AWS AWSCloudFormation documentation change
Summary
Expanded documentation for RefreshTokenRotation property, including grace period configuration for token invalidation.
Security assessment
Documents refresh token rotation, a security best practice to mitigate stolen token risks. Grace period configuration allows controlled token revocation but does not address a specific vulnerability.
Diff
diff --git a/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.md b/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.md index 76ddea284..557d9b777 100644 --- a//AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.md +++ b//AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.md @@ -7 +7 @@ SyntaxProperties -The `RefreshTokenRotation` property type specifies Property description not available. for an [AWS::Cognito::UserPoolClient](./aws-resource-cognito-userpoolclient.html). +The configuration of your app client for refresh token rotation. When enabled, your app client issues new ID, access, and refresh tokens when users renew their sessions with refresh tokens. When disabled, token refresh issues only ID and access tokens. @@ -34 +34 @@ To declare this entity in your AWS CloudFormation template, use the following sy -Property description not available. +The state of refresh token rotation for the current app client. @@ -47 +47 @@ _Required_ : No -Property description not available. +When you request a token refresh with `GetTokensFromRefreshToken`, the original refresh token that you're rotating out can remain valid for a period of time of up to 60 seconds. This allows for client-side retries. When `RetryGracePeriodSeconds` is `0`, the grace period is disabled and a successful request immediately invalidates the submitted refresh token.