Support token expiration customization for access tokens and ID tokens.
d) new option for an existing attribute is desired
The main component is going to consist of adding the token validity unit. Previously, refresh tokens only supported specifying the expiration time as a number expressed as days or fractional days.
Should support token expiration customization for access tokens and ID tokens.
Durations should be based on the Cognito API. Duration includes a quantity and unit.

N/A
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html#CognitoUserPools-CreateUserPoolClient-request-AccessTokenValidity
Updated description to remove refresh token
@cmckni3 Refresh token validity is still only specifiable by days in CloudFormation, when valid inputs are between 1 hour and 10 years. It should be refactored to match Cognito's specifications as you originally mentioned.
@tgardiner Are you sure? The CloudFormation docs description looks incorrect to me based on the maximum value.
315360000 days would be 864000 years.
@cmckni3 So it looks like that's the number of seconds in 10 years, which would imply the value can be specified in seconds, but the docs mention days. I just tried setting it to 1 and I ended up with a Refresh Token Expiration of 1 day. Seems very broken.
Interesting. The description in the docs still says days but the max value is correct for 10 years as seconds as stated in the announcement. The minimum value in the docs of 0 should be 3600 seconds.
Refresh tokens can be configured to expire in as little as one hour or as long as ten years.
I do recall recent deployments of mine still using 1 as the value. I believe the unit for refresh token must be set to keep backwards compatibility.
I have learned over the past 2 years to trust but verify the AWS docs.
I agree it’s very confusing like some other Cognito CFN options such as DeviceConfiguration
Have you tried setting the refresh token unit to minutes or seconds?
The plot thickens... documentation clearly states that TokenValidityUnits is not currently supported by CloudFormation.
Yet I set:

```yaml
RefreshTokenValidity: 3600
TokenValidityUnits:
  RefreshToken: "seconds"
```

and ended up with a RefreshTokenValidity of 1 hour. Thanks for the tip @cmckni3!
No problem, glad it worked!
> The plot thickens... documentation clearly states that TokenValidityUnits is not currently supported by CloudFormation.
Yep, incorrect AWS documentation is problematic. Tbh, I didn’t read the description on the CFN token validity units page 😂
This is working for the Refresh Token, but not the Access and Id Token validity. Regardless of which value I provide to the AccessTokenValidity or IdTokenValidity, I get the error Invalid range for token validity.
Same goes for the properties of TokenValidityUnits, AccessToken and IdToken.
I tried values ranging from 1 up to 3600. Regardless of which unit is used, there should have been at least one valid value.
I experienced this issue when my CI deployed on 2 identical environments, one succeeded and one failed.
After further investigation, on the test environment, token validity had been modified manually. Doing so sets the units to minutes and cloudformation fails with Invalid range for token validity.
It doesn't matter if the validity periods have been reset to their default, once you touch them from the UI, their units are minutes and cloudformation will most likely fail unpredictably:
```
❯ aws cognito-idp describe-user-pool-client --user-pool-id xxx --client-id yyy
{
    "UserPoolClient": {
        ...
        "RefreshTokenValidity": 1,
        "AccessTokenValidity": 60,
        "IdTokenValidity": 60,
        "TokenValidityUnits": {
            "AccessToken": "minutes",
            "IdToken": "minutes",
            "RefreshToken": "days"
        },
```
The only way to reset those units to the days/hours default is using the CLI (or API call):
```
aws cognito-idp update-user-pool-client --user-pool-id xxx --client-id yyy --token-validity-units AccessToken=hours,IdToken=hours,RefreshToken=days --refresh-token-validity 1 --access-token-validity 1 --id-token-validity 1
```

It would be really nice to have TokenValidityUnits fully supported for all tokens and not only RefreshToken.
@cmckni3 Many thanks for this (and to everyone for the thread). Was frustrated by documentation (or lack thereof).
@jdel I tried the below for access/id and it worked:

```yaml
AccessTokenValidity: 360
IdTokenValidity: 360
TokenValidityUnits:
  AccessToken: "seconds"
  IdToken: "seconds"
```

They got set to 6 minutes.
Always nice to find others struggling and it's not just me thinking I'm a complete idiot.
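The "Invalid range for token validity" failures above, and the working snippets for the refresh token (3600 seconds) and the access/ID tokens (360 seconds), all come down to one thing: Cognito interprets the number in the unit currently in effect, and a console edit silently switches that unit to minutes. The checker below is an added example, not code from this thread or from any AWS tool. It converts each (value, unit) pair to seconds the way the API does, applies the default unit when TokenValidityUnits is omitted, and reports any token outside the permitted range before a template is deployed. The refresh-token range (1 hour to 10 years, 315360000 seconds) is the one quoted in the thread; the access/ID range (5 minutes to 1 day) and the default units (hours for access/ID, days for refresh) are taken from the Cognito API reference rather than from the thread. The sample property maps are the snippets posted above plus one constructed failing case.

```python
"""Pre-deploy sanity check for AWS::Cognito::UserPoolClient token validity settings.

Added example: mirrors how Cognito combines *Validity values with TokenValidityUnits.
"""
from __future__ import annotations

SECONDS_PER_UNIT = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}

# Unit Cognito applies when TokenValidityUnits does not name the token
# (from the Cognito API reference; the thread only shows the overrides).
DEFAULT_UNITS = {"AccessToken": "hours", "IdToken": "hours", "RefreshToken": "days"}

# Permitted ranges in seconds. Refresh: 1 hour .. 10 years (quoted in the thread).
# Access/ID: 5 minutes .. 1 day (Cognito API reference).
RANGES = {
    "AccessToken": (5 * 60, 24 * 3600),
    "IdToken": (5 * 60, 24 * 3600),
    "RefreshToken": (3600, 315_360_000),
}

# CloudFormation property that carries the numeric value for each token.
VALIDITY_KEY = {
    "AccessToken": "AccessTokenValidity",
    "IdToken": "IdTokenValidity",
    "RefreshToken": "RefreshTokenValidity",
}


def effective_unit(props: dict, token: str) -> str:
    """Unit Cognito will use for `token`: the explicit one, else the default."""
    return props.get("TokenValidityUnits", {}).get(token, DEFAULT_UNITS[token])


def effective_seconds(props: dict, token: str) -> int | None:
    """Lifetime of `token` in seconds, or None if the template does not set it."""
    value = props.get(VALIDITY_KEY[token])
    if value is None:
        return None
    unit = effective_unit(props, token)
    if unit not in SECONDS_PER_UNIT:
        raise ValueError(f"{token}: unknown unit {unit!r}")
    return int(value) * SECONDS_PER_UNIT[unit]


def humanize(seconds: int) -> str:
    """Render a lifetime in the largest unit that divides it exactly."""
    for unit in ("days", "hours", "minutes", "seconds"):
        size = SECONDS_PER_UNIT[unit]
        if seconds % size == 0:
            n = seconds // size
            return f"{n} {unit if n != 1 else unit[:-1]}"
    raise AssertionError("unreachable: every integer is divisible by 1")


def validate(props: dict) -> list[str]:
    """Return one message per token whose lifetime Cognito would reject."""
    errors = []
    for token, (lo, hi) in RANGES.items():
        secs = effective_seconds(props, token)
        if secs is None:
            continue
        if not lo <= secs <= hi:
            errors.append(
                f"{token}: {props[VALIDITY_KEY[token]]} {effective_unit(props, token)}"
                f" = {secs}s, outside {lo}..{hi}s (Invalid range for token validity)"
            )
    return errors


# Property maps posted in the thread.
THREAD_REFRESH = {
    "RefreshTokenValidity": 3600,
    "TokenValidityUnits": {"RefreshToken": "seconds"},
}
THREAD_ACCESS_ID = {
    "AccessTokenValidity": 360,
    "IdTokenValidity": 360,
    "TokenValidityUnits": {"AccessToken": "seconds", "IdToken": "seconds"},
}
# Constructed case: a value written with hours in mind after the units were
# switched to minutes (the console behaviour described above) is now too short.
CONSTRUCTED_MINUTES = {
    "AccessTokenValidity": 1,
    "TokenValidityUnits": {"AccessToken": "minutes"},
}

if __name__ == "__main__":
    for name, props in [("refresh", THREAD_REFRESH), ("access/id", THREAD_ACCESS_ID),
                        ("constructed", CONSTRUCTED_MINUTES)]:
        problems = validate(props)
        print(name, "OK" if not problems else problems)
```

Running the checker in CI next to the template catches the case the thread describes (a console-modified client whose units no longer match what the template author assumed) as a clear message rather than a failed stack update.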
@avi-leeker yeah some AWS docs are outdated/wrong/not helpful. At this point I consider myself QA for AWS 😆
The docs have been updated.
Thanks!
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-idtokenvalidity