I am using the web UI forms provided by Cognito for user sign in to our site with an OAuth flow.

We have a use case where the user should be signed out of all logged-in sessions across browsers.

Looking at the docs, it seems like AdminUserGlobalSignOut does exactly what we're after. However, after calling it the 'cognito' browser cookie saved for foo.auth.us-east-1.amazoncognito.com remains valid. The next time a user loads https://foo.auth.us-east-1.amazoncognito.com/oauth2/authorize they are forwarded to the callback url as if they're authenticated instead of being redirected to foo.auth.us-east-1.amazoncognito.com/login.

I assume this is because the cookie is not invalidated by calling AdminUserGlobalSignOut, however this seems like the exact purpose of this method.

Is this a bug or am I missing something required to log a user out globally?

John Rotenstein
plemarquand

  • It looks like the idToken remains valid for a short time. https://stackoverflow.com/questions/45545176/is-it-possible-to-revoke-aws-cognito-idtoken – Ben Hulan Oct 26 '18 at 16:40

1 Answer

I know it's kind of too late to answer, but I think this is due to the fact that tokens and cookies are independent of each other.

I think this is expected behavior because the AdminUserGlobalSignOut API is just a feature to revoke refresh tokens, not a feature to invalidate cookies issued by Cognito.

Also, as far as I know, there is no API to disable cookies issued by Cognito. I guess you have to use the Logout Endpoint for each.


Configuring a User Pool App Client - Amazon Cognito
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html

Important

If you use Hosted UI and setup tokens less than an hour, the end user will be able to get new tokens based on their session cookie which is currently fixed at one hour.

AdminUserGlobalSignOut - Amazon Cognito Identity Provider
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUserGlobalSignOut.html

Signs out users from all devices, as an administrator. It also invalidates all refresh tokens issued to a user. The user's current access and Id tokens remain valid until their expiry. Access and Id tokens expire one hour after they are issued.

LOGOUT Endpoint - Amazon Cognito https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html

noid11
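The two halves the answer describes, as an added example that is not code from the question or the answer: revoke the user's refresh tokens server-side with AdminUserGlobalSignOut, then send the browser through the hosted-UI /logout endpoint so the session cookie on the Cognito domain is cleared too. The hosted-UI domain is the one from the question; the user pool ID, app client ID and post-logout redirect are made-up placeholders, and the FakeCognitoIdp class stands in for boto3.client("cognito-idp") so the script runs offline.

```python
"""Signing a hosted-UI user out everywhere: AdminUserGlobalSignOut revokes
refresh tokens server-side, but the 'cognito' session cookie on the hosted-UI
domain is only cleared by sending the browser through the /logout endpoint.
Added example; not code from the original question or answer."""
from urllib.parse import urlencode

# Constructed values for illustration; substitute your deployment's own settings.
HOSTED_UI_DOMAIN = "foo.auth.us-east-1.amazoncognito.com"   # domain from the question
USER_POOL_ID = "us-east-1_EXAMPLE"                          # assumption
APP_CLIENT_ID = "example-app-client-id"                     # assumption
LOGOUT_REDIRECT = "https://example.com/signed-out"          # assumption; must be an allowed sign-out URL


def logout_url(domain: str, client_id: str, logout_uri: str) -> str:
    """Build the hosted-UI logout URL. Loading it in the browser clears the
    session cookie for `domain` and then redirects to `logout_uri`, which must
    be registered as a sign-out URL on the app client."""
    query = urlencode({"client_id": client_id, "logout_uri": logout_uri})
    return f"https://{domain}/logout?{query}"


def revoke_refresh_tokens(idp_client, user_pool_id: str, username: str) -> None:
    """Server side: AdminUserGlobalSignOut. Per the API reference this
    invalidates every refresh token issued to the user; already-issued access
    and ID tokens stay valid until they expire, and the hosted-UI cookie is
    not touched."""
    idp_client.admin_user_global_sign_out(UserPoolId=user_pool_id, Username=username)


def sign_out_everywhere(idp_client, username: str) -> str:
    """Revoke refresh tokens, then return the URL to send the current browser
    to so its hosted-UI cookie is cleared as well. Other browsers keep their
    cookie until it expires (the app-client docs quoted above put that at one
    hour), so treat them as signed out only once their existing tokens have
    expired and can no longer be refreshed."""
    revoke_refresh_tokens(idp_client, USER_POOL_ID, username)
    return logout_url(HOSTED_UI_DOMAIN, APP_CLIENT_ID, LOGOUT_REDIRECT)


class FakeCognitoIdp:
    """Stand-in for boto3.client('cognito-idp') so the example runs offline;
    it only records the calls made to it."""

    def __init__(self):
        self.calls = []

    def admin_user_global_sign_out(self, **kwargs):
        self.calls.append(("admin_user_global_sign_out", kwargs))
        return {}


if __name__ == "__main__":
    # Real deployment: idp = boto3.client("cognito-idp", region_name="us-east-1")
    idp = FakeCognitoIdp()
    print(sign_out_everywhere(idp, "alice"))
    print(idp.calls)
```

In a real app the returned URL is what your own sign-out handler redirects the browser to after calling the admin API; if the redirect is not in the app client's allowed sign-out URLs the hosted UI rejects the request instead of clearing the cookie.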