Cognito User Pool OAuth2 Flow Limitations

Cognito user pools have the following limitations.

  • Token expiration
    • Access tokens and ID tokens can be configured to expire anywhere from 5 minutes up to 1 day; the default is 1 hour
    • Refresh tokens default to expiring 30 days after issue, but their validity can be set anywhere from 60 minutes up to 10 years
    • Access tokens and ID tokens cannot be revoked individually; they are valid until they expire, so their lifetime is the only cut-off a relying party has. A service that verifies the JWT signature locally against the pool's JWKS has no revocation state to consult, which is the reason to keep these lifetimes short
    • Refresh tokens can be revoked: GlobalSignOut revokes all of a user's refresh tokens, and the RevokeToken API (available when token revocation is enabled on the app client) revokes a single refresh token together with the access tokens issued from it
  • Implicit flow
    • Does not return a refresh token, as RFC 6749 specifies for the implicit grant; the access token and ID token are returned in the redirect URL fragment, so the session cannot be renewed silently and the tokens are exposed to the browser (history, extensions, referrer leaks). For browser and native clients, prefer the authorization code grant with PKCE, which returns a refresh token from the /oauth2/token endpoint
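
The two points above, the implicit grant returning no refresh token and expiry being the only cut-off for access and ID tokens, as an added example that is not part of the original page. The script builds a Cognito /oauth2/authorize URL for the implicit grant and for the authorization code grant with PKCE (S256, generated with the standard library), parses the redirect each one produces, and enforces issuer, audience, token_use and exp on a token payload whose signature has already been verified. The domain, app client ID, issuer, redirect URLs and token payloads are constructed placeholders, not values from the page.

```python
"""Cognito OAuth2 flow helpers: implicit vs. authorization code + PKCE (added example)."""
from __future__ import annotations

import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical pool settings; replace with your own app client and domain.
COGNITO_DOMAIN = "https://example-pool.auth.us-east-1.amazoncognito.com"
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "1example23456789"
REDIRECT_URI = "https://app.example.com/callback"

# Constructed sample redirects, in the shape Cognito sends them back.
IMPLICIT_REDIRECT_EXAMPLE = (
    REDIRECT_URI + "#access_token=eyJhbGciOi.constructed.access"
    "&id_token=eyJhbGciOi.constructed.id&token_type=Bearer&expires_in=3600&state=abc123"
)
CODE_REDIRECT_EXAMPLE = REDIRECT_URI + "?code=constructed-auth-code&state=abc123"

# Constructed access-token payload (what you get after verifying the JWT signature).
SAMPLE_ACCESS_CLAIMS = {
    "iss": ISSUER, "client_id": CLIENT_ID, "token_use": "access",
    "iat": 1_700_000_000, "exp": 1_700_003_600,  # 1 hour, the Cognito default
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_matches(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs: S256(verifier) == challenge."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def authorize_url(flow: str, state: str, code_challenge: str | None = None) -> str:
    """Build the /oauth2/authorize URL for the 'implicit' or 'code' grant."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email", "state": state}
    if flow == "implicit":
        params["response_type"] = "token"  # tokens come back in the URL fragment
    elif flow == "code":
        if not code_challenge:
            raise ValueError("a public client must bind the code to a PKCE challenge")
        params["response_type"] = "code"
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    else:
        raise ValueError(f"unknown flow {flow!r}")
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_redirect(url: str, expected_state: str) -> dict[str, str]:
    """Extract Cognito's response: fragment for implicit, query string for code."""
    parts = urlparse(url)
    raw = parts.fragment if parts.fragment else parts.query
    data = {k: v[0] for k, v in parse_qs(raw).items()}
    if data.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up response")
    return data


def check_token_claims(claims: dict, token_use: str, now: int | None = None,
                       skew: int = 60) -> bool:
    """Enforce issuer, audience, token_use and lifetime on a signature-verified payload.
    Signature verification against the pool's JWKS is assumed to be done by the caller."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("token_use") != token_use:
        raise ValueError(f"token_use is {claims.get('token_use')!r}, wanted {token_use!r}")
    audience = claims.get("client_id") if token_use == "access" else claims.get("aud")
    if audience != CLIENT_ID:
        raise ValueError("token was issued to a different app client")
    if claims["exp"] - claims["iat"] > 86_400:
        raise ValueError("lifetime exceeds Cognito's 1-day maximum; payload is suspect")
    if now > claims["exp"] + skew:
        raise ValueError("token expired; with no revocation, exp is the only cut-off")
    return True


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(authorize_url("implicit", "abc123"))
    print(authorize_url("code", "abc123", challenge))
    implicit = parse_redirect(IMPLICIT_REDIRECT_EXAMPLE, "abc123")
    print("implicit grant returned refresh_token:", "refresh_token" in implicit)
    print(parse_redirect(CODE_REDIRECT_EXAMPLE, "abc123"))
    print("access claims ok:", check_token_claims(SAMPLE_ACCESS_CLAIMS, "access"))
```

The code path keeps the verifier in the client and sends only the challenge, so a leaked authorization code cannot be redeemed without it; the implicit path has nothing to exchange, and whatever lands in the fragment is the whole session. check_token_claims deliberately refuses payloads whose exp minus iat exceeds one day, since Cognito never issues such tokens and a longer window points at a forged or wrongly-issued token.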