7
votes

I am building a serverless React app that uses Cognito for sign-in/sign-out. The app calls API Gateway, which is configured to use the Cognito User Pool as the custom authorizer.

I also built a Lambda function to sign out a user (cognitoIdentityServiceProvider.globalSignOut).

When I sign in to the app and then call the Lambda function to perform an admin sign-out, calls to protected API Gateway functions from the app are still valid (with the Cognito ID token passed in the Authorization header).

Are admin calls such as cognitoIdentityServiceProvider.globalSignOut and cognitoIdentityServiceProvider.adminUserGlobalSignOut not real-time, or is API Gateway configured to validate only after an hour?

3 Answers

4
votes

These are the default settings of the Cognito user pool. The access token expires one hour after the user authenticates. It should not be processed after it has expired.

You can revoke all of a user's tokens, though, using the GlobalSignOut and AdminUserGlobalSignOut APIs. After the user has been signed out:

  • The user's refresh token cannot be used to get new tokens for the user.
  • The user's access token cannot be used against the user pools service.
  • The user must reauthenticate to get new tokens.

An app can use the GlobalSignOut API to allow individual users to sign themselves out from all devices. Typically an app would present this option as a choice, such as Sign out from all devices. The app must call this method with the user's valid, nonexpired, revoked access token. This method cannot be used to allow a user to sign out another user.

An administrator app can use the AdminUserGlobalSignOut API to allow administrators to sign out a user from all devices. The administrator app must call this method with AWS developer credentials and pass the user pool ID and the user's username as parameters. The AdminUserGlobalSignOut API can sign out any user in the user pool.

Please have a look at the official documentation: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html

4
votes

Just found the answer, unfortunately not what I wanted to hear:

Because the IdToken is represented as a JSON Web Key Token, it's signed with a secret or a private/public key pair, which means that even if you revoke the IdToken, there is no way to revoke the distributed public key. And the IdToken has a short life span; it will expire in a short time.

Is it possible to revoke AWS Cognito IdToken?

https://github.com/aws/aws-sdk-js/issues/1687

https://github.com/aws/amazon-cognito-identity-js/issues/21

3
votes

I am on the Cognito team. globalSignOut revokes the access token and the refresh token. The ID token is a bearer token that is used with systems external to User Pools. API Gateway will still accept it, but its validity is 1 hour.