Hello, we are using Cognito Federated Identities for Facebook and Google auth and Cognito Userpools for username/password flows. Our back-end is a serverless API with API Gateway. To protect it we wanted to use aws_iam authorizer but we reached a problem. To refresh aws keys with Cognito Federated Identities we have to supply the original Facebook/Google/Cognito tokens which also expire in a short period of time. How would a user coming from Facebook for example refresh his/hers AWS keys given from Cognito federated identities? In the end we decided to issue our own JWT tokens with refresh tokens via DynamoDB + custom lambda authorizers which validate those tokens, so all users go trough the same refresh flow apposed to using each identity provider refresh mechanism in the front end.

Take a look at this documentation: docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html

Good catch :)

Glad to hear it :)

Mohammad Selim Miah at the end of video