Signed in users no longer able to refresh session after upgrade

[Jeffrey-Chau-Leo]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.

Language and Async Model

Kotlin - Coroutines

Amplify Categories

Authentication

Gradle script dependencies

com.amplifyframework:core-kotlin:2.29.0
com.amplifyframework:aws-auth-cognito:2.29.0

Environment information

------------------------------------------------------------
Gradle 8.13
------------------------------------------------------------

Build time:    2025-02-25 09:22:14 UTC
Revision:      073314332697ba45c16c0a0ce1891fa6794179ff

Kotlin:        2.0.21
Groovy:        3.0.22
Ant:           Apache Ant(TM) version 1.10.15 compiled on August 25 2024
Launcher JVM:  22.0.1 (Oracle Corporation 22.0.1+8-16)
Daemon JVM:    /Library/Java/JavaVirtualMachines/jdk-22.jdk/Contents/Home (no JDK specified, using current Java home)
OS:            Mac OS X 15.5 aarch64

Please include any relevant guides or documentation you're referencing

No response

Describe the bug

We are have recently upgraded from version 2.14.10 to 2.29.1.

Post upgrade, we are seeing an escalation of two UnknownExceptions thrown for our users when calling fetchAuthSession(), namely:

• ConfigurationException: Identity Pool not configured
• Exception: Credentials empty, cannot refresh

For additional context, we do not have have any identity pools set up hence no CredentialsProvider in our config file.

We would like to know why these could be thrown and what the resolution is for the user to recover from such states

We cannot simply sign out users who get any AuthException when fetchAuthSession() throws as it can also be due network connectivity errors.

Reproduction steps (if applicable)

No response

Code Snippet

Log output

Configuration File

{
  "auth": {
    "plugins": {
      "awsCognitoAuthPlugin": {
        "IdentityManager": {
          "Default": {}
        },
        "CognitoUserPool": {
          "Default": {
            "PoolId": omitted,
            "AppClientId": omitted,
            "Region": omitted
          }
        },
        "Auth": {
          "Default": {
            "authenticationFlowType": "USER_SRP_AUTH",
            "OAuth": {
              "WebDomain": omitted,
              "AppClientId": omitted,
              "SignInRedirectURI": omitted,
              "SignOutRedirectURI": omitted,
              "Scopes": [
                "email",
                "openid",
                "profile"
              ]
            }
          }
        }
      }
    }
  }
}

GraphQL Schema

Additional information and screenshots

Stacktrace 1

com.amplifyframework.auth.exceptions.ConfigurationException: Identity Pool not configured.
    at com.amplifyframework.auth.cognito.actions.AuthorizationCognitoActions$initializeFetchUnAuthSession$$inlined$invoke$1.execute(Action.kt:72)
    at com.amplifyframework.statemachine.ConcurrentEffectExecutor$execute$1$1.invokeSuspend(ConcurrentEffectExecutor.kt:26)
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:100)
    at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:829)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:717)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:704)
com.amplifyframework.auth.exceptions.UnknownException: Fetch auth session failed.
    at com.amplifyframework.auth.cognito.RealAWSCognitoAuthPlugin$_fetchAuthSession$1.invoke(RealAWSCognitoAuthPlugin.kt:1108)
    at com.amplifyframework.auth.cognito.RealAWSCognitoAuthPlugin$_fetchAuthSession$1.invoke(RealAWSCognitoAuthPlugin.kt:1081)
    at com.amplifyframework.statemachine.StateMachine.notifySubscribers(StateMachine.kt:185)
    at com.amplifyframework.statemachine.StateMachine.process(StateMachine.kt:200)
    at com.amplifyframework.statemachine.StateMachine.access$process(StateMachine.kt:55)
    at com.amplifyframework.statemachine.StateMachine$send$1.invokeSuspend(StateMachine.kt:169)
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:100)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:524)
    at java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:348)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1156)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:651)
    at java.lang.Thread.run(Thread.java:1119)

Stacktrace 2

java.lang.Exception: Credentials empty, cannot refresh.
    at com.amplifyframework.auth.cognito.actions.AuthorizationCognitoActions$initiateRefreshSessionAction$$inlined$invoke$1.execute(Action.kt:86)
    at com.amplifyframework.statemachine.ConcurrentEffectExecutor$execute$1$1.invokeSuspend(ConcurrentEffectExecutor.kt:26)
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:100)
    at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:829)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:717)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:704)
com.amplifyframework.auth.exceptions.UnknownException: Fetch auth session failed.
    at com.amplifyframework.auth.cognito.RealAWSCognitoAuthPlugin$_fetchAuthSession$1.invoke(RealAWSCognitoAuthPlugin.kt:1108)
    at com.amplifyframework.auth.cognito.RealAWSCognitoAuthPlugin$_fetchAuthSession$1.invoke(RealAWSCognitoAuthPlugin.kt:1081)
    at com.amplifyframework.statemachine.StateMachine.notifySubscribers(StateMachine.kt:185)
    at com.amplifyframework.statemachine.StateMachine.process(StateMachine.kt:200)
    at com.amplifyframework.statemachine.StateMachine.access$process(StateMachine.kt:55)
    at com.amplifyframework.statemachine.StateMachine$send$1.invokeSuspend(StateMachine.kt:169)
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:100)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:487)
    at java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:307)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
    at java.lang.Thread.run(Thread.java:1012)

Another log we get before stacktrace 2

keyset not found, will generate a new one

{
    throwable: can't read keyset; the pref value __androidx_security_crypto_encrypted_prefs_value_keyset__ does not exist
}

Cloud Trail logs

   "eventTime": omitted,
      "eventSource": "cognito-idp.amazonaws.com",
      "eventName": "InitiateAuth",
      "awsRegion": omitted,
      "sourceIPAddress": omitted",
      "userAgent": omitted,
      "errorCode": "NotAuthorizedException",
      "errorMessage": "Refresh Token has expired",
      "requestParameters": {
        "authFlow": "REFRESH_TOKEN",
        "authParameters": omitted,
        "clientId": omitted,
        "userContextData": omitted
      },

[tyllark]

Hello @Jeffrey-Chau-Leo, did you enable refresh token rotation in your AWS Console? If so Amplify Android does not support GetTokensFromRefreshToken yet so it will break the REFRESH_TOKEN_AUTH flow used to refresh access tokens.

Refresh token rotation isn't compatible with the authentication flow REFRESH_TOKEN_AUTH. To implement refresh token rotation, you must disable this authentication flow in your app client and design your application to submit token-refresh requests with the GetTokensFromRefreshToken API operation or the equivalent SDK method.

You can find this setting here:
AWS Console -> Amazon Cognito -> User pools -> [YOUR_USER_POOL] -> App clients -> [YOUR_APP_CLIENT] -> edit

[Jeffrey-Chau-Leo]

Hey @tyllark, I just checked, the refresh token rotation checkbox in AWS console is disabled.

We are currently on the Lite plan, so the refresh token rotation option isn't available for us.

[tyllark]

Thank you for confirming @Jeffrey-Chau-Leo. A team member will have a look and get back to you.

[tylerjroach]

@Jeffrey-Chau-Leo Is this something that you can easily replicate? If so, could you add Amplify.addPlugin(AndroidLoggingPlugin(LogLevel.VERBOSE)) as the first configured Amplify plugin and post the results?

[Jeffrey-Chau-Leo]

@tylerjroach Unfortunately, we haven't had any success in replicating this ourselves, we only found out through adding additional logs around fetchAuthSession() call sites. We have our logging plugin currently set on DEBUG, but can change it to VERBOSE in the meantime and see if anything comes up.