How to modify expiry time of the access and identity tokens for AWS Cognito User Pools

生来不讨喜 2020-12-25 09:58

I can't find any documentation which explains if and how to modify the expiry time of access and identity tokens for AWS Cognito User Pools.

The documentation speci

6 answers
  •  野趣味 (OP)
    2020-12-25 10:03

    I presume the question is how to get granular control of Cognito session termination. There is a way to do this. But first let's recap how Cognito session management works:

    1. Auth tokens expire after an hour.
    2. A new auth token may be requested upon the issuance of a refresh token.
    3. After 1 to 30 days, Cognito will not issue a refresh token - the number of days is configured per app, in the App Client Settings.

    So what can you do to get better control of Cognito session length? The answer is to insert a filter in your HTTP request stack that evaluates the request - if the user must be logged out for whatever reason, issue a 302 redirect to the Cognito logout endpoint (and clear your session cookies too).

    This is what we do in Kubernetes with Envoy (using a proxy), and also Spring. It also allows you to wire in logic that immediately revokes access to a user before their 1 hour access token expires.

    See https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
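The request filter described in this answer, sketched as a WSGI middleware; this is an added example, not code from the original post. The domain, client id, sign-out URL, cookie names and revocation set are constructed placeholders; `client_id` and `logout_uri` are the logout endpoint's query parameters.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Assumed placeholders: substitute your user pool domain, app client id and sign-out URL.
COGNITO_DOMAIN = "https://example-pool.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
LOGOUT_URI = "https://app.example.com/signed-out"  # must be an allowed sign-out URL
SESSION_COOKIES = ("session", "id_token", "access_token")  # hypothetical cookie names
REVOKED = {"sess-revoked"}  # constructed sample of sessions that must be ended now


def logout_url():
    """Build the Cognito logout endpoint URL for this app client."""
    return f"{COGNITO_DOMAIN}/logout?" + urlencode(
        {"client_id": CLIENT_ID, "logout_uri": LOGOUT_URI})


class ForcedLogoutFilter:
    """WSGI filter: 302 to the Cognito logout endpoint when must_logout(session_id)."""
    def __init__(self, app, must_logout):
        self.app = app
        self.must_logout = must_logout  # callable: session id -> bool

    def __call__(self, environ, start_response):
        session = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("session")
        if session is not None and self.must_logout(session.value):
            headers = [("Location", logout_url()), ("Cache-Control", "no-store")]
            # Expire every session cookie so the browser stops presenting them.
            headers += [("Set-Cookie", f"{name}=; Path=/; Max-Age=0; HttpOnly; Secure")
                        for name in SESSION_COOKIES]
            start_response("302 Found", headers)
            return [b""]
        return self.app(environ, start_response)  # not flagged: pass through


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def run_request(cookie_header):
    """Send one constructed request through the filter; return (status, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, headers
    app = ForcedLogoutFilter(demo_app, lambda sid: sid in REVOKED)
    body = b"".join(app({"HTTP_COOKIE": cookie_header}, start_response))
    return seen["status"], seen["headers"], body
```

The filter only ends the browser session; any API that accepts the access token directly still needs its own check against the same revocation source until the token expires.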
