Description:
We're experiencing an issue where the AWS Amplify SDK seems to revoke the refresh token prematurely, even though:
No global sign-out is initiated.
The refresh token has not reached its configured expiration.
This results in users being unexpectedly signed out or receiving authentication errors, despite their session and refresh token still being valid by configuration.
Cognito Configuration:
Refresh Token Expiration: 3 months
Session Expiration (Access Token Validity): 24 hours
Observed Behavior:
Users are logged out or are unable to refresh their session after a short period (sometimes just a few days), with errors indicating that the refresh token is invalid or expired.
This occurs without any global sign-out action or manual token invalidation.
Expected Behavior:
The refresh token should remain valid for the full 3-month period as configured, unless explicitly revoked (e.g., via global sign-out or admin action).
SDK Version:
aws-amplify version: "com.amplifyframework:aws-auth-cognito:2.20.0"
Additional Context:
We have verified that:
The refresh token is not expired.
There are no policies or triggers in place that revoke tokens unexpectedly.
Users are not signing in from multiple devices frequently enough to exceed token limits.
This seems to point to an issue within the Amplify SDK’s token management, potentially related to how sessions are persisted or rehydrated.
Suggested Fix / Questions:
Could there be a bug in the session caching/refresh logic in the SDK?
Is there any recommended workaround to prevent premature refresh token invalidation?