Description
Before opening, please confirm:
- I have searched for duplicate or closed issues and discussions.
Language and Async Model
Kotlin - Coroutines
Amplify Categories
Authentication
Gradle script dependencies
```toml
amplify-cognito = "2.30.1"
amplify-cognito = { module = "com.amplifyframework:aws-auth-cognito", version.ref = "amplify-cognito" }
amplify-core-kotlin = { module = "com.amplifyframework:core-kotlin", version.ref = "amplify-cognito" }
```
Environment information
------------------------------------------------------------
Gradle 8.13
------------------------------------------------------------
Build time: 2025-02-25 09:22:14 UTC
Revision: 073314332697ba45c16c0a0ce1891fa6794179ff
Kotlin: 2.0.21
Groovy: 3.0.22
Ant: Apache Ant(TM) version 1.10.15 compiled on August 25 2024
Launcher JVM: 17.0.14 (JetBrains s.r.o. 17.0.14+1-b1367.22)
Daemon JVM: ~/.sdkman/candidates/java/17.0.14-jbr (no JDK specified, using current Java home)
OS: Mac OS X 15.7 aarch64
Please include any relevant guides or documentation you're referencing
No response
Describe the bug
Using auth flow type USER_PASSWORD_AUTH with device tracking causes refresh tokens to fail.
During sign in, the device metadata is saved with the email address as the username to generate the shared preferences key:
`generateKey("$username.$KEY_DEVICE_METADATA")`
However, on retrieval (after time has passed) it attempts to retrieve this key with a server-side UUID as the username.
As a result, the DeviceKey is missing from the refresh token request, which returns:
`{"__type":"NotAuthorizedException","message":"Invalid Refresh Token."}`
Reproduction steps (if applicable)
Auth flow type USER_PASSWORD_AUTH
Device tracking enabled
Sign in
Wait some time
Attempt a token refresh
Expected result:
Token refresh will succeed
Actual result:
Token refresh fails with:
`{"__type":"NotAuthorizedException","message":"Invalid Refresh Token."}`
Configuration File
```json
{
  "auth": {
    "plugins": {
      "awsCognitoAuthPlugin": {
        "IdentityManager": {
          "Default": {}
        },
        "CognitoUserPool": {
          "Default": {
            "PoolId": "[redacted]",
            "Region": "eu-west-1",
            "AppClientId": "[redacted]",
            "Endpoint": "[redacted]"
          }
        },
        "Auth": {
          "Default": {
            "authenticationFlowType": "USER_PASSWORD_AUTH",
            "OAuth": {
              "WebDomain": "[redacted]",
              "AppClientId": "[redacted]",
              "SignInRedirectURI": "[redacted]",
              "SignOutRedirectURI": "[redacted]",
              "Scopes": [
                "email",
                "openid",
                "profile",
                "aws.cognito.signin.user.admin"
              ]
            }
          }
        }
      }
    }
  }
}
```
Additional information and screenshots
A similar issue was noted here: aws-amplify/aws-sdk-android#2728 (comment), though the behaviour has changed slightly, from saving with a null key to saving with the email address.
This PR fixes the issue for custom auth:
#2614
and notes: "This fix does not fix device tracking for when AuthFlow is USER_PASSWORD_AUTH as InitiateAuth in user_password_auth does not have access to deviceTracking."
However, this set up is working as expected for web and iOS.
If it is unsupported and there's no intention to fix this scenario, can you please state this explicitly, so I can return to the team and state we have to change the configuration, thank you.
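The following Kotlin sketch is an added illustration of the key mismatch described in this report; it is not Amplify code and does not call the Amplify SDK. `DeviceMetadataStore`, `DeviceMetadata`, the `amplify.` key prefix, the `deviceMetadata` suffix value and the sample email, sub and token strings are all assumptions made for the example. Only the `"$username.$KEY_DEVICE_METADATA"` key shape is taken from the report. It models a store keyed by whatever identifier the caller passes, saves under the email at sign-in, looks up under the server-side sub at refresh time, and shows how the resulting `AuthParameters` map for a `REFRESH_TOKEN_AUTH` call ends up without `DEVICE_KEY` (the `SECRET_HASH` parameter that app clients with a secret also need is left out). The final lookup shows what a tolerant retrieval would look like; it is a hypothetical shape for a fix, not something an application can do from outside the SDK.

```kotlin
// Added illustration, not Amplify code. DeviceMetadataStore, DeviceMetadata,
// the "amplify." prefix, the KEY_DEVICE_METADATA value and the sample
// email/sub/token strings are assumptions made for this example.

data class DeviceMetadata(val deviceKey: String, val deviceGroupKey: String)

// Assumed suffix name; only the "$username.$KEY_DEVICE_METADATA" shape is from the report.
private const val KEY_DEVICE_METADATA = "deviceMetadata"

// Stand-in for SharedPreferences: an in-memory map from preference key to stored value.
class DeviceMetadataStore {
    private val prefs = mutableMapOf<String, DeviceMetadata>()

    // Same key shape as the report; the prefix is an assumption.
    private fun generateKey(suffix: String) = "amplify.$suffix"

    // Sign-in path: stores under whatever identifier the user authenticated with.
    fun save(username: String, metadata: DeviceMetadata) {
        prefs[generateKey("$username.$KEY_DEVICE_METADATA")] = metadata
    }

    // Refresh path: looks up under whatever identifier the caller passes.
    fun load(username: String): DeviceMetadata? =
        prefs[generateKey("$username.$KEY_DEVICE_METADATA")]
}

// Builds the AuthParameters for an InitiateAuth call with AuthFlow = REFRESH_TOKEN_AUTH.
// With device tracking enabled Cognito expects DEVICE_KEY alongside REFRESH_TOKEN;
// when it is absent the refresh fails, which is the symptom in the report.
fun refreshAuthParameters(refreshToken: String, metadata: DeviceMetadata?): Map<String, String> =
    buildMap {
        put("REFRESH_TOKEN", refreshToken)
        if (metadata != null) put("DEVICE_KEY", metadata.deviceKey)
    }

fun main() {
    val store = DeviceMetadataStore()
    val email = "alice@example.com"                      // constructed sample
    val sub = "1b2c3d4e-0000-4000-8000-000000000000"     // constructed sample server-side UUID
    val refreshToken = "constructed.sample.refresh.token" // constructed sample, not a real token

    // Sign-in saves the device metadata keyed by the email the user typed.
    store.save(email, DeviceMetadata(deviceKey = "eu-west-1_sampleDeviceKey", deviceGroupKey = "-sampleGroup"))

    // A later refresh looks it up by the server-side sub and misses.
    val byEmail = store.load(email)
    val bySub = store.load(sub)
    println("lookup by email -> $byEmail")
    println("lookup by sub   -> $bySub")

    // The request built from the miss has no DEVICE_KEY.
    val broken = refreshAuthParameters(refreshToken, bySub)
    println("AuthParameters keys after miss:     ${broken.keys}")

    // Hypothetical shape of a tolerant lookup inside the SDK: try every identifier
    // known for the user before deciding the device key is really absent.
    val recovered = listOf(sub, email).firstNotNullOfOrNull { store.load(it) }
    val repaired = refreshAuthParameters(refreshToken, recovered)
    println("AuthParameters keys after fallback: ${repaired.keys}")
}
```

Run `main()` and compare the two printed key sets: the first lookup by the sub returns null and the map carries only `REFRESH_TOKEN`, while the fallback finds the entry saved under the email and adds `DEVICE_KEY`. The point is that the identifier used at save time and at load time must be the same stable value; a fix either keys the entry by an identifier that does not change between sign-in and refresh or looks up every identifier the SDK knows for the user.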