
When does API Gateway validate revoked Cognito ID token

I am building a serverless react app which uses Cognito for sign-in/sign-out. The app calls API Gateway which is configured to use the Cognito User pool as the custom authorizer.

I also built a Lambda function to sign out a user (cognitoIdentityServiceProvider.globalSignOut).

When I sign into the app and then call the Lambda function to perform an admin sign-out, calls to protected API Gateway functions from the app are still valid (with the Cognito ID token passed in the Authorization header).

Are admin calls such as cognitoIdentityServiceProvider.globalSignOut and cognitoIdentityServiceProvider.adminUserGlobalSignOut not real-time, or is API Gateway configured to only validate after an hour?

user1322092 asked Oct 02 '17 04:10



1 Answer

Just found the answer, unfortunately not what I wanted to hear:

Because the IdToken is represented as a JSON Web Key Token, it's signed with a secret or a private/public key pair, which means that even if you revoke the IdToken, there is no way to revoke the distributed public key. And the IdToken has a short life span; it will expire in a short time.

Is it possible to revoke AWS Cognito IdToken?

https://github.com/aws/aws-sdk-js/issues/1687

https://github.com/aws/amazon-cognito-identity-js/issues/21

user1322092 answered Sep 18 '22 08:09