8

I am building a serverless react app which uses Cognito for sign-in/sign-out. The app calls API Gateway which is configured to use the Cognito User pool as the custom authorizer.

I also built a Lambda function to sign out a user (cognitoIdentityServiceProvider.globalSignOut).

When I sign into the app, and then call the Lambda function to perform an admin sign-out, calls to protected API Gateway functions from the app are still valid (with the Cognito ID token passed in the Authorization header).

Are admin calls such as cognitoIdentityServiceProvider.globalSignOut and cognitoIdentityServiceProvider.adminUserGlobalSignOut not realtime, or is API Gateway configured to only validate after an hour?

user1322092

3 Answers

5

Just found the answer, unfortunately not what I wanted to hear:

Because the IdToken is represented as a JSON Web Key Token, it's signed with a secret or a private/public key pair, which means even if you revoke the IdToken, there is no way to revoke the distributed public key. And the IdToken has a short life span; it will expire in a short time.

Is it possible to revoke AWS Cognito IdToken?

https://github.com/aws/aws-sdk-js/issues/1687

https://github.com/aws/amazon-cognito-identity-js/issues/21

user1322092
  • As far as my experience goes, the above seems to hold for access tokens as well. `globalSignOut` claims to revoke the `access token`, but my API Gateway Cognito pool authorizer was still accepting it after I revoked it using the mentioned APIs. – asr9 Nov 14 '18 at 04:32
4

These are the default settings of a Cognito user pool. The access token expires one hour after the user authenticates. It should not be processed after it has expired.

You can revoke all user tokens, though, using the GlobalSignOut and AdminUserGlobalSignOut APIs. After the user has been signed out:

  • The user's refresh token cannot be used to get new tokens for the user.
  • The user's access token cannot be used against the user pools service.
  • The user must reauthenticate to get new tokens.

An app can use the GlobalSignOut API to allow individual users to sign themselves out from all devices. Typically an app would present this option as a choice, such as Sign out from all devices. The app must call this method with the user's valid, nonexpired, revoked access token. This method cannot be used to allow a user to sign out another user.

An administrator app can use the AdminUserGlobalSignOut API to allow administrators to sign out a user from all devices. The administrator app must call this method with AWS developer credentials and pass the user pool ID and the user's username as parameters. The AdminUserGlobalSignOut API can sign out any user in the user pool.

Please have a look at the official documentation: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html

Vijayanath Viswanathan
  • Thanks for responding, but could you confirm whether calling `adminUserGlobalSignOut` does or *doesn't* sign out the user immediately, or only when the refresh token next needs to be used, before an hour has passed? In my case, I need to terminate the user session immediately, but that doesn't seem to be the case, as the `authorization` header with the token in a call to API Gateway still shows a valid session (i.e., API Gateway doesn't return an error about an invalid user token or similar, such as "Access Token has been revoked"). Please update your answer accordingly with the known behavior of API Gateway. – user1322092 Oct 02 '17 at 19:19
  • updated my question to be clear about the token. API Gateway custom authorizer which uses a Cognito user pool only requires the Cognito ID token (`axios.defaults.headers.common.Authorization = session.idToken.jwtToken;`). – user1322092 Oct 02 '17 at 20:16
3

I am on the Cognito team. globalSignOut revokes the access token and the refresh token. The id token is a bearer token that is used with systems external to User Pools. API Gateway will still accept it, but its validity is 1 hour.

Ionut Trestian
  • Thanks, Ionut! My serverless web app uses a Cognito user pool authorizer in API Gateway to enforce API security. API Gateway validates only the ID Token (not Access nor Refresh). If a Lambda cron function calls adminUserGlobalSignOut 20 min. after login, then technically API Gateway will accept the token beyond the twenty minutes, up to an hour. I would submit that's a gap in the design, do you think? Ultimately, I'm trying to mimic a server-based framework where sessions often expire in 15-30 min. Cognito seems fixated on mobile app experiences where 1 hour or greater is more appropriate. – user1322092 Oct 03 '17 at 02:19
  • Maybe because I am a year late in this conversation, things might have changed. But I am using `access tokens` with API Gateway. Revoking tokens by calling `globalSignOut` seems to have no effect on the `access tokens` being used with API Gateway + Cognito user pools. – asr9 Nov 14 '18 at 04:28