Deleting cognito user & identity has no affect on user access

Question

I am trying to use AWS Cognito user pools with Cognito federation as auth for my APIs on api-gateway. I got the authentication & authorization part (using roles) to work, but now stuck on how to revoke access. After login & getting the federated identity, I deleted the identity from identity browser (console) & deleted the user from cognito user pool. But that does not invalidate access using the earlier generated tokens, till they expire (which is a minimum of 1 hour).

I also tried setting ServerSideTokenCheck to true, but that doesn't work either. The only way to "revoke" access seems to be this. But this does not work for us as our use case assigns roles to a group. I cannot have groups of users lose access to revoke/deny access to one user.

Is there anything I have missed to get this done? I cannot fathom an auth service which does not give me easy way to revoke access to user.

score 3 · Accepted Answer · answered Jul 13 '18 at 02:14

This is a common case with stateless JWT tokens issued with Cognito for authentication.

Once a user got hold of a token which valid for 1 hour, the token itself acts as the proof for authentication. The token is signed and issued by AWS and for validation it only requires to do a signature verification using a publickey.

The approach you can handle this is at the authorization layer in your application where you can check either the user is active/deactive in your database after the user successfully authenticates. You can further delete the user from Cognito where he is not able to login back again.

That is what we were considering. Thanks for confirming our thoughts. — asr9, Jul 13 '18 at 13:41

score 2 · Answer 2 · answered Jul 13 '18 at 08:35

2

I see what you are saying and as the other answer explained when the token is issued, the user can use the token until its expiry date. A solution to your problem can be handled two ways:

Cognito way: For this, you make two calls to Cognito, first if the user is enabled, second if so, authenticate its token.

DB way: You have a DB, which act as a "black list" holder, so when you want to disbale the user, the app, adds the username of the user to the DB. Therefore, when the user wants to authenticate, you first check with the DB (if the user is enabled), then check its cookie for authentication/authorization.

Note: If your user base is small, you could go the Cognito way, however there is a limit to Cognito calls, if you have a large user base; you should consider the second approach.

answered Jul 13 '18 at 08:35

o-0

1,713
14
29

I did not know about the limit to Cognito. Thanks for the useful info. – asr9 Jul 13 '18 at 13:42
@ASR no worries. Glad I could help. – o-0 Jul 14 '18 at 09:56
I found quota document here: https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html#operation-quotas:~:text=UserRead-,AdminGetUser,-GetUser – NiravAdatiya Nov 28 '22 at 10:38

Deleting cognito user & identity has no affect on user access

2 Answers2