Cognito access token not expiring after user logout

Question

In our web application we are using cognito as a authenticator. Whenever user is logout from application access token is not expring it still validating another session. For security issues in our organisation we need to invalid the token after user log out from application

Answer

You can revoke tokens using the [RevokeToken API](https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html). Revoking the refresh token also revokes all access tokens associated with it.

Keep in mind that JWTs are self contained and it is up to recipient of the JWT to validate if it has been revoked, if that is needed.

Answer

You may always revoke the JSON Web Token (JWT) using the RevokeToken API when the user logs out from the application. You may also configure a tighter JWT session if this is better for your application security. This can be configured from 5 minutes to 24 hours (1 day). It should be noted that when using the Amazon Cognito HostedUI, the session cookie is cached for a minimum of 1 hour and any access token configured for a shorter time would not be honored through the HostedUI.

You can find explicit details in the Amazon Cognito documentation on User Pool Access Tokens JWTs here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html

Cognito access token not expiring after user logout

関連するコンテンツ