AWS Security ChangesHomeSearch

AWS cognito medium security documentation change

Service: cognito · 2025-04-16 · Security-related medium

File: cognito/latest/developerguide/federation-endpoints-oauth-grants.md

Summary

Added documentation about PKCE support and refresh token grants

Security assessment

PKCE (Proof Key for Code Exchange) is a security feature that prevents authorization code interception attacks. Explicitly documenting support qualifies as security documentation addition

Diff

diff --git a/cognito/latest/developerguide/federation-endpoints-oauth-grants.md b/cognito/latest/developerguide/federation-endpoints-oauth-grants.md
index 565da542a..fe4e92e03 100644
--- a//cognito/latest/developerguide/federation-endpoints-oauth-grants.md
+++ b//cognito/latest/developerguide/federation-endpoints-oauth-grants.md
@@ -12 +12 @@ The Amazon Cognito user pool OAuth 2.0 authorization server issues tokens in res
-In response to your successful authentication request, the authorization server appends an authorization code in a `code` parameter to your callback URL. You must then exchange the code for ID, access, and refresh tokens with the [Token endpoint](./token-endpoint.html). To request an authorization code grant, set `response_type` to `code` in your request. For an example request, see [Authorization code grant](./authorization-endpoint.html#sample-authorization-code-grant).
+In response to your successful authentication request, the authorization server appends an authorization code in a `code` parameter to your callback URL. You must then exchange the code for ID, access, and refresh tokens with the [Token endpoint](./token-endpoint.html). To request an authorization code grant, set `response_type` to `code` in your request. For an example request, see [Authorization code grant](./authorization-endpoint.html#sample-authorization-code-grant). Amazon Cognito supports [Proof Key for Code Exchange (PKCE)](./using-pkce-in-authorization-code.html) in authorization code grants.
@@ -31,0 +32,5 @@ Client credentials grants add costs to your AWS bill. For more information, see
+**Refresh token**
+    
+
+You can request a refresh token grant directly from the [Token endpoint](./token-endpoint.html). This grant returns new ID and access tokens in exchange for a valid refresh token.
+