Is it possible to revoke AWS Cognito IdToken?

Is it possible to revoke an AWS Cognito IdToken obtained after user authentication with its username and password?

In my use case the access to API Gateway endpoints is restricted by a Cognito User Pool Authorizer which takes the IdToken as an argument in request.headers.Authorizer. I am looking for a way to block the current user's IdToken.

In the AWS JavaScript SDK there is a function globalSignOut({AccessToken}) which revokes the accessToken: http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#globalSignOut-property

Is it possible to revoke the IdToken the same or a similar way?

For those interested: I've created an issue on aws-sdk-js: https://github.com/aws/aws-sdk-js/issues/1687

kmnowak asked Aug 07 '17 10:08

3 Answers

You are correct. The globalSignOut call revokes all tokens except the id token. The id token is a bearer token that is generally used with services outside of user pools. I am on the Cognito team, and we do have an integration roadmap on our calendar to have services that consume id tokens check back to see if those id tokens are valid and not accept invalid ones.

Ionut Trestian answered Oct 16 '22 16:10

As @AllanFly120 wrote in the mentioned issue:

Because the IdToken is represented as a JSON Web Key Token, it's signed with a secret or a private/public key pair, which means even if you revoke the IdToken, there is no way to revoke the distributed public key. And the IdToken has a short life span; it will expire in a short time.

It resolved my doubts.

kmnowak answered Oct 16 '22 17:10

It is not. Even if there is documentation stating that, the minimum expiration time of 60 minutes is unacceptable if you really take the security of your application seriously.

Here is an article describing some AWS Cognito flaws: 3 things you should know before using AWS Cognito as authenticator

Cleriston answered Oct 16 '22 16:10