
AWS Cognito has API methods GlobalSignout and AdminUserGlobalSignout that can be used to revoke the access and refresh tokens issued for a user in a user pool (but not the ID token). However, the access token issued using the client credentials flow has no associated user. GlobalSignout fails with an error and AdminUserGlobalSignout requires a username, of which there is none in this context.

The token is short-lived, but in a situation where access tokens have been compromised, revoking the token in a way similar to that described in RFC 7009 would be great peace of mind.

I haven't found anything indicating it is possible to explicitly revoke the token before it expires. Is there any facility to do this?

Zach

1 Answer


Maybe one day Cognito will have this and other essential features but it is not for today. The best advice is to validate tokens in your authorization code.

When you are ready to revoke a user's tokens, make a call to CognitoIdentityServiceProvider.globalSignOut().

Then, wherever you are doing the token validation, add an extra check with a call to CognitoIdentityServiceProvider.getUser(). If the call succeeds, the tokens haven't been revoked. If it fails, they are not authorized.

By the way, the 'sub' field in the Access Token is a unique ID that can be matched back to the ID Token. While the username can change for a Cognito User, this value should remain constant.

daktaklakpak
  • The question is not about revoking a user's tokens, but about revoking oauth2 access tokens returned by the client credentials authorization flow for an app client. – Zach Sep 14 '19 at 23:10
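An added example, not code from the answer's author or from AWS, wiring the answer's two steps together: revoke with GlobalSignOut, then treat an access token as live only while GetUser still accepts it. As the comment above points out, both calls need a user-bound token, so this pattern does not reach client-credentials tokens. The Cognito client is injected so the logic runs offline against a constructed stub; with the AWS SDK for JavaScript v2 you would pass `new AWS.CognitoIdentityServiceProvider({ region })`, whose `getUser` and `globalSignOut` methods take the same `{ AccessToken }` parameter and expose `.promise()` as assumed here. The token strings and usernames are constructed sample data.

```javascript
// Added example (not the answer author's or AWS's code). Assumes the SDK v2
// call shape `client.getUser({ AccessToken }).promise()`; the client is
// injected so a stub can stand in for CognitoIdentityServiceProvider offline.

// Step 1: revoke. GlobalSignOut invalidates every access and refresh token
// issued to the user who owns this access token (ID tokens are unaffected).
async function revokeUserTokens(client, accessToken) {
  await client.globalSignOut({ AccessToken: accessToken }).promise();
}

// Step 2: the extra check in the authorizer. Only NotAuthorizedException
// means "revoked"; anything else (throttling, network, misconfiguration) is
// rethrown so the caller can fail closed without treating an outage as a
// revocation.
async function checkTokenNotRevoked(client, accessToken) {
  try {
    const user = await client.getUser({ AccessToken: accessToken }).promise();
    return { ok: true, username: user.Username };
  } catch (err) {
    if (err && err.code === "NotAuthorizedException") {
      return { ok: false, reason: err.message };
    }
    throw err;
  }
}

// Constructed stub standing in for CognitoIdentityServiceProvider. Tokens map
// to usernames; a sign-out removes every token of that user, as Cognito does.
// The token "tok-outage" simulates a service error rather than a revocation.
function makeStubCognito(tokenOwners) {
  const owners = new Map(Object.entries(tokenOwners));
  const cognitoError = (code, message) => Object.assign(new Error(message), { code });
  const lookup = (AccessToken) => {
    if (AccessToken === "tok-outage") throw cognitoError("ServiceUnavailable", "simulated outage");
    const username = owners.get(AccessToken);
    if (!username) throw cognitoError("NotAuthorizedException", "Access Token has been revoked");
    return username;
  };
  return {
    getUser: ({ AccessToken }) => ({
      promise: async () => ({ Username: lookup(AccessToken), UserAttributes: [] }),
    }),
    globalSignOut: ({ AccessToken }) => ({
      promise: async () => {
        const username = lookup(AccessToken);
        for (const [tok, owner] of owners) if (owner === username) owners.delete(tok);
        return {};
      },
    }),
  };
}

// Walk through the sequence: alice holds two tokens, bob one (constructed data).
async function demo() {
  const client = makeStubCognito({
    "tok-alice-1": "alice",
    "tok-alice-2": "alice",
    "tok-bob-1": "bob",
  });
  const before = await checkTokenNotRevoked(client, "tok-alice-1");
  await revokeUserTokens(client, "tok-alice-1");
  const aliceOther = await checkTokenNotRevoked(client, "tok-alice-2"); // revoked too
  const bob = await checkTokenNotRevoked(client, "tok-bob-1");          // unaffected
  let outageRethrown = false;
  try {
    await checkTokenNotRevoked(client, "tok-outage");
  } catch (e) {
    outageRethrown = e.code === "ServiceUnavailable";
  }
  return { before, aliceOther, bob, outageRethrown };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Note that this adds one Cognito API call per authorized request, so in a real deployment the authorizer pays the latency and the API rate limit of GetUser on every call; the distinction between NotAuthorizedException and other errors is what keeps a Cognito outage from being recorded as a revocation.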