2 Answers
0
You can revoke the refresh tokens and all of the access tokens generated by the specified refresh token by enabling token revocation and calling the RevokeToken API.
The following can be used to remove the link between the IDP user and Cognito
answered 2 years ago
0
Does your IDP provide a mechanism to detect/notify on user deletion? That could be a way to setup a workflow to then deactivate the user in Cognito. This could be manual or using services such as Lambda.
answered 2 years ago
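The push-based workflow suggested in this answer, written out as an added example (not code from the thread or from AWS): the external IdP calls a webhook when it deactivates or deletes a user, and a Lambda-style handler disables the matching Cognito user and invalidates their refresh tokens, so the next refresh fails instead of succeeding until the refresh token expires. The webhook body shape, the `X-Webhook-Secret` header, the `WEBHOOK_SECRET` / `USER_POOL_ID` / `IDP_PROVIDER_NAME` environment variables and the `<ProviderName>_<subject>` username convention are all assumptions.

```python
import hmac
import json
import os
from typing import Any, Dict, List


def cognito_username(provider_name: str, idp_subject: str) -> str:
    # Cognito names federated users "<ProviderName>_<subject>" (assumed here
    # to match how the pool's IdP was configured).
    return f"{provider_name}_{idp_subject}"


def deactivate_user(client: Any, user_pool_id: str, username: str) -> Dict[str, str]:
    # AdminDisableUser blocks new sign-ins; AdminUserGlobalSignOut invalidates
    # every refresh token Cognito issued to the user, which is what stops the
    # silent token refresh the thread describes.
    client.admin_disable_user(UserPoolId=user_pool_id, Username=username)
    client.admin_user_global_sign_out(UserPoolId=user_pool_id, Username=username)
    return {"username": username, "status": "deactivated"}


def handle_idp_event(body: Dict[str, Any], client: Any, user_pool_id: str,
                     provider_name: str) -> List[Dict[str, str]]:
    # Constructed webhook body shape: {"events": [{"type": ..., "subject": ...}]}.
    # Only deactivation/deletion events trigger action; other types are ignored.
    results: List[Dict[str, str]] = []
    for item in body.get("events", []):
        if item.get("type") not in ("user.deactivated", "user.deleted"):
            continue
        username = cognito_username(provider_name, item["subject"])
        results.append(deactivate_user(client, user_pool_id, username))
    return results


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    # Entry point when deployed behind an API Gateway webhook. The shared
    # secret header is a hypothetical way to ensure only the IdP can call it.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    if not hmac.compare_digest(headers.get("x-webhook-secret", ""),
                               os.environ["WEBHOOK_SECRET"]):
        return {"statusCode": 403, "body": "forbidden"}
    import boto3  # imported lazily so the functions above run offline in tests
    client = boto3.client("cognito-idp")
    results = handle_idp_event(
        json.loads(event.get("body") or "{}"),
        client,
        os.environ["USER_POOL_ID"],
        os.environ["IDP_PROVIDER_NAME"],
    )
    return {"statusCode": 200, "body": json.dumps(results)}
```

Shortening the refresh token lifetime, as mentioned later in the thread, still limits how long a missed or delayed event leaves a deprovisioned user with a working refresh token.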
The main challenge is getting informed when a user was disabled/deleted from the external IDP. As we're relying on AWS Cognito's refresh token, and on AWS Cognito giving us new access tokens with that refresh token, we are unable to know if that user was deleted from the external IDP. We were expecting AWS Cognito might have some way to communicate with the external IDP before generating a new access token for an external IDP user.
As Cognito continues giving us new access tokens even when that user was deleted from the external IDP, we expected some kind of check of the user's validity on Cognito's side.
I have set up AWS Cognito with an external SAML Single Sign-On (SSO) provider (in my case, Okta and Azure AD), and I have encountered basically the same scenario.
It appears that even when I manually revoke all of a user's sessions in Okta, AWS Cognito still continues to refresh the user's access/ID tokens. This behavior persists even after the user has been disabled or completely removed in Okta. The user is able to refresh their tokens until the refresh token itself expires.
My expectation was that after revoking all sessions and/or disabling a user in Okta, that user should immediately lose all access, and their next token refresh would fail.
Could anyone explain why this might be happening? I know I can manually revoke a user's refresh token through Cognito, but that defeats the purpose of having an external IdP.
Is there something I'm missing in the setup that would help AWS Cognito recognize when a session has been revoked or a user has been disabled in the SSO provider? Or is this just not currently supported by Cognito?
Just ran into this perplexing issue. Manually revoking the refresh token is no solution, and programmatically checking every user every few minutes to see if they've been disabled seems extraordinarily inefficient. I would expect that access tokens should not be issued at all where the user has been disabled by the external IDP, which means I would also expect Cognito to be checking for this. At the moment the only workaround we can really come up with is to shorten the lifespan of the refresh token. If anyone has any better ideas, I'd love to hear about them!