
I am curious whether I can reset, on the server, user sessions that were generated from the mobile end or the front end.

My friend is working on iOS development, but he is having a difficult time making a reset-session function on his end. As a workaround, what I am thinking is (even if it is a very dangerous and insecure approach...) that he will send a refresh token to the server, which will generate new tokens. The new tokens will be fed back to the mobile app.

However, this doesn't work. The error I am getting is "Invalid Refresh Token". My guess is that since the token is generated on the mobile end, tokens cannot be generated from other sources, in this case the server.

Is this approach blocked on the AWS side? Thanks.

supergentle

1 Answer

If you are using Amazon Cognito, use globalSignOut and adminUserGlobalSignOut to invalidate the issued access and refresh tokens for a user.

Ionut Trestian
  • I don't think your answer is relevant to my question. Can you elaborate on your answer? – supergentle Jul 28 '17 at 15:29
  • Sure. Can you clarify the question a little, mainly about the app design and what APIs you are calling? I am on the Amazon Cognito team and I was mostly interested in how customers are using our service, and trying to give suggestions on APIs to call. – Ionut Trestian Jul 28 '17 at 18:06
  • By the way, I got an answer to my question. The token generated from the iOS mobile app could not be refreshed in the node.js backend API. The main reason is that Cognito's JavaScript module doesn't have a client secret, while the iOS SDK uses a client secret when generating tokens during the registration process. – supergentle Aug 04 '17 at 17:21
  • What JavaScript module are you using? If you have a way to secure the client secret in your backend, you can refresh the token by calling initiateAuth and passing the CLIENT_SECRET in the auth parameters. https://github.com/aws/aws-sdk-js/blob/master/apis/cognito-idp-2016-04-18.min.json#L1283 – Ionut Trestian Aug 04 '17 at 20:43
  • When creating a new app client for the JavaScript SDK, it is REQUIRED to turn off the client secret. Check out the official documentation http://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-integrating-user-pools-javascript.html – supergentle Aug 04 '17 at 21:56
  • Yes, that is for browser-based apps, because there would be no way to secure the client secret in the browser. For server-side apps, if you have a way to secure the client secret, it can be passed by calling the low-level APIs. – Ionut Trestian Aug 04 '17 at 22:19
  • Got you. That makes sense. By the way, let me ask you a question, since you said you are currently working on the Cognito team. I have a guy who's dealing with the Cognito iOS Swift module. However, he is having a difficult time utilizing Cognito in his mobile app, while he was okay with the Android SDK module. And he says that the Swift SDK documentation is terrible and some of the sample code is not working. I also made another question in this article https://stackoverflow.com/questions/45513785/cognito-swift-login-method-example I am wondering if you can also address that question. Thanks! – supergentle Aug 04 '17 at 22:27