
7221dc8
Remove feature from interface
iridescent99 Jun 24, 2025
acc574c
linter
iridescent99 Jun 24, 2025
91740dc
integ test
iridescent99 Jun 24, 2025
3d209e3
Remove redundant duration constraint check
iridescent99 Jun 24, 2025
60d5e9c
changes
iridescent99 Jun 25, 2025
4c2007c
remove redundant test
iridescent99 Jun 25, 2025
74421e7
do not set undefined
iridescent99 Jun 26, 2025
0adb323
mc
iridescent99 Jul 17, 2025
f2d0e69
Merge branch 'main' into cognito/refresh-token
iridescent99 Jul 30, 2025
4648851
flatten
iridescent99 Jul 30, 2025
9e69d5d
ok
iridescent99 Jul 30, 2025
d8e3479
readme
iridescent99 Jul 30, 2025
be7a6c9
shorten
iridescent99 Jul 30, 2025
ca76127
lint
iridescent99 Jul 30, 2025
83e770a
Merge branch 'main' into cognito/refresh-token
ozelalisen Aug 6, 2025
ad0a2c5
mc
iridescent99 Aug 16, 2025
bd067be
propname
iridescent99 Aug 16, 2025
07162a8
Merge branch 'main' into cognito/refresh-token
ozelalisen Aug 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -234,6 +234,23 @@ export class UserPoolClientIdentityProvider {
}
}

/**
* The configuration of your app client for refresh token rotation.
*/
export interface RefreshTokenRotation {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-reading this we actually don't need to have an interface given that there is a single field for the retryGracePeriod we can move this to the UserPoolClientOptions and line up with the https://github.com/aws/aws-cdk/blob/ff95e3cd54b4bfa0c2b1d92350f2f5583774dcf4/docs/DESIGN_GUIDELINES.md#flat (when I first reviewed the PR I was under the impression that we would need multiple properties in this interface but it's not the case)
A suitable variable name would be something like refreshTokenRotationGracePeriod

/**
* The state of refresh token rotation for the current app client.
* @default - undefined (CloudFormation defaults to DISABLED)
*/
readonly feature?: 'ENABLED' | 'DISABLED';

/**
* Grace period for the original refresh token (0-60 seconds).
* @default - undefined (CloudFormation defaults value)
*/
readonly retryGracePeriodSeconds?: number;
}

/**
* Options to create a UserPoolClient
*/
Expand Down Expand Up @@ -321,6 +338,13 @@ export interface UserPoolClientOptions {
*/
readonly accessTokenValidity?: Duration;

/**
* Configuration for refresh token rotation
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html#using-the-refresh-token-rotation
* @default - undefined (refresh token rotation is disabled)
*/
refreshTokenRotation?: RefreshTokenRotation;

/**
* The set of attributes this client will be able to read.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
Expand Down
Loading