By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Cognito access token not expiring after user logout

0

In our web application we are using cognito as a authenticator. Whenever user is logout from application access token is not expring it still validating another session. For security issues in our organisation we need to invalid the token after user log out from application

Topics
Security, Identity, & Compliance
Tags
Amazon Cognito
Language
English
rePost-User-7602336
asked a year ago1106 views
2 Answers
0

You can revoke tokens using the RevokeToken API. Revoking the refresh token also revokes all access tokens associated with it.

Keep in mind that JWTs are self contained and it is up to recipient of the JWT to validate if it has been revoked, if that is needed.

profile pictureAWS
Pontus Palmenas
answered a year ago
0

You may always revoke the JSON Web Token (JWT) using the RevokeToken API when the user logs out from the application. You may also configure a tighter JWT session if this is better for your application security. This can be configured from 5 minutes to 24 hours (1 day). It should be noted that when using the Amazon Cognito HostedUI, the session cookie is cached for a minimum of 1 hour and any access token configured for a shorter time would not be honored through the HostedUI.

You can find explicit details in the Amazon Cognito documentation on User Pool Access Tokens JWTs here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html

AWS
Joe Melfi
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content