Hi,
Currently it is not possible to revoke an access token that is issued using client-credentials flow.
In a token-based authentication system like Cognito, tokens are considered valid as long as they have a valid signature and they haven't expired. When these tokens are passed for authorization to a back-end (like API Gateway), they are validated remotely by verifying their signature and validity; this remote verification doesn't involve any calls to the issuer of the token (Cognito). Revoking a token on the authentication server will not invalidate the already issued token, and back-end systems that verify this token remotely will continue to accept it.
In your case, if you want to deny access to a token before it expires, you will need to maintain a deny-list table (in DynamoDB, for example). When you want to deny access to a token, you store its unique identifier (the jti claim) in this table, and you check this table during authorization to make sure the token hasn't been denied access.
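The deny-list approach described in the answer above, as an added example that is not part of the original post or of any AWS code. It assumes an in-memory dict standing in for the DynamoDB table (the token's exp is stored alongside the jti, which is what you would put in the table's TTL attribute so revoked entries expire on their own), and it signs tokens with a constructed HS256 key so the example runs offline; a real authorizer would verify Cognito's RS256 signature against the user pool's JWKS instead. All function names (`mint_token`, `verify_token`, `revoke`, `authorize`, `purge_expired`) are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the DynamoDB deny-list table: jti -> token exp (epoch).
# In DynamoDB the exp value would be the item's TTL attribute, so revoked entries
# are evicted automatically once the token would have expired on its own.
DENY_LIST = {}

SECRET = b"constructed-demo-secret"  # stand-in for the issuer's signing key


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def mint_token(claims, secret=SECRET):
    """Constructed HS256 signer standing in for the issuer (Cognito itself uses RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, secret=SECRET, now=None):
    """Local verification only: signature and expiry, no call to the issuer.
    Returns the claims or raises ValueError. This is exactly the check that
    keeps accepting a token after it was 'revoked' at the issuer."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if "jti" not in claims:
        raise ValueError("token has no jti; cannot be deny-listed")
    return claims


def revoke(jti, exp):
    """Deny-list a token by its jti; exp becomes the item's TTL."""
    DENY_LIST[jti] = exp


def is_revoked(jti, now=None):
    now = time.time() if now is None else now
    exp = DENY_LIST.get(jti)
    return exp is not None and now < exp


def purge_expired(now=None):
    """What DynamoDB TTL does for you: drop entries whose token has expired anyway."""
    now = time.time() if now is None else now
    for jti in [j for j, exp in DENY_LIST.items() if now >= exp]:
        del DENY_LIST[jti]


def authorize(token, secret=SECRET, now=None):
    """Authorizer decision as ("Allow" | "Deny", reason). Signature and expiry
    are checked first; the deny-list lookup is the extra step that lets you
    cut off a client-credentials token before it expires."""
    try:
        claims = verify_token(token, secret, now)
    except ValueError as err:
        return "Deny", str(err)
    if is_revoked(claims["jti"], now):
        return "Deny", "token revoked"
    return "Allow", claims["jti"]


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock so the run is reproducible
    tok = mint_token({"sub": "client-a", "jti": "t1", "exp": now + 3600})
    print(authorize(tok, now=now))        # allowed: valid signature, not expired
    revoke("t1", now + 3600)
    print(verify_token(tok, now=now)["jti"])  # signature alone still verifies
    print(authorize(tok, now=now))        # denied only because of the deny-list
```

The lookup key is the jti rather than the whole token so the table stays small and the lookup is a single GetItem; if the issuer's tokens ever lacked a jti, `verify_token` refuses them rather than silently skipping the deny-list check.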