18

Is it possible to revoke an AWS Cognito IdToken obtained after user authentication with its username and password?

In my use case the access to API Gateway endpoints is restricted by a Cognito User Pool Authorizer which takes the IdToken as an argument in request.headers.Authorizer. I am looking for a way to block the current user's IdToken.

In the AWS JavaScript SDK there is a function globalSignOut({AccessToken}) which revokes the access token: http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#globalSignOut-property

Is it possible to revoke the IdToken the same or similar way?

For interested: I've created an issue on aws-sdk-js: https://github.com/aws/aws-sdk-js/issues/1687

kmnowak

3 Answers

15

You are correct. The globalSignOut call revokes all tokens except the id token. The id token is a bearer token that is generally used with services outside of user pools. I am on the Cognito team, and we do have an integration roadmap on our calendar to have services that consume id tokens check back to see if those id tokens are valid and not accept invalid ones.

Ionut Trestian
  • Thank you very much for the response. Are there any chances that it will be released in the near future? – kmnowak Aug 20 '17 at 21:47
  • @Ionut since you are on the Cognito team, what effect does revoking the `access token` have? API Gateway does not reject it even after it has been revoked. – asr9 Nov 14 '18 at 04:42
  • Hello, so the access token and id token will expire in an hour. Is it possible to use expired tokens to invoke global signout? – Naman Jain Aug 05 '20 at 08:03
  • @ionut is there a way to check that the token is valid and was not signed out in AWS? – Kukula Mula Jun 27 '21 at 20:00
  • @Ionut any news on this? I've seen you've added a Revoke token feature for refresh tokens, and when enabled in the pool the ID token contains extra claims like a JTI field – Alberto Megía Sep 20 '21 at 15:20
9

As @AllanFly120 wrote in the mentioned topic:

Because the IdToken is represented as a JSON Web Key Token, it's signed with a secret or a private/public key pair, which means even if you revoke the IdToken, there is no way to revoke the distributed public key. And the IdToken has a short life span; it will expire in a short time.

It resolved my doubts.

kmnowak
  • Well, the short time isn't really short. Based on my tests the expiration time is somewhere around 8 to 10 hrs. – Anjan Biswas Nov 25 '18 at 04:21
  • @Annjawn That's not correct. "ID Token" always expires 60 minutes after it's generated. It's a hard limit in Cognito and it cannot be changed. https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html#limits-hard You can paste your token here to see the expiration time in milliseconds https://jwt.io/ – ᴛʜᴇᴘᴀᴛᴇʟ Jun 11 '19 at 00:10
  • Yes. Sorry, that's my bad. The expiration is 60 minutes. I was using Amplify which does a refresh token regularly. – Anjan Biswas Jun 11 '19 at 00:12
  • Correct, but it still is very short-sighted. There's no way to log out someone. Which means that if you are doing authorization, and base access on the groups that you belong to, and when you're removed from a group, you retain the exact same access because the IdToken hasn't changed. That's a glaring security hole. Then again, Cognito is not particularly secure... – E.T Nov 06 '19 at 00:54
  • @E.T yes, indeed. As mentioned there is no way to revoke it, so for immediate invocation, another authorization method is required – kmnowak Nov 06 '19 at 13:45
  • UPD: with the latest updates maybe it's possible now: [Amazon Cognito now supports targeted sign out through refresh token revocation](https://aws.amazon.com/ru/about-aws/whats-new/2021/06/amazon-cognito-now-supports-targeted-sign-out-through-refresh-token-revocation/?nc1=h_ls). [Here](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html) it says: > Revoking the refresh token will revoke all tokens which are issued with the refresh token. – Alex Fomin Aug 04 '21 at 15:31
  • @AlexFomin It isn't as it still won't revoke the ID token which other services like API GW use – Ermiya Eskandary Oct 17 '21 at 13:01
2

It is not. Even if there is documentation stating that, the minimum expiration time of 60 minutes is unacceptable if you really take the security of your application seriously.

Here is an article describing some AWS Cognito flaws: 3 things you should know before using AWS Cognito as authenticator

Cleriston
  • Upvoted your answer but in aws console -> User pool -> General settings -> App clients: ID token expiration - Must be between 5 minutes and 1 day. Cannot be greater than refresh token expiration. – SAndriy Apr 28 '21 at 20:27