Preserve refresh token

[medmond]

When refreshing the session, hang onto the old refresh token if the
authentication result doesn’t provide a new one. Without this change,
the refresh token is lost.

[itrestian]

Can you confirm that we can use, modify, copy, and redistribute this PR? Thanks!

[medmond]

Confirmed. You may use, modify, copy, and redistribute this PR.

[borisirota]

@itrestian Hi, is the same refresh token can be used multiple times in order to get new keys ?

I'm asking because I was sure that every REFRESH_TOKEN_AUTH AuthFlow should provide a new refresh token as well, but, it returns only id and access tokens.

Thanks

[itrestian]

Basically a refresh token is valid for 30 days. When you use the refresh token, you get only an access token and an id token, both valid for 1 hour. No refresh token. Once the refresh token expires after 30 days, you will have to authenticate again to get a new refresh token.

[borisirota]

Cool thanks. Just saw your answers here and here.

What do you exactly mean by "When using the refresh token to get a session, another session is not returned" ? what does the id and access tokens represent ?

[itrestian]

The access token is used to make authenticated calls to Cognito User Pools. Basically retrieve attributes, modify etc. The id Token can be used to integrate with Federated Identities. I think I meant that you don't get a new refresh token, you can still use the same one.

[borisirota]

thanks !