anyone know what cognito's refresh token behavior ...
# generalm
Mike Nissenbaum
05/24/2022, 9:02 PManyone know what cognito's refresh token behavior is upon a password change (called from Amplify)? will it invalidate any refresh token that may be floating around?
k
Kevin Grimm
05/24/2022, 11:28 PMI don't know off the top of my head, but am wondering if there if a flag/param that you would be able to pass through the SDK that would allow you to optionally refresh all outstanding tokens
l
Lukasz K
05/25/2022, 12:17 PMYou'd need to call the invalidation method from sdk (if you enabled invalidation in the Pool)
Lukasz K
05/25/2022, 12:20 PMFunnily enough, there are two of those.. RevokeToken and GlobalSignOut.
Revoke straight up revokes the refresh token and all access tokens related.
Sign out revokes refresh token, logs you out from device sessions, but does not invalidate access token.
Guess you're looking for this one:
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
m
Mike Nissenbaum
05/25/2022, 3:06 PMcool. thank you! i think revocation/invalidation belong to the cognito clients and not the user pool