
I have set up an API Gateway authenticated using AWS Cognito. Once the user signs in, I use the following script to verify their credentials:

const AWS = require('aws-sdk');

// Server-side username/password sign-in (ADMIN_NO_SRP_AUTH must be enabled on the app client).
// APP_CLIENT_ID and USER_POOL_ID are configured elsewhere in the function.
async function signIn(username, password) {
    const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
    const params = {
        AuthFlow: 'ADMIN_NO_SRP_AUTH',
        ClientId: APP_CLIENT_ID,
        UserPoolId: USER_POOL_ID,
        AuthParameters: {
            'USERNAME': username,
            'PASSWORD': password,
        },
    };
    return cognitoidentityserviceprovider.adminInitiateAuth(params)
        .promise();
}

And this will return a JSON like so:

{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "AccessToken": "....",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "....",
        "IdToken": "...."
    }
}

On the client side, I will take note of the IdToken and include it as a header with a name mentioned in the API Gateway's Authorizer.

Now, I'm trying to create a lambda function to sign the user out. So far, I've got this:

const AWS = require('aws-sdk');

// Global sign-out for the given user (invalidates their access and refresh tokens).
async function signOut(username) {
    const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
    const params = {
        UserPoolId: USER_POOL_ID,
        Username: username,
    };
    return cognitoidentityserviceprovider.adminUserGlobalSignOut(params)
        .promise();
}

When I send a request to call this code, everything works just fine (no error is thrown), but the IdToken is still valid and I can still make authenticated requests with it. My question is, what is the proper way of signing out a user, and why is this not working?

Mehran

1 Answer


You are right. This is the current behavior of Amazon Cognito tokens. If you do a global sign-out, then your AccessToken and RefreshToken will be expired.

But your IdToken will still be valid for up to 1 hour.

If you call Global SignOut again, then you will see the message that the access token is expired.

I hope this helps!

Jayesh Dhandha
  • Thanks for the answer. I just called Global SignOut twice (even more) but it did not help. BTW, the API call does not return anything, just an empty object (both times). – Mehran Nov 22 '18 at 14:14
  • Strange! I tried running the global signout command from the CLI and it clearly says `access token is revoked or expired`. Have you checked using the SDK or the AWS CLI? – Jayesh Dhandha Nov 23 '18 at 05:52
  • As mentioned in the question, I used Lambda functions implemented in Node.js. To be honest, I don't care about the AWS CLI at this point. – Mehran Nov 23 '18 at 12:11
  • Then you must not be invoking global sign out properly, because in the end your SDK should behave and respond the same as the actual AWS CLI does. – Jayesh Dhandha Nov 23 '18 at 12:13
  • I'm not rejecting the possibility that I might be doing something wrong. But at the same time, I have provided my exact code here. Please let me know what I'm doing wrong. Thanks. – Mehran Nov 23 '18 at 12:21
  • @Mehran old post, but maybe it helps others: the issue is that you're not supposed to rely on the ID token for authentication (since it cannot be revoked); you should always check the access token and, if that is valid, then retrieve whatever info you need from the ID token. – Agost Biro Nov 22 '19 at 19:02
  • AWS docs source for the info in the answer: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-identity (bottom of the page) – Agost Biro Nov 22 '19 at 19:05
  • To phrase it more precisely (can't edit anymore): you should rely on Cognito verifying the validity of the access token, since they presumably have a database of revoked tokens. Without that it's not possible to revoke a JWT before its expiry. – Agost Biro Nov 22 '19 at 19:17
  • In case the token is already expired and I invoke global signout, AWS renews my token and sets it in local storage. So I have to call globalSignout again once the call is completed. But I don't know how to do that. Any idea? – Naman Jain Aug 05 '20 at 17:41
  • How is AWS able to store tokens in local storage? Local storage should be managed by our application only. AWS has no rights to access our local storage. – Jayesh Dhandha Aug 07 '20 at 08:35
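Following the answer and Agost Biro's comments, here is an added example (not code from the question, the answer, or AWS) of what a Lambda authorizer should check instead of accepting the ID token: the presented JWT must be an access token for the expected app client, and Cognito's getUser is consulted so that a token invalidated by adminUserGlobalSignOut is rejected even though its signature and expiry are still fine. The function names and the injected `cognito` client parameter (an aws-sdk v2 CognitoIdentityServiceProvider in practice) are my own assumptions.

```javascript
// Added example, not from the original post. The aws-sdk v2 client is passed in as a
// parameter so the decision logic can be exercised offline with a stub client.

// Decode the JWT payload WITHOUT trusting it: this only tells us which token we were given.
// Signature verification against the user pool's JWKS must still be done by the authorizer.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  // Node's base64 decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Reject anything that is not an access token for our app client. The ID token cannot be
// revoked by adminUserGlobalSignOut, so accepting it keeps a signed-out user logged in
// until it expires (the behaviour seen in the question).
function checkTokenUse(payload, expectedClientId) {
  if (payload.token_use !== 'access') return { ok: false, reason: 'expected an access token' };
  if (payload.client_id !== expectedClientId) return { ok: false, reason: 'wrong client_id' };
  if (payload.exp * 1000 <= Date.now()) return { ok: false, reason: 'expired' };
  return { ok: true, reason: '' };
}

// Ask Cognito whether the access token is still live. After a global sign-out, getUser
// rejects with NotAuthorizedException ("Access Token has been revoked"); a locally valid
// signature alone cannot tell you that.
async function isSessionLive(cognito, accessToken) {
  try {
    await cognito.getUser({ AccessToken: accessToken }).promise();
    return true;
  } catch (err) {
    if (err && err.code === 'NotAuthorizedException') return false;
    throw err; // network or throttling errors are not a "revoked" verdict
  }
}

// Constructed, unsigned sample tokens for local demonstration only. Never accept
// unsigned JWTs in a real authorizer.
function sampleToken(claims) {
  const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${b64url({ alg: 'none' })}.${b64url(claims)}.`;
}
```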