Can't find refresh token when Cognito redirects back to my URL

Question

I'm testing with AWS's Cognito. At this point, I can get back my IdToken, AccessToken, and RefreshToken like this:

$ aws cognito-idp admin-initiate-auth --user-pool-id us-east-1_XXXXXXXX --client-id XXXXXXXXXXXXXXXXXXXXXXX --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=XXXXXXXXXXXXX,PASSWORD=XXXXXXXXXXXXX --region us-east-1

Then I tried the default web page (provided by Cognito) at a URL like this:

https://test-cognito.auth.us-east-1.amazoncognito.com/login?response_type=token&client_id=XXXXXXXXXXXXXXXXXXXXXX&redirect_uri=https://example.com

This URL will take me to a page where I have to authenticate and once the process is done it will take me back to my redirect_url with previously mentioned IDs appended:

https://example.com#id_token=XXXXX.XXXXXX.XXXXXX&access_token=XXXXXX.XXXXXXX.XXXXXXX&expires_in=3600&token_type=Bearer

But there's no sign of refresh_token! How can I get my refresh_token in this scenario?

Answer 1

I don't think that is possible at present. AWS clearly states that refresh token is only available if the flow type is Authorization Code Grant.

What you are trying is Implicit Grant. The responseType is set to token in your case. For Authorization Code Grant, set the grant type to code but that will also need you to store the client secret in the app.

Source- https://developer.amazon.com/docs/login-with-amazon/refresh-token.html.

For more info on grant types - https://alexbilbie.com/guide-to-oauth-2-grants/