cleg

Reputation: 5022

Invalidate AWS Cognito token at logout

I'm building a Swift application with a Python backend, and I'd like to use AWS Cognito for the authentication and registration flow.

Currently, I'm using the following code to log in:

let user = pool?.getUser(email)
user?.getSession(email, password: password, validationData: nil)
    .continueWith { task in
        // handle error/success

        return nil
    }

The pool is initialized above, using the self.pool = AWSCognitoIdentityUserPool.default() call.

On app startup, I check whether the user is authenticated and get its access_token:

if AWSSignInManager.sharedInstance().isLoggedIn {
    if let user = pool?.currentUser() {
        user.getSession()
            .continueWith { task in
                token = task.result?.accessToken?.tokenString

                return nil
            }
    }
}

And I'm passing this token to the backend. On the backend, I get the user's data via the Python Warrant library:

from warrant import Cognito

u = Cognito("id", "key", user_pool_region="us-east-1")
u.access_token = "token"

res = u.get_user(attr_map={"sub": "user_id", "email": "email"})

If the token is valid, I get the user's data; otherwise, an exception is raised. But after the logout on the client, this token is still alive. I'm using the following logout code:

AWSSignInManager.sharedInstance().logout { (result: Any?, error: Error?) in
    // handle results
}

I understand that this token will expire after some timeout and won't be refreshed, as on the next login the user will get another access/refresh token pair, but I'd like to invalidate the token immediately on signout. Is that possible? Or do I not understand Cognito and am using it incorrectly?

Upvotes: 0

Views: 2852
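The behaviour described in the question (the client's logout call clears local state, but the access token the backend already received keeps working until it expires) is what you get with any stateless JWT. The added example below, which is not code from the question or from the Warrant library, shows the backend side of an immediate logout: the usual claim checks on a Cognito access token plus a short-lived revocation list keyed on the token's jti claim, populated by the logout endpoint and pruned once the token would have expired anyway. Signature verification of the RS256 token against the user pool's JWKS is assumed to be done by a JWT library before these checks run; it is not implemented here. The user pool issuer, app client id and every claim value are constructed, as is the make_demo_token helper that builds a token with a placeholder signature segment.

```python
"""Server-side revocation of Cognito access tokens at logout (added example).

Signature verification (RS256 against the user pool JWKS) is assumed to have
already happened in a JWT library; the functions here take verified claims.
"""
import base64
import json
import time

# Constructed identifiers standing in for a real user pool and app client.
USER_POOL_ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token: str) -> dict:
    """Return the payload of a compact JWT (header.payload.signature).

    Only the encoding is handled here; the signature is NOT checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


class RevocationList:
    """jti values revoked at logout, each kept only until the token's own
    exp, so the list stays bounded by the number of live tokens."""

    def __init__(self):
        self._revoked = {}  # jti -> exp (unix seconds)

    def revoke(self, claims: dict) -> None:
        # Called by the logout endpoint with the claims of the presented token.
        self._revoked[claims["jti"]] = int(claims["exp"])

    def prune(self, now: float) -> None:
        for jti, exp in list(self._revoked.items()):
            if exp <= now:
                del self._revoked[jti]

    def is_revoked(self, jti: str, now: float) -> bool:
        self.prune(now)
        return jti in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


def check_access_token(claims: dict, revoked: RevocationList, now=None) -> str:
    """Return 'ok' or the reason a (signature-verified) token is rejected.

    token_use, iss, client_id and exp are the claim checks Cognito documents
    for access tokens; the revocation lookup is what makes logout take effect
    before exp.
    """
    now = time.time() if now is None else now
    if claims.get("token_use") != "access":
        return "wrong token_use"       # id tokens must not be accepted here
    if claims.get("iss") != USER_POOL_ISS:
        return "wrong issuer"
    if claims.get("client_id") != APP_CLIENT_ID:
        return "wrong client_id"
    if int(claims.get("exp", 0)) <= now:
        return "expired"
    if revoked.is_revoked(claims.get("jti", ""), now):
        return "revoked"
    return "ok"


def make_demo_token(claims: dict) -> str:
    """Constructed test data: a compact JWT with a placeholder signature.
    A real Cognito token carries an RS256 signature in the third segment."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'RS256', 'kid': 'demo-kid'})}.{seg(claims)}.placeholder-signature"


def demo():
    """Token accepted, then revoked at logout, then dropped from the list at exp."""
    now = 1_700_000_000  # constructed 'current time'
    claims = {"sub": "user-id-example", "token_use": "access", "iss": USER_POOL_ISS,
              "client_id": APP_CLIENT_ID, "jti": "jti-1", "iat": now, "exp": now + 3600}
    token = make_demo_token(claims)
    revoked = RevocationList()
    before = check_access_token(unverified_claims(token), revoked, now)
    revoked.revoke(unverified_claims(token))   # what the logout endpoint does
    after = check_access_token(unverified_claims(token), revoked, now + 1)
    revoked.prune(now + 3601)                  # token has expired on its own
    return before, after, len(revoked)


if __name__ == "__main__":
    print(demo())  # ('ok', 'revoked', 0)
```

The list is in-process here; in a real deployment it lives in a shared store (for example a cache with per-key TTL set to the token's remaining lifetime) so every backend instance sees the same revocations. The expiry check runs before the revocation lookup, so nothing is ever kept past exp, and the checks reject id tokens (token_use "id") because they carry a different audience claim and are not meant for API authorization.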

Answers (1)

Jonathan Wong

Reputation: 480

After scouring through GitHub and the AWS forums, I found a (semi) answer to this question by chris radek, a contributor to the aws-sdk for js.

Here is that discussion: https://github.com/aws/aws-sdk-js/issues/1241

If you don't want to read all of it, basically, chris says that it's standard for the tokens to be valid for an hour, but by modifying a certain parameter you can cut that down to a minimum of 15 minutes. You cannot, however, invalidate a token immediately on signout.

Here are the JavaScript docs that describe how to cut down the duration: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityCredentials.html#params-property

https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/STS.html#assumeRoleWithWebIdentity-property

The AWS Documentation over the topic: https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html

https://forums.aws.amazon.com/thread.jspa?threadID=232652

Here is the matching function that can be called from Python: https://boto3.readthedocs.io/en/latest/reference/services/cognito-identity.html#CognitoIdentity.Client.get_open_id_token_for_developer_identity

This is where the token duration can be changed!

Upvotes: 2
