
On calling the signOut() method, session tokens like the id token and access token are just removed from localStorage. We are using the Auth class from aws-amplify: https://aws-amplify.github.io/amplify-js/api/classes/authclass.html

```javascript
Auth.signOut()
  .then(() => {
    // tokens are gone from localStorage at this point, but nothing was revoked server-side
  })
  .catch(err => { logger.debug(err); this.error(err); });
```

They are still valid for the lifecycle of the token (by default for 1 hour). How can we explicitly invalidate the id token and access token so that any intruder can't get hold of these and make API calls? If anyone has an idea on this, please let me know.

Thanks

Ashy Ashcsi
  • You keep the access key id in the local storage of the browser, is that right? Not the JWT? – Spiff Oct 13 '22 at 15:02
  • Yes, right. Not the JWT. But the id token and access token are used to access resources like AWS AppSync. Anyone can retrieve both these values and form an auth token. – Ashy Ashcsi Oct 13 '22 at 15:52
  • Can we configure it not to store them in cookies, by any chance? – Ashy Ashcsi Oct 13 '22 at 16:03
  • https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html#amazon-cognito-identity-user-pools-revoking-all-tokens-for-user – Spiff Oct 13 '22 at 17:20
  • https://stackoverflow.com/questions/53415086/cannot-sign-out-the-user-from-aws-cognito – Spiff Oct 13 '22 at 17:23
  • I am not sure how not to store to local storage when using Amplify. But it seems the token can be invalidated after the user logs out. – Spiff Oct 13 '22 at 17:25
  • So as per the docs, if we use globalSignOut() it will invalidate the tokens used. Also, how can we use Amplify.configure() to not store tokens in the cookies? – Ashy Ashcsi Oct 14 '22 at 01:13
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/248790/discussion-between-ashy-ashcsi-and-spiff). – Ashy Ashcsi Oct 14 '22 at 04:26
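The two points raised in the question and comments (keep tokens out of localStorage, and revoke them on sign-out instead of only forgetting them) as an added example; this is not code from the question or from aws-amplify. It assumes Amplify's custom storage contract (setItem/getItem/removeItem/clear plus an optional sync()) and the `Auth.signOut({ global: true })` option, which calls Cognito GlobalSignOut; the storage keys and the `auth` object used in the helper are constructed for the example.

```javascript
// In-memory token store to pass to Amplify.configure({ Auth: { storage } }) so tokens
// live only for the page lifetime instead of persisting in localStorage (assumed contract).
class MemoryStorage {
  constructor() { this.data = new Map(); }
  setItem(key, value) { this.data.set(key, String(value)); return String(value); }
  getItem(key) { return this.data.has(key) ? this.data.get(key) : null; }
  removeItem(key) { this.data.delete(key); }
  clear() { this.data.clear(); }
  // Amplify may call sync() before reading a custom store; there is nothing to load here.
  sync() { return Promise.resolve(); }
}

// Wiring with Amplify (not executed here):
//   import { Amplify, Auth } from 'aws-amplify';
//   const storage = new MemoryStorage();
//   Amplify.configure({ Auth: { storage } });
//   ... later: await secureSignOut(Auth, storage);

// Sign out so the session is revoked server-side, not merely dropped by the browser.
// `auth` is Amplify's Auth object (or anything with the same signOut signature, as in tests).
// Returns { revoked, error } so the caller can tell whether GlobalSignOut actually ran.
async function secureSignOut(auth, storage) {
  let revoked = false;
  let error = null;
  try {
    // global: true -> Cognito GlobalSignOut: revokes the user's refresh tokens on every
    // device, so no new access/id tokens can be minted for this session. Services that only
    // verify the JWT signature locally may still accept the existing tokens until they
    // expire, which is why short token lifetimes still matter.
    await auth.signOut({ global: true });
    revoked = true;
  } catch (err) {
    // Offline or session already gone: revocation did not happen; still wipe the local copy.
    error = err;
  } finally {
    storage.clear();
  }
  return { revoked, error };
}
```

If `revoked` comes back false, the tokens were wiped locally but the refresh token is still live at Cognito, so the caller should surface that rather than treat the sign-out as complete.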

0 Answers