
Revoking cognito refresh token on deleting/disabling external IDP user


Our system uses AWS Cognito to authenticate SAML users. Each SAML IDP has its own user pool. When a user logs in using their external IDP email and password, Cognito provides us with an Access Token and a Refresh Token. We rely on the refresh token to generate new access tokens, and it remains valid for 30 days. However, if the external IDP deletes or disables a user, we expect that user to be automatically logged out of our system. Unfortunately, we have observed that even if a user is deleted from their external IDP, our system can still generate new access tokens using their refresh token from Cognito. We have been unable to find any function or webhook from Cognito to detect when a user has been disabled or deleted from their external IDP. Is there a solution to this issue within AWS Cognito that we are unaware of? If not, what might be a potential solution to address this problem?

2 Answers

You can revoke the refresh tokens and all of the access tokens generated by the specified refresh token by enabling token revocation and calling the RevokeToken API.

The following can be used to remove the link between the IDP user and Cognito.

AWS
answered 2 years ago
EXPERT
reviewed 2 years ago
  • The main challenge is getting informed when a user was disabled/deleted from the external IDP. Since we rely on the refresh token AWS Cognito gives us and on AWS Cognito issuing new access tokens with that refresh token, we are unable to know whether that user was deleted from the external IDP; we were expecting AWS Cognito might have some way to communicate with the external IDP before generating a new access token for an external IDP user.

    As Cognito continues giving us new access tokens even when that user was deleted from the external IDP, we expected some kind of check of the user's validity from Cognito's side.

  • I have set up AWS Cognito with an external SAML Single Sign-On (SSO) provider (in my case, Okta and Azure AD), and I have encountered basically the same scenario.

    It appears that even when I manually revoke all of a user's sessions in Okta, AWS Cognito still continues to refresh the user's access/ID tokens. This behavior persists even after the user has been disabled or completely removed in Okta. The user is able to refresh their tokens until the refresh token itself expires.

    My expectation was that after revoking all sessions and/or disabling a user in Okta, that user should immediately lose all access, and their next token refresh would fail.

    Could anyone explain why this might be happening? I know I can manually revoke a user's refresh token through Cognito, but that defeats the purpose of having an external IdP.

    Is there something I'm missing in the setup that would help AWS Cognito recognize when a session has been revoked or a user has been disabled in the SSO provider? Or is this just not currently supported by Cognito?

  • Just ran into this perplexing issue. Manually revoking the refresh token is no solution, and programmatically checking every user every few minutes to see if they've been disabled seems extraordinarily inefficient. I would expect that access tokens should not be issued at all where the user has been disabled by the external IDP, which means I would also expect Cognito to be checking for this. At the moment, the only workaround we can really come up with is to shorten the lifespan of the refresh token. If anyone has any better ideas, I'd love to hear about them!


Does your IDP provide a mechanism to detect/notify on user deletion? That could be a way to set up a workflow to then deactivate the user in Cognito. This could be manual or using services such as Lambda.

AWS
answered 2 years ago
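One shape the Lambda workflow suggested in this answer can take, as an added example that is not part of the thread or of any AWS sample: a deprovisioning hook that resolves the federated user by email and calls the real Cognito admin APIs AdminUserGlobalSignOut (invalidates all refresh tokens issued to the user) and AdminDisableUser. The event format, the `FakeCognitoClient` stand-in and the `USER_POOL_ID` placeholder are assumptions; in production pass `boto3.client("cognito-idp")`.

```python
"""Deprovisioning hook (example code, not from the thread or AWS): when the external IdP
reports a user disabled or deleted, revoke the user's Cognito refresh tokens server-side."""
import json

USER_POOL_ID = "REPLACE_WITH_USER_POOL_ID"  # placeholder, assumption
# Constructed event types for a hypothetical IdP webhook; real IdP payloads differ.
DEPROVISION_EVENTS = {"user.disabled", "user.deleted"}


def find_cognito_usernames(client, pool_id, email):
    """SAML-federated users get provider-prefixed usernames, so resolve by email."""
    if '"' in email:  # the ListUsers filter is a quoted string; refuse to build it
        raise ValueError("invalid email in deprovisioning event")
    resp = client.list_users(UserPoolId=pool_id, Filter=f'email = "{email}"')
    return [u["Username"] for u in resp.get("Users", [])]


def handle_deprovision(event, client, pool_id=USER_POOL_ID):
    """Lambda-style entry point; `client` is boto3.client("cognito-idp") in production."""
    body = json.loads(event["body"]) if isinstance(event.get("body"), str) else event
    if body.get("eventType") not in DEPROVISION_EVENTS:
        return {"action": "ignored", "usernames": []}
    usernames = find_cognito_usernames(client, pool_id, body["user"]["email"])
    for username in usernames:
        # Invalidates every refresh token Cognito issued to this user. Access tokens
        # already handed out stay valid until they expire, so keep that lifetime short.
        client.admin_user_global_sign_out(UserPoolId=pool_id, Username=username)
        # Block new federated sign-ins through this pool until the user is re-enabled.
        client.admin_disable_user(UserPoolId=pool_id, Username=username)
    return {"action": "revoked", "usernames": usernames}


class FakeCognitoClient:
    """Constructed stand-in for boto3's cognito-idp client so the example runs offline."""
    def __init__(self, users_by_email):
        self.users_by_email = users_by_email  # email -> Cognito username
        self.calls = []
    def list_users(self, UserPoolId, Filter):
        email = Filter.split('"')[1]
        return {"Users": [{"Username": u} for e, u in self.users_by_email.items() if e == email]}
    def admin_user_global_sign_out(self, UserPoolId, Username):
        self.calls.append(("AdminUserGlobalSignOut", Username))
    def admin_disable_user(self, UserPoolId, Username):
        self.calls.append(("AdminDisableUser", Username))


if __name__ == "__main__":  # constructed sample run against the fake client
    fake = FakeCognitoClient({"alice@example.com": "Okta_alice@example.com"})
    print(handle_deprovision({"eventType": "user.deleted", "user": {"email": "alice@example.com"}}, fake, "pool"))
```

Already-issued access tokens are not recalled by AdminUserGlobalSignOut, so this only closes the refresh path the question describes; the access-token lifetime bounds the remaining exposure.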
