dataviews

Reputation: 3130

aws cognito invalidate token on logout

I wasn't able to find clarity on the question, but I know JWT tokens are self-contained with their own expiration. Typically, a blacklist could contain "expired" tokens and prevent access to a route if the token is listed there.

I wanted to know: if using AWS Cognito, and calling the logout endpoint, does that actually blacklist the JWT token on the AWS side? There is an access token and a refresh token, so do both get invalidated, or could a user still log in with the token until the expiration time in the token is reached?

Upvotes: 5

Views: 10380

Answers (2)

Harpreet Singh

Reputation: 21

  • Signing out a user from Cognito does not invalidate the access token issued by Cognito. The last access token issued by Cognito is still valid in Cognito's system.
  • There is a RevokeToken API endpoint provided by Cognito, but this requires the ClientID, ClientSecret and Token for invocation. If your application does not use ClientSecret in your Cognito Pool, then this won't work.
  • I found this logout option to work in this scenario - redirect the user to the Cognito logout URL as follows -

https://COGNITO_DOMAIN/logout?client_id=APP_CLIENT_ID&logout_uri=SIGNOUT_URL

  • Redirecting the user to the Cognito logout url did the following -
  • It invalidated the current user session;
  • Invalidated all the issued tokens;
  • Next user login will be treated as a new login and hence will be asked to re-authenticate (through Google/Azure etc.)
  • The /logout endpoint is a redirection endpoint. It signs out the user and redirects either to an authorized sign-out URL for your app client, or to the /login endpoint. AWS Documentation says - "The logout endpoint is a front-end web application for interactive user sessions with your customers. Your app must invoke this and other hosted UI endpoints in your users' browsers." Meaning - this can be used only on the front end through browsers. If the value of SIGNOUT_URL is one of the Allowed sign-out URLs for your app client, Amazon Cognito redirects users to that URL.

Upvotes: 0

callo

Reputation: 1632

No, it does not. Calling the LogOut endpoint will invalidate any session you had with the Hosted UI / OAuth endpoints.

Another option is to call globalSignOut [1], and this will invalidate all of the user's access and refresh tokens (being used against the Cognito API).

However, the JWT tokens are still valid and, as you mentioned, are self-contained. There is no built-in blacklisting of tokens that your own servers could check in a scalable fashion. This is something you would need to implement yourself if desired.

[1] https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GlobalSignOut.html

Upvotes: 3
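To make the "implement it yourself" part of the answer above concrete, here is an added example (not code from the question, the answers, or AWS) of a logout denylist layered on top of ordinary JWT verification. Cognito signs tokens with RS256 and publishes a JWKS; to keep this runnable offline with the standard library, an HS256 shared secret stands in for that key, which is an assumption. The `Denylist` class, the `issue_token` helper and the `authorize` function are hypothetical names for this illustration. The design records, per user, the moment of logout, and rejects any token for that user whose `iat` predates it; entries can be dropped once the longest access-token lifetime has passed, because `exp` rejects those tokens on its own after that.

```python
"""Denylist on top of self-contained JWTs. Added example, not from the
original post or from AWS. HS256 with a constructed secret stands in for
Cognito's RS256/JWKS so it runs offline (assumption)."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

SECRET = b"constructed-demo-secret"  # stand-in for the Cognito signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, iat: int, ttl: int = 3600) -> str:
    """Mint an HS256 JWT carrying the claims this check relies on
    (sub, iat, exp). Stand-in for token issuance by Cognito."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": iat, "exp": iat + ttl, "token_use": "access"}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_signature(token: str) -> Optional[dict]:
    """Structure, pinned alg and HMAC check; returns claims or None.
    This is everything a self-contained JWT can tell you: nothing here
    knows about a logout that happened after the token was issued."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the alg; never accept "none"
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers base64, JSON and unpacking failures
        return None
    if not all(k in claims for k in ("sub", "iat", "exp")):
        return None
    return claims


class Denylist:
    """Per-user logout timestamps written by your logout handler.
    In production this map lives in a shared store (Redis, DynamoDB)
    so every API node sees the same revocations; a dict is used here."""

    def __init__(self, max_ttl: int = 3600):
        self.max_ttl = max_ttl  # longest access-token lifetime you issue
        self._logged_out_at: Dict[str, int] = {}

    def logout(self, sub: str, now: int) -> None:
        self._logged_out_at[sub] = now

    def prune(self, now: int) -> None:
        """Drop entries older than max_ttl: every token they could
        block has already expired, so exp alone rejects it."""
        self._logged_out_at = {
            s: t for s, t in self._logged_out_at.items() if now - t < self.max_ttl
        }

    def is_revoked(self, claims: dict) -> bool:
        cutoff = self._logged_out_at.get(claims["sub"])
        # <= so a token minted in the same second as the logout fails closed
        return cutoff is not None and claims["iat"] <= cutoff


def authorize(token: str, denylist: Denylist, now: int) -> bool:
    """What the API authorizer runs per request: signature, expiry,
    then the denylist. Order matters: never consult state for a
    token whose signature has not been checked."""
    claims = verify_signature(token)
    if claims is None or claims["exp"] <= now:
        return False
    return not denylist.is_revoked(claims)
```

The point the example makes is the one callo states: after `logout`, `verify_signature` still accepts the old token, because nothing in the token changed; only the external lookup in `authorize` turns it away. Keying the denylist by user and logout time rather than by individual token means a single write covers every token that user held, and the store never grows past one entry per user.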
