Hi,
I noticed that CognitoUser::signOut doesn't revoke the access token; it just clears it from the browser cache. Is there a way to revoke access and refresh tokens?
Hi, that is correct,
Signout presently doesn't revoke the access token. That is the behavior across all SDKs. There is no functionality to revoke the tokens currently.
Ionut.
Thank you.
Sorry, I have a follow-up question. This seems to be a security hole. An undesired user can gain access to my app/Cognito user pool for up to an hour if he somehow manages to get the access token. Other OAuth providers do provide a way to revoke tokens. Do you have plans to revoke tokens before User Pools go GA? Does anyone not see a problem with this?
Thanks for bringing this up srkprasadam, I will discuss the issue within the team.
Ionut.
Thanks for acknowledging the issue. Let me know if there is a way to create a bug and track it. Our org decided to hold off on using User Pools until this security issue is resolved.
You cannot revoke STS temporary credentials either (if you use Cognito Identity), see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html
For my use case, the ability to revoke the JWT/access token would not solve this issue. I don't believe this could be a blocking issue for us: if someone can access the token (which is stored in the browser), then the whole app would be compromised, and in a compromised browser we're not even sure that a revoke method would be called.
The question is not whether a revoke method can be called in a compromised browser. You never know how an unsuspecting hacker has plotted to get your access token. I don't want my users to even get into this state because of the design loophole and because of the sensitivity of the data. When they log out of my app, they are really logging out and aren't authorized any more.
@itrestian Hi, Any update on this after talking with your team ?
Hi, we will take this as a feature request and update this post if and when we release a solution for this. Thanks for raising this request.
Another use case we have that includes the need for this is the ability to list all authenticated sessions for a given user identity and then be able to "log them off remotely", ie: revoke credentials issued to a particular client.
We have released a global token revocation API that can be called from the client side. Access tokens and refresh tokens are revoked by calling this API.
Thank you.
But this global sign-out will kill all the tokens for all clients. For example, if a user is logged in from mobile, iPad and browser, and the intention is to kill just one client-specific token set, global sign-out would not help? Also, will this global sign-out kill the OpenID token from the federated pool? Or is there a separate API for that?
Regarding the new globalSignOut(callback) function, should the callback parameter be a JSON object (with onSuccess and onFailure keys) or a function? Its usage seems to be inconsistent among these three lines:

```javascript
return callback.onFailure(err);
return callback.onSuccess('SUCCESS');
return callback(new Error('User is not authenticated'), null);
```
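As an added example (not code from amazon-cognito-identity-js or from anyone in this thread), the inconsistency above can be absorbed on the caller's side: a function that also carries onSuccess and onFailure properties satisfies all three call sites. The `credentials` argument of the second helper stands for whatever AWS.config.credentials is in the calling app, and is an assumption; everything here runs offline.

```javascript
// Added example (not part of amazon-cognito-identity-js): one callback value that
// works however globalSignOut decides to invoke it. The library calls
// callback.onSuccess(result), callback.onFailure(err) and, on the
// not-authenticated path, callback(err, null). A function with onSuccess and
// onFailure properties satisfies all three; the `settled` flag guards against a
// caller that fires more than one of them.
function makeCognitoCallback(onDone, onError) {
  let settled = false;
  const settle = (fn) => (value) => {
    if (settled) return;
    settled = true;
    fn(value);
  };
  const done = settle(onDone);
  const error = settle(onError);
  const callback = (err, result) => (err ? error(err) : done(result));
  callback.onSuccess = done;
  callback.onFailure = error;
  return callback;
}

// Promise wrapper around CognitoUser.globalSignOut built on the callback above.
function globalSignOutAsync(cognitoUser) {
  return new Promise((resolve, reject) => {
    cognitoUser.globalSignOut(makeCognitoCallback(resolve, reject));
  });
}

// Server-side revocation first, then drop what the browser still caches.
// `credentials` stands for AWS.config.credentials in the calling app (assumed);
// clearCachedId() is the workaround posted later in this thread.
async function signOutEverywhere(cognitoUser, credentials) {
  await globalSignOutAsync(cognitoUser);
  cognitoUser.signOut(); // drop the tokens held in local storage
  if (credentials && typeof credentials.clearCachedId === 'function') {
    credentials.clearCachedId(); // drop the cached identity id / STS credentials
  }
}
```

Note that a successful globalSignOut only says the user pool has revoked the tokens; the ID token and any STS credentials already issued stay usable by other services until they expire, which is why the local cleanup is still needed.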
Could we re-open this issue? @lalithvaka is right and the issue is still not solved completely. Thanks!
Yep the issue is not solved also for me.
After I call globalSignOut successfully, the credentials stored in the SDK are still valid.
Are you referring to the access token, as in this issue? That should definitely get revoked, and refresh tokens as well. However, AWS credentials can still be used for up to 1 hour, and the ID token as well, because they can be used against services external to User Pools.
@kenji-isuntv I worked with the AWS Cognito team to get this taken care of, and it got released as a fix through the CLI as follows:

```sh
aws cognito-identity update-identity-pool --identity-pool-id <identity-pool-id> --identity-pool-name <identity-pool-name> --no-allow-unauthenticated-identities \
  --cognito-identity-providers ProviderName=cognito-idp.<region>.amazonaws.com/<user-pool-id>,ClientId=<app-client-id>,ServerSideTokenCheck=true
```
By setting the ServerSideTokenCheck to true on a Cognito Identity Pool, that Identity Pool will check with Cognito User Pools to make sure that the user has not been globally signed out or deleted before the Identity Pool provides an OIDC token or AWS credentials for the user.
Now we are running into another issue: this token is cached in API Gateway for 10 minutes, which lets that OIDC token stay active for 10 minutes even though the user has globally signed out.
After calling globalSignOut() and getting back a success callback, other signed-in sessions are not signed out: they are able to call my api gateway that authenticates against my cognito user pool. I'm using a cognito user pool (not a federated identity) so it doesn't seem like the CLI "ServerSideTokenCheck" setting referenced by @lalithvaka will fix my situation. Am I doing something wrong, or is globalSignOut broken?
Thanks!
I too am seeing this. If I call globalSignOut (or adminGlobalSignOut) on a user / accessToken, then I find that the user can still use the accessToken to access resources via API Gateway (using a Cognito User Pool authorizer).
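Added example, not code from this thread, from amazon-cognito-identity-js or from AWS: the decision logic of a custom (Lambda) authorizer that closes the gap the two comments above describe. The built-in user pool authorizer only validates the JWT's signature and expiry, so a token revoked by GlobalSignOut keeps working until it expires. The user pool itself does know: a user-pool API that takes the access token, such as cognito-idp GetUser, rejects a globally signed-out token with NotAuthorizedException (that behaviour, and the `cognitoIdp.getUser({ AccessToken })` wiring, are assumptions stated in the comments). Signature verification is assumed to have happened before this step, e.g. against the pool's JWKS; the `introspect` call is injected so the logic runs offline, and the demo token helper builds an unsigned, constructed token for that purpose only.

```javascript
// Added example (not from the library or AWS). Authorizer decision logic for
// API Gateway: local JWT checks first, then ask the user pool whether it still
// honours the access token. `introspect(jwt)` is expected to resolve when the
// pool accepts the token and reject with an error carrying
// code/name 'NotAuthorizedException' when it has been revoked (assumption, e.g.
//   (jwt) => cognitoIdp.getUser({ AccessToken: jwt }).promise()
// ). Signature verification (JWKS) is assumed to happen before authorize().

function decodeJwtPayload(jwt) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : [];
  if (parts.length !== 3) throw new Error('not a compact JWS');
  // Node's base64 decoder also accepts the base64url alphabet JWTs use.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Checks that need no network: right token type and not yet expired.
function localTokenStatus(payload, nowSeconds) {
  if (payload.token_use !== 'access') return 'wrong_token_use';
  if (!Number.isInteger(payload.exp) || payload.exp <= nowSeconds) return 'expired';
  return 'ok';
}

// Only NotAuthorizedException means "the pool no longer honours this token".
// Anything else (network error, throttling) is an outage: fail closed, but
// report it differently so operators can tell revocation from breakage.
function classifyIntrospectionError(err) {
  const code = err && (err.code || err.name);
  return code === 'NotAuthorizedException' ? 'revoked' : 'introspection_unavailable';
}

async function authorize(jwt, introspect, nowSeconds = Math.floor(Date.now() / 1000)) {
  let payload;
  try {
    payload = decodeJwtPayload(jwt);
  } catch (e) {
    return { allow: false, reason: 'malformed' };
  }
  const status = localTokenStatus(payload, nowSeconds);
  if (status !== 'ok') return { allow: false, reason: status };
  try {
    await introspect(jwt); // the user pool's answer is the source of truth
  } catch (err) {
    return { allow: false, reason: classifyIntrospectionError(err) };
  }
  return { allow: true, reason: 'ok', principalId: payload.sub };
}

// Constructed, unsigned demo token so the logic can be exercised offline.
// Never accept a token like this in production without signature verification.
function makeDemoJwt(payload) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${b64url({ alg: 'RS256', kid: 'demo' })}.${b64url(payload)}.demo-signature`;
}
```

Two deployment notes for this approach: every request now costs a user-pool API call, so budget for that quota, and the 10-minute caching complaint earlier in the thread applies here too. API Gateway caches authorizer results for the configured `authorizerResultTtlInSeconds`, so set it to 0 (or as low as you can tolerate) or a revoked token is accepted until the cache entry expires.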
@itrestian Please advise: any news about this? How can we revoke access from the token?
Thanks in advance !
Having the same problem as well!
Please add the ability to revoke access tokens from the server side and console. This is a huge oversight in the Cognito system. Other than that, this is great AWS tool.
Have the same issue; calling globalSignOut does not sign cognitoUser out.
Does anyone know if there has been any progress on this front?
This is a huge stopper, especially in cases where you want to sign out all previously signed-in devices and not the current device. Any update is much appreciated.
I too have the same issue; please provide a method to revoke the temporary credentials.
As a temporary workaround I put the line below after the signOut() call. It is working for me.

```javascript
AWS.config.credentials.clearCachedId()
```
Hi All, I don't really see this issue being resolved. Is there a clear resolution on this?
```javascript
this.signOutHandler = function() {
  //this.cognitoUser.signOut();
  this.cognitoUser.globalSignOut({
    onSuccess: function(result) {
      console.log(result);
    },
    onFailure: function(err) {
      alert(err);
    }
  });
}
```
I can see the onSuccess callback function getting called, but the jwtToken is still usable!
This is a blocker for us.
Please advise.
Hello. Are GlobalSignOut and AdminUserGlobalSignOut available for Developer Authenticated Identities in Cognito? I went through the documentation and the SDKs; it wasn't mentioned anywhere. Looking at it, I feel that it may not be. @itrestian, if you would be so kind as to look into this, please.
Update: after talking to the AWS team, I got clarification that the methods are in fact not available for Cognito Federated Identity pools and are only supported in Cognito User Pools. That is a huge problem for those of us looking to work with Cognito Federated Identity pools!
What is the purpose of the sign-out function if it does not invalidate the session token?