AWS cognito documentation change
Summary
Clarified default refresh token durations for console vs programmatic app client creation
Security assessment
Adds documentation about security-relevant token expiration defaults but does not address a specific security issue.
Diff
diff --git a/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.md b/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.md index 285d979cf..609f4e00d 100644 --- a/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.md +++ b/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.md @@ -9 +9 @@ Refreshing tokensRevoking refresh tokens -You can use the refresh token to retrieve new ID and access tokens. By default, the refresh token expires 30 days after your application user signs into your user pool. When you create an application for your user pool, you can set the application's refresh token expiration to any value between 60 minutes and 10 years. +You can use the refresh token to retrieve new ID and access tokens. App clients default to a five-day refresh token duration when you create them in the Amazon Cognito console, and 30 days when you create them programmatically with the [CreateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html) API operation. When you create an application for your user pool, you can set the application's refresh token expiration to any value between 60 minutes and 10 years.