nilobarp

Reputation: 4084

AWS Cognito single use access token

Is there a way to issue access tokens that are valid for a single use? My use case is to invoke Lambda functions from the browser, but I want to restrict the number of invocations to one per token.

If a short-lived token is issued, there is still potential for it to be used for multiple invocations.

I am using DeveloperAuthenticatedIdentities to issue the temporary tokens.

Upvotes: 0

Views: 1600

Answers (3)

Yahya Hussein

Reputation: 9121

For limiting usage, I think the best approach will be using usage plans.

It is not a token responsibility to restrict usage, API Key is there for that purpose.

Have a look at this AWS page.

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html

Upvotes: 0

o-0

Reputation: 1799

AWS Cognito is not designed for that; however, you could achieve this by throwing undesired expensive computation at it:

  1. Your API/app adds the user on behalf of the admin.
  2. Your API/app removes the confirmed user after a certain amount of time.

You could see that this approach is not feasible even for low number of users.

Better approach, if the routes are unique (still using Cognito)

  1. Same as above.
  2. You have the list of routes, as bucket names, in S3; each has a file that contains something like

    { accessed: false }

If the user uses the token to access the route, your app checks for the above, grants the access, and sets it to true. You could even not have the above file and just the buckets, which represent the routes and get removed upon being accessed.

Much Better approach

  1. The application could generate/verify short-expiry JWT tokens to support short-lived authorized users. The downside here is the development time, which might lead to security risks if the application is not thoroughly tested.

  2. Same as the above approach (using S3).

Upvotes: 0

Kannaiyan

Reputation: 13055

There is no such thing with AWS Cognito.

You can implement a custom Authorizer with API Gateway to manage your invocation count. If the same URL is accessed more than once, you can deny the service.

More info on Custom Authorizers.

https://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html

Hope it helps.

Upvotes: 1
