Cognito user pool (with device tracking ON): Session refresh fails with error - "Invalid Refresh Token"

[triton3]

Issue

Using refresh token with Cognito user pool in an attempt to fetch new ID and access token fails, despite sending device key in the request. The user pool has device tracking enabled. The refresh token is still valid for another 30 days in this particular instance (it works when I switch OFF device tracking on the user pool).

What was attempted

I am trying to retrieve new ID and access tokens using cognito refresh token, through the InitiateAuth API. The user pool on cognito has device tracking enabled. Based on this SO answer and this AWS forums discussion, I added the DEVICE_KEY parameter for REFRESH_TOKEN_AUTH auth flow. As per the documentation, I dont see any other required AuthParameters in the request.

The initiate auth payload being sent out is as follows (refresh token is truncated, device key and client id are masked):

Initiating refresh request:
{
   "AuthFlow" : "REFRESH_TOKEN_AUTH",
   "AuthParameters" : {
      "DEVICE_KEY" : "us-east-1_11111111-1111-111a-1111-11a1111bc0",
      "REFRESH_TOKEN" : "eyJjdHkiOiJKV1QiLC..."
   },
   "ClientId" : "123abcdefghi123"
}

Result

NotAuthorizedException - Invalid Refresh Token

What else was attempted

When I disabled device tracking on the cognito user pool, the refresh token works fine and is able to retrieve new access/ID tokens.

What platform/OS are you using?

macOS High Sierra Version 10.13.4

What compiler are you using? what version?

Apple LLVM 9.0
Aws cpp sdk Version: 1.4.31

What's your CMake arguments?

/Applications/CMake.app/Contents/bin/cmake -Wno-dev \
	-DCMAKE_BUILD_TYPE=Release \
    -DCUSTOM_MEMORY_MANAGEMENT=0 \
    -DSTATIC_LINKING=1 \
    -DBUILD_ONLY="lambda;identity-management;dynamodb;cognito-identity;cognito-idp;cognito-sync;email;sns" \
    $WORKSPACE/aws-sdk-cpp

Can you provide a TRACE level log? (sanitize any sensitive information)

[INFO] 2018-04-24 15:30:25 Aws_Init_Cleanup [0x100bc1380] Initiate AWS SDK for C++ with Version:1.4.31
[INFO] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] Initializing Curl library
[TRACE] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Checking HOME for the home directory.
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Environment value for variable HOME is /Users/currUser
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Home directory is missing the final / appending one to normalize
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Final Home Directory is /Users/currUser/
[INFO] 2018-04-24 15:30:25 Aws::Config::AWSConfigFileProfileConfigLoader [0x100bc1380] Initializing config loader against fileName /Users/currUser//.aws/config and using profilePrefix = 1
[TRACE] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Checking HOME for the home directory.
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Environment value for variable HOME is /Users/currUser
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Home directory is missing the final / appending one to normalize
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Final Home Directory is /Users/currUser/
[INFO] 2018-04-24 15:30:25 Aws::Config::AWSConfigFileProfileConfigLoader [0x100bc1380] Initializing config loader against fileName /Users/currUser//.aws/credentials and using profilePrefix = 0
[TRACE] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Checking HOME for the home directory.
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Environment value for variable HOME is /Users/currUser
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Home directory is missing the final / appending one to normalize
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Final Home Directory is /Users/currUser/
[TRACE] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Checking HOME for the home directory.
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Environment value for variable HOME is /Users/currUser
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Home directory is missing the final / appending one to normalize
[DEBUG] 2018-04-24 15:30:25 FileSystemUtils [0x100bc1380] Final Home Directory is /Users/currUser/
[INFO] 2018-04-24 15:30:25 ProfileConfigFileAWSCredentialsProvider [0x100bc1380] Setting provider to read credentials from /Users/currUser//.aws/credentials for credentials file and /Users/currUser//.aws/config for the config file , for use with profile default
[INFO] 2018-04-24 15:30:25 EC2MetadataClient [0x100bc1380] Creating HttpClient with max connections2 and scheme http
[INFO] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Initializing CurlHandleContainer with size 2
[INFO] 2018-04-24 15:30:25 InstanceProfileCredentialsProvider [0x100bc1380] Creating Instance with default EC2MetadataClient and refresh rate 900000
[DEBUG] 2018-04-24 15:30:25 Aws::Config::ConfigFileProfileFSM [0x100bc1380] found profile default
[DEBUG] 2018-04-24 15:30:25 Aws::Config::ConfigFileProfileFSM [0x100bc1380] found access key 
[INFO] 2018-04-24 15:30:25 Aws::Config::AWSProfileConfigLoader [0x100bc1380] Successfully reloaded configuration.
[TRACE] 2018-04-24 15:30:25 Aws::Config::AWSProfileConfigLoader [0x100bc1380] reloaded config at 2018-04-24T10:00:25Z
[DEBUG] 2018-04-24 15:30:25 InstanceProfileCredentialsProvider [0x100bc1380] Checking if latest credential pull has expired.
[INFO] 2018-04-24 15:30:25 InstanceProfileCredentialsProvider [0x100bc1380] Credentials have expired attempting to repull from EC2 Metadata Service.
[TRACE] 2018-04-24 15:30:25 EC2MetadataClient [0x100bc1380] Getting default credentials for ec2 instance
[TRACE] 2018-04-24 15:30:25 EC2MetadataClient [0x100bc1380] Calling Ec2MetadataService at http://169.254.169.254/latest/meta-data/iam/security-credentials
[TRACE] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] Making request to http://169.254.169.254/latest/meta-data/iam/security-credentials
[TRACE] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] Including headers:
[TRACE] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] host: 169.254.169.254
[DEBUG] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Attempting to acquire curl connection.
[DEBUG] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] No current connections available in pool. Attempting to create new connections.
[DEBUG] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] attempting to grow pool size by 2
[INFO] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Pool grown by 2
[INFO] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Connection has been released. Continuing.
[DEBUG] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Returning connection handle 0x10400b000
[DEBUG] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] Obtained connection handle 0x10400b000
[ERROR] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] Curl returned error code 7
[DEBUG] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Releasing curl handle 0x10400b000
[DEBUG] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Notified waiting threads.
[ERROR] 2018-04-24 15:30:25 EC2MetadataClient [0x100bc1380] Http request to Ec2MetadataService failed.
[INFO] 2018-04-24 15:30:25 Aws::Config::AWSProfileConfigLoader [0x100bc1380] Failed to reload configuration.
[INFO] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Initializing CurlHandleContainer with size 25
[TRACE] 2018-04-24 15:30:25 AWSClient [0x100bc1380] Found body, but content-length has not been set, attempting to compute content-length
[DEBUG] 2018-04-24 15:30:25 InstanceProfileCredentialsProvider [0x100bc1380] Checking if latest credential pull has expired.
[DEBUG] 2018-04-24 15:30:25 AWSClient [0x100bc1380] Request Successfully signed
[TRACE] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] Making request to https://cognito-idp.us-east-1.amazonaws.com/
[TRACE] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] Including headers:
[TRACE] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] content-length: 2111
[TRACE] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] content-type: application/x-amz-json-1.1
[TRACE] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] host: cognito-idp.us-east-1.amazonaws.com
[TRACE] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] user-agent: aws-sdk-cpp/1.4.31 Darwin/17.5.0 x86_64
[TRACE] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] x-amz-target: AWSCognitoIdentityProviderService.InitiateAuth
[DEBUG] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Attempting to acquire curl connection.
[DEBUG] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] No current connections available in pool. Attempting to create new connections.
[DEBUG] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] attempting to grow pool size by 2
[INFO] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Pool grown by 2
[INFO] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Connection has been released. Continuing.
[DEBUG] 2018-04-24 15:30:25 CurlHandleContainer [0x100bc1380] Returning connection handle 0x10200de00
[DEBUG] 2018-04-24 15:30:25 CurlHttpClient [0x100bc1380] Obtained connection handle 0x10200de00
[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] HTTP/1.1 100 Continue

[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] 

[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] HTTP/1.1 400 Bad Request

[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] Date: Tue, 24 Apr 2018 10:00:27 GMT

[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] Content-Type: application/x-amz-json-1.1

[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] Content-Length: 70

[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] Connection: keep-alive

[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] x-amzn-RequestId: 50222b82-47a6-11e8-8710-e70d9542f9ee

[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] x-amzn-ErrorType: NotAuthorizedException:

[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] x-amzn-ErrorMessage: Invalid Refresh Token.

[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] 

[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] 70 bytes written to response.
[DEBUG] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] Returned http response code 400
[DEBUG] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] Returned content type application/x-amz-json-1.1
[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] Response content-length header: 70
[TRACE] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] Response body length: 70
[DEBUG] 2018-04-24 15:30:27 CurlHttpClient [0x100bc1380] Releasing curl handle 0x10200de00
[DEBUG] 2018-04-24 15:30:27 CurlHandleContainer [0x100bc1380] Releasing curl handle 0x10200de00
[DEBUG] 2018-04-24 15:30:27 CurlHandleContainer [0x100bc1380] Notified waiting threads.
[DEBUG] 2018-04-24 15:30:27 AWSClient [0x100bc1380] Request returned error. Attempting to generate appropriate error codes from response
[TRACE] 2018-04-24 15:30:27 AWSErrorMarshaller [0x100bc1380] Error response is {
   "__type" : "NotAuthorizedException",
   "message" : "Invalid Refresh Token."
}

[WARN] 2018-04-24 15:30:27 AWSErrorMarshaller [0x100bc1380] Encountered AWSError 'NotAuthorizedException': Invalid Refresh Token.
[WARN] 2018-04-24 15:30:27 AWSClient [0x100bc1380] If the signature check failed. This could be because of a time skew. Attempting to adjust the signer.
[DEBUG] 2018-04-24 15:30:27 AWSClient [0x100bc1380] Server time is Tue, 24 Apr 2018 10:00:27 GMT, while client time is Tue, 24 Apr 2018 10:00:27 GMT

[codyseibert]

We are seeing this same issue, and we are able to reproduce it via POSTman by hitting the AWS api with POST@https://cognito-idp.us-east-1.amazonaws.com/

[KaibaLopez]

Hi @triton3 ,
Soryr for the lack of response here, it definitely flew under our radar, I am unable to reproduce this error on my side so I'm wondering is this still an issue?

[github-actions]

Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.

[Rimsha-Naaz]

Yes the issue still persists @KaibaLopez

[EnkhAmar]

I have this issue now. When I turn off the device tracking, It is working fine.

My request

{
    "AuthParameters": {
        "DEVICE_KEY": "{{deviceKey}}",
        "REFRESH_TOKEN": "{{refreshToken}}"
    },
    "AuthFlow": "REFRESH_TOKEN_AUTH",
    "ClientId": "{{clientId}}"
}

Coming response

{
    "__type": "NotAuthorizedException",
    "message": "Invalid Refresh Token."
}

[parthyadav01]

According to
https://repost.aws/knowledge-center/cognito-invalid-refresh-token-error
Refresh token obtained using user_password_auth flow or admin_user_password_auth flows (for the first login) cannot be used to obtain access and Id tokens. First intiate auth must be called using SRP_AUTH , only then the refresh token be used.