Hi everyone,
I'm working on a web application that uses API Gateway along with a Cognito Authorizer, and I'm trying to figure out how to revoke tokens effectively. My goal is to deny access to the API after a user logs out. Currently, I have two routes set up: one for IdTokens and another for access tokens, and I'm focusing on the access tokens for this issue.
I started with the Global Sign-Out API, but it requires an access token with the aws.cognito.signin.user.admin scope, which I've avoided giving to my users since it would allow them to modify their Cognito profiles. Instead, I attempted to use the token revocation endpoint provided by AWS, but it seems that even after revocation, API Gateway still accepts the access tokens. According to AWS documentation, revoked tokens are valid if they're only verified via a JWT library and not through Amazon Cognito APIs. I was hoping that the Cognito Authorizer would automatically deny revoked tokens.
Does anyone know how I can effectively log a user out and ensure that previously issued tokens can no longer be used to access the API? Thanks!
3 Answers
You might need a custom authorizer for your use case. Since JWTs are stateless, using a Cognito Authorizer won't allow you to deny access to revoked tokens. If you maintain a deny list in a DynamoDB and reference that in your custom authorizer, you can return a 403 status for revoked tokens while still decoding valid tokens.
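As an added example (not code from this thread or from AWS), here is what the deny-list custom authorizer described above can look like in Python: a toy HS256 issuer and in-memory dicts stand in for Cognito's RS256/JWKS verification and the DynamoDB table, and beyond the plain jti deny list it also records a per-user logout time so every token issued before the logout is rejected, not just the one presented at logout.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # stand-in for the user pool's JWKS keys
DENY_LIST = {}   # jti -> exp; stand-in for a DynamoDB deny-list table
LOGOUT_AT = {}   # sub -> logout time; tokens issued before it are dead

def _enc(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    # Toy HS256 issuer so the example runs offline (Cognito really uses RS256).
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_enc(sig)}"

def verify_token(token: str, now: int):
    # Signature and expiry only: this is all a stateless JWT check can do,
    # which is why a revoked-but-unexpired token still passes here.
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _dec(sig)):
        return None
    claims = json.loads(_dec(body))
    return claims if claims.get("exp", 0) > now else None

def revoke_on_logout(claims: dict, now: int) -> None:
    # Deny this token until it would expire anyway, and remember the logout
    # time so every earlier-issued token for the same user is rejected too.
    DENY_LIST[claims["jti"]] = claims["exp"]
    LOGOUT_AT[claims["sub"]] = now

def is_revoked(claims: dict) -> bool:
    return (claims["jti"] in DENY_LIST
            or claims.get("iat", 0) < LOGOUT_AT.get(claims["sub"], 0))

def authorize(token: str, method_arn: str, now: int = None) -> dict:
    # Lambda authorizer response; a Deny policy makes API Gateway return 403.
    now = int(time.time()) if now is None else now
    claims = verify_token(token, now)
    allow = claims is not None and not is_revoked(claims)
    statement = {"Action": "execute-api:Invoke", "Resource": method_arn,
                 "Effect": "Allow" if allow else "Deny"}
    return {"principalId": claims["sub"] if claims else "anonymous",
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}
```

In a real deployment the DynamoDB items should carry a TTL equal to the token's exp so the deny list cleans itself up, and the signature check would go through the pool's JWKS instead of a shared secret.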
Using JWTs doesn't have a built-in logout process since they are stateless. Once a token is issued, it's valid until it expires. If you're looking to enforce a logout feature, you'd have to rely on keeping track of revoked tokens somewhere, which is almost like reintroducing session management. I definitely recommend using short-lived tokens to minimize this issue.
Right, but don’t JWTs expire? That helps with some control, I suppose.
Revoking refresh tokens is key here. Think of access tokens like a driver's license—they’re good until they expire. You can wield short-lived access tokens and revoke the refresh token. When the access token expires, the user will need to request a new one using the refresh token. If that refresh token is revoked, they can no longer get a new access token, thus blocking their access after logout.
Exactly! Short token lifetimes help manage access without having to track state on your backend.
I wish the revocation directly affected access tokens, but as it stands, being smart with token lifetimes and refresh token management is the way to go.
Thanks for the clarity! It seems using a custom authorizer is the way forward for my project.