Amplify-js: How to detect revoked access token

Created on 10 Oct 2019 · 11 Comments · Source: aws-amplify/amplify-js

* Which Category is your question related to? *
Authentication
* What AWS Services are you utilizing? *
Cognito
* Provide additional details e.g. code snippets *
I am using globalSignOut to revoke the access token for a User. My Java code checks the validity of the access token but does not detect a revoked access token since this information is not included in the token. How can I check if a token has been revoked?

Labels: Auth, Cognito, Security, duplicate, question


All 11 comments

@madmed88 Can you provide a little more information on this? Are you using Amplify with this? If so, can you provide the versions of Amplify you are experiencing this with?

I am using amplify in the front end, and calling Auth.signOut({ global: true }) when a user changes his password.
If someone else is using the same user I want it to be logged out automatically.
globalSignOut is revoking the access token but I am still able to use that token with my API.
I am using this code to validate the token: https://github.com/awslabs/aws-support-tools/blob/master/Cognito/decode-verify-jwt/decode-verify-jwt.ts but there is no way to know if a token has been revoked.

For me, calling Auth.signOut({ global: true }) only seems to log out the user locally.
No request is sent to Cognito when calling it, so it looks like a bug?

Make sure you are sending them to the signout endpoint.

https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html

Hi @madmed88 & @LanderN - are you still experiencing issues with this?

I've given up on using amplify framework (and aws-amplify-angular in particular) and am using cognito-identity-js directly now. While I am still disappointed by the shortcomings of Cognito (those have been reported by others in other issues, so I won't list them here), the "lower-level" library seems to work much better, because every layer of abstraction seems to break some more stuff.

In addition, I would like to express my disappointment in the support given for this library. People are reporting very real issues and they get ignored for months, after which the issue gets closed. Some people (myself included) try to fix the issues themselves, only to get ignored some more.
While I understand managing something like this is hard, I expected some more professionalism from AWS.

Hi @LanderN -- so sorry to hear about your frustrations with communication from the Amplify team. This is something we are addressing actively this quarter and will hopefully lead to visible improvements soon. It looks like there was some confusion on this issue -- today, Amplify does not invalidate tokens globally. There is a FR here. I also see your PR and I'm having someone review that ASAP. Please let me know if there's anything I can help with.

Hi @mauerbac! I'm glad to hear that the team is working on improving the communication.
The comment I posted in October is admittedly beside the point of this issue, it was posted while looking for potential causes for an issue I was having and had not yet found the root cause.
That said, I would like to see the feature implemented, so I gave it a thumbs up.

I did notice some highly necessary changes happening the last few months (this one in particular) and the update to aws-sdk-js-v3 seems promising as well. I hope this trend continues and Cognito and Amplify continue improving!

The original issue raised by @madmed88 seems consistent with https://github.com/aws-amplify/amplify-js/issues/3435#issuecomment-597851340. If this is indeed a duplicate, we can close and have everyone subscribed to #3435 (tracked as a feature request for the Cognito service team), since we're dependent on that functionality for our library.

In short, once tokens are revoked, the credentials (JWT) are valid until they expire (defaults to 1 hour):

https://docs.amplify.aws/lib/auth/emailpassword/q/platform/js#global-sign-out
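The conclusion above, that a revoked Cognito access token stays a valid JWT until it expires, means a resource server can only learn about a global sign-out out of band. The following is an added example, not amplify-js or AWS code: it assumes the RS256 signature has already been verified against the user pool's JWKS (for instance with the decode-verify-jwt helper linked earlier in the thread) and layers the usual claim checks plus a server-side revocation cutoff on top. The pool id, client id, user id, timestamps and signature segment are constructed placeholders.

```typescript
interface AccessClaims {
  sub: string;       // user id (Cognito "sub")
  iss: string;       // https://cognito-idp.<region>.amazonaws.com/<user pool id>
  client_id: string; // app client id
  token_use: string; // "access" or "id"
  iat: number;       // issued-at, epoch seconds
  exp: number;       // expiry, epoch seconds (default lifetime is 1 hour)
}
const b64url = {
  encode: (s: string) => Buffer.from(s, "utf8").toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_"),
  decode: (s: string) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8"),
};

export function decodeClaims(jwt: string): AccessClaims {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(b64url.decode(parts[1])) as AccessClaims;
}
// Server-side record of when each user's previously issued tokens stopped being
// acceptable. The server fills it from its own password-change / sign-out handling,
// because nothing inside the JWT signals a global sign-out.
export class RevocationRegistry {
  private cutoff = new Map<string, number>();
  revokeIssuedUpTo(sub: string, epochSeconds: number): void { this.cutoff.set(sub, epochSeconds); }
  isRevoked(c: AccessClaims): boolean {
    const t = this.cutoff.get(c.sub);
    return t !== undefined && c.iat <= t; // same-second issuance is rejected too (fail closed)
  }
}

export type Verdict = "ok" | "not-access-token" | "wrong-issuer" | "wrong-client" | "expired" | "revoked";

export function checkAccessToken(jwt: string, expected: { iss: string; clientId: string },
                                 registry: RevocationRegistry, now: number): Verdict {
  const c = decodeClaims(jwt);
  if (c.token_use !== "access") return "not-access-token";
  if (c.iss !== expected.iss) return "wrong-issuer";
  if (c.client_id !== expected.clientId) return "wrong-client";
  if (c.exp <= now) return "expired";
  if (registry.isRevoked(c)) return "revoked"; // the only check that can see the global sign-out
  return "ok";
}

// Constructed sample token (placeholder pool/client ids, placeholder signature segment).
export function sampleToken(over: Partial<AccessClaims> = {}): string {
  const claims = { sub: "user-1", iss: "https://cognito-idp.eu-west-1.amazonaws.com/POOL_ID_PLACEHOLDER",
    client_id: "CLIENT_ID_PLACEHOLDER", token_use: "access", iat: 1000, exp: 4600, ...over } as AccessClaims;
  return `${b64url.encode('{"alg":"RS256","kid":"KID_PLACEHOLDER"}')}.${b64url.encode(JSON.stringify(claims))}.SIGNATURE_PLACEHOLDER`;
}
```

Cognito's own GetUser API rejects an access token after a global sign-out, so calling it on every request is the alternative to a registry like this; either way revocation costs one lookup per request, because the token alone cannot reveal it.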

Yes I can confirm that it's a duplicate of #3435

Thanks for the update @madmed88! I'll close so we can continue in #3435.

Since that has more 👀 on it, feel free to subscribe, add a reaction (we use those as a prioritization metric!), or comment with your experience.
