I have a Cognito User Pool with 1 client that is configured with 2 identity providers, Cognito User Pool and a SAML provider that links an Azure AD instance. The Allowed OAuth Flows is set to Implicit grant only. Login via the Cognito User Pool provider is done using the InitiateAuthCommand in the @aws-sdk/client-cognito-identity-provider library. From this an id_token, access_token and refresh token are all returned.
Login via the SAML provider is done by using the template link provided in the Cognito developer docs (https://your_Amazon_Cognito_userpool_domain/authorize?response_type=code&identity_provider=your-SAML-IdP-name&client_id=your-client-id&redirect_uri=https://your_application_redirect_url). This login works, however only an id_token and access_token are returned (no refresh token).
How can I get Cognito to issue a refresh token for users logged in via the SAML provider?
Cognito should not return a refresh token for Implicit grant flow. That is the intended behaviour according to the specification:
The authorization server MUST NOT issue a refresh token.
Also using the implicit flow is highly discouraged due to vulnerabilities.
Please consider using Authorization code grant flow along with PKCE. With that you can get the refresh token.
The reason you get the refresh token along with the aws-sdk is because it should be using a different auth flow (example: USER_PASSWORD_AUTH) as mentioned in the document.