AWS cognito "remember me" option


I have a react native and a react native web frontend application with an AWS backend. For authentication I use AWS Cognito. Some of my users use a public computer, so for those users the authentication tokens should expire within an hour (if they set the "remember me" option to false during login).

The problem

AWS Amplify

Although AWS Amplify is a high-level library that doesn't leave much room for customisation, I could just drop the refresh token?

Is this a valid option? And more importantly, a secure option?

Nicolas Lykke Iversen:

You cannot set the access, ID, or refresh token's lifetime in the request to the /oauth2/token endpoint, like it's seemingly possible with other IdPs:

https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

If the refresh token is expired, your app user must re-authenticate by signing in again to your user pool.

Depending on the security profile of your application, you shouldn't specify a low refresh token expiration, as it hurts the user's experience:

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html

You cannot manipulate the expiration time of cookies to delete them, either at a specified time or when the browser is closed, as they are configured as HttpOnly and Secure:

You can also add an expiry date (in UTC time). By default, the cookie is deleted when the browser is closed:

Are you sure the tokens are stored as cookies? Normally they're stored in local or session storage. If so, they can be deleted client-side using JavaScript. This answer shows that you can configure the Amplify library to store the tokens in session storage, i.e. they will be deleted when the browser tab is closed:

Auth.configure({ storage: window.sessionStorage })

Finally, you might want to revoke the user's refresh token. This can be accomplished solely using the access token:

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html#amazon-cognito-identity-user-pools-revoking-all-tokens-for-user
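The two ideas in the answer above (point Amplify at session storage on a shared machine, and avoid keeping a refresh token around there at all) can be combined in one storage adapter. The following is an added example written for this page, not code from the question, the answer, or the Amplify project. It assumes Amplify's `Auth.configure({ storage })` option accepts any object with the Web Storage methods `setItem`/`getItem`/`removeItem`/`clear` (plus the optional `sync` hook amazon-cognito-identity-js calls on React Native), and it assumes the key naming `CognitoIdentityServiceProvider.<clientId>.<username>.refreshToken` that current Amplify builds use; that naming is observed behaviour, not a documented contract, so check it against the Amplify version you ship. The `MemoryStorage` fallback exists only so the example runs under Node without a DOM.

```javascript
// Added example (not from the question, the answer, or Amplify itself).
// A storage adapter for Amplify's Auth.configure({ storage }) that honours
// a "remember me" choice:
//   rememberMe = true  -> tokens go to localStorage (survive closing the browser)
//   rememberMe = false -> tokens go to sessionStorage (gone when the tab closes)
//                         and the refresh token is never written at all, so
//                         Amplify cannot silently renew the session once the
//                         short-lived access/ID tokens expire.

// Minimal in-memory Web Storage stand-in so the adapter runs under Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  setItem(k, v) { this.map.set(k, String(v)); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
}

// ASSUMPTION: Amplify stores the refresh token under
// "CognitoIdentityServiceProvider.<clientId>.<username>.refreshToken".
function isRefreshTokenKey(key) {
  return /^CognitoIdentityServiceProvider\..+\.refreshToken$/.test(key);
}

class RememberMeStorage {
  constructor(rememberMe, backends = {}) {
    const hasDom = typeof window !== 'undefined';
    const persistent = backends.persistent ?? (hasDom ? window.localStorage : new MemoryStorage());
    const ephemeral = backends.ephemeral ?? (hasDom ? window.sessionStorage : new MemoryStorage());
    this.rememberMe = rememberMe;
    this.backend = rememberMe ? persistent : ephemeral;
  }
  setItem(key, value) {
    // On a shared device, drop the refresh token instead of storing it.
    if (!this.rememberMe && isRefreshTokenKey(key)) return;
    this.backend.setItem(key, value);
  }
  getItem(key) { return this.backend.getItem(key); }
  removeItem(key) { this.backend.removeItem(key); }
  clear() { this.backend.clear(); }
  // Optional hook used by amazon-cognito-identity-js on React Native;
  // nothing to load asynchronously here.
  sync() { return Promise.resolve(); }
}

// Simulates what Amplify writes after a successful sign-in, using
// constructed token values and a placeholder client id, and reports what
// ended up in storage.
function simulateLogin(rememberMe, clientId = 'CLIENT_ID_PLACEHOLDER', username = 'alice') {
  const storage = new RememberMeStorage(rememberMe, {
    persistent: new MemoryStorage(),
    ephemeral: new MemoryStorage(),
  });
  const prefix = `CognitoIdentityServiceProvider.${clientId}.${username}`;
  storage.setItem(`${prefix}.accessToken`, 'constructed-access-token');
  storage.setItem(`${prefix}.idToken`, 'constructed-id-token');
  storage.setItem(`${prefix}.refreshToken`, 'constructed-refresh-token');
  return {
    hasAccessToken: storage.getItem(`${prefix}.accessToken`) !== null,
    hasIdToken: storage.getItem(`${prefix}.idToken`) !== null,
    hasRefreshToken: storage.getItem(`${prefix}.refreshToken`) !== null,
  };
}

// Wiring into Amplify (illustrative, Amplify v5 style; not executed here):
//   import { Auth } from 'aws-amplify';
//   Auth.configure({ storage: new RememberMeStorage(rememberMeChecked) });
//   await Auth.signIn(username, password);
// On logout from a shared device, also revoke server-side rather than only
// clearing the browser:  await Auth.signOut({ global: true });

console.log(simulateLogin(false)); // shared computer: no refresh token kept
console.log(simulateLogin(true));  // trusted device: all three tokens kept

module.exports = { MemoryStorage, RememberMeStorage, isRefreshTokenKey, simulateLogin };
```

Without a stored refresh token, Amplify has nothing to send to the token endpoint, so when the access and ID tokens expire the user is back at the sign-in screen, which is the behaviour the question wants for public computers. The `Auth.signOut({ global: true })` call in the comment maps to the server-side revocation the answer links to, and is the piece a client-only deletion does not cover.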