Unable to restrict access to AWS API even after calling globalsignout Method using javascript
up vote
0
down vote
favorite
I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.
Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.
if (cognitoUser != null)
cognitoUser.globalSignOut(
onFailure: e => console.log(e),
onSuccess: r =>
console.log('Logout success: ' + r)
)
I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.
javascript amazon-web-services aws-api-gateway amazon-cognito
asked Nov 9 at 12:55
user3816229
32
add a comment |
up vote
0
down vote
favorite
I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.
Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.
if (cognitoUser != null)
cognitoUser.globalSignOut(
onFailure: e => console.log(e),
onSuccess: r =>
console.log('Logout success: ' + r)
)
I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.
javascript amazon-web-services aws-api-gateway amazon-cognito
asked Nov 9 at 12:55
user3816229
32
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.
Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.
if (cognitoUser != null)
cognitoUser.globalSignOut(
onFailure: e => console.log(e),
onSuccess: r =>
console.log('Logout success: ' + r)
)
I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.
javascript amazon-web-services aws-api-gateway amazon-cognito
asked Nov 9 at 12:55
user3816229
32
I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.
Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.
if (cognitoUser != null)
cognitoUser.globalSignOut(
onFailure: e => console.log(e),
onSuccess: r =>
console.log('Logout success: ' + r)
)
I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.
javascript amazon-web-services aws-api-gateway amazon-cognito
javascript amazon-web-services aws-api-gateway amazon-cognito
asked Nov 9 at 12:55
user3816229
32
asked Nov 9 at 12:55
user3816229
32
asked Nov 9 at 12:55
user3816229
32
asked Nov 9 at 12:55
user3816229
32
asked Nov 9 at 12:55
user3816229
32
32
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
2
down vote
The id token, which API Gateway uses to authenticate API calls, stays valid for a while.
I would test for the access token. It should expire right after you call global sign out.
The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote from lalithvaka on this issue:
I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.
aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>
By setting the ServerSideTokenCheck to true on a Cognito Identity
Pool, that Identity Pool will check with Cognito User Pools to make
sure that the user has not been globally signed out or deleted before
the Identity Pool provides an OIDC token or AWS credentials for the
user. Now we are running into another issue of this Token being cached
in API Gateway for 10mins which would let that OID token still be
active for 10mins even though the User has globally signed out.
Here's what I mean by test for the accessToken (I have had success with method #2):
1.) you could develop a custom authorizer for API Gateway;
2.) you could perform a check at the start of your lambda functions or on your servers, using:
const AWS = require('aws-sdk');
const awsConfig = require('./awsConfig');
const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);
// accessToken provided from API Gateway
new Promise((resolve, reject) =>
cognito.getUser( accessToken , (errorCallback, response) =>
if (errorCallback)
reject(errorCallback);
else
resolve(response);
);
);
The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.
answered Nov 9 at 13:37
twils0
701314
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
9 hours ago
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
9 hours ago
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
The id token, which API Gateway uses to authenticate API calls, stays valid for a while.
I would test for the access token. It should expire right after you call global sign out.
The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote from lalithvaka on this issue:
I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.
aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>
By setting the ServerSideTokenCheck to true on a Cognito Identity
Pool, that Identity Pool will check with Cognito User Pools to make
sure that the user has not been globally signed out or deleted before
the Identity Pool provides an OIDC token or AWS credentials for the
user. Now we are running into another issue of this Token being cached
in API Gateway for 10mins which would let that OID token still be
active for 10mins even though the User has globally signed out.
Here's what I mean by test for the accessToken (I have had success with method #2):
1.) you could develop a custom authorizer for API Gateway;
2.) you could perform a check at the start of your lambda functions or on your servers, using:
const AWS = require('aws-sdk');
const awsConfig = require('./awsConfig');
const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);
// accessToken provided from API Gateway
new Promise((resolve, reject) =>
cognito.getUser( accessToken , (errorCallback, response) =>
if (errorCallback)
reject(errorCallback);
else
resolve(response);
);
);
The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.
answered Nov 9 at 13:37
twils0
701314
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
9 hours ago
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
9 hours ago
add a comment |
up vote
2
down vote
The id token, which API Gateway uses to authenticate API calls, stays valid for a while.
I would test for the access token. It should expire right after you call global sign out.
The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote from lalithvaka on this issue:
I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.
aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>
By setting the ServerSideTokenCheck to true on a Cognito Identity
Pool, that Identity Pool will check with Cognito User Pools to make
sure that the user has not been globally signed out or deleted before
the Identity Pool provides an OIDC token or AWS credentials for the
user. Now we are running into another issue of this Token being cached
in API Gateway for 10mins which would let that OID token still be
active for 10mins even though the User has globally signed out.
Here's what I mean by test for the accessToken (I have had success with method #2):
1.) you could develop a custom authorizer for API Gateway;
2.) you could perform a check at the start of your lambda functions or on your servers, using:
const AWS = require('aws-sdk');
const awsConfig = require('./awsConfig');
const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);
// accessToken provided from API Gateway
new Promise((resolve, reject) =>
cognito.getUser( accessToken , (errorCallback, response) =>
if (errorCallback)
reject(errorCallback);
else
resolve(response);
);
);
The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.
answered Nov 9 at 13:37
twils0
701314
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
9 hours ago
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
9 hours ago
add a comment |
up vote
2
down vote
up vote
2
down vote
The id token, which API Gateway uses to authenticate API calls, stays valid for a while.
I would test for the access token. It should expire right after you call global sign out.
The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote from lalithvaka on this issue:
I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.
aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>
By setting the ServerSideTokenCheck to true on a Cognito Identity
Pool, that Identity Pool will check with Cognito User Pools to make
sure that the user has not been globally signed out or deleted before
the Identity Pool provides an OIDC token or AWS credentials for the
user. Now we are running into another issue of this Token being cached
in API Gateway for 10mins which would let that OID token still be
active for 10mins even though the User has globally signed out.
Here's what I mean by test for the accessToken (I have had success with method #2):
1.) you could develop a custom authorizer for API Gateway;
2.) you could perform a check at the start of your lambda functions or on your servers, using:
const AWS = require('aws-sdk');
const awsConfig = require('./awsConfig');
const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);
// accessToken provided from API Gateway
new Promise((resolve, reject) =>
cognito.getUser( accessToken , (errorCallback, response) =>
if (errorCallback)
reject(errorCallback);
else
resolve(response);
);
);
The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.
answered Nov 9 at 13:37
twils0
701314
The id token, which API Gateway uses to authenticate API calls, stays valid for a while.
I would test for the access token. It should expire right after you call global sign out.
The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote from lalithvaka on this issue:
I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.
aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>
By setting the ServerSideTokenCheck to true on a Cognito Identity
Pool, that Identity Pool will check with Cognito User Pools to make
sure that the user has not been globally signed out or deleted before
the Identity Pool provides an OIDC token or AWS credentials for the
user. Now we are running into another issue of this Token being cached
in API Gateway for 10mins which would let that OID token still be
active for 10mins even though the User has globally signed out.
Here's what I mean by test for the accessToken (I have had success with method #2):
1.) you could develop a custom authorizer for API Gateway;
2.) you could perform a check at the start of your lambda functions or on your servers, using:
const AWS = require('aws-sdk');
const awsConfig = require('./awsConfig');
const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);
// accessToken provided from API Gateway
new Promise((resolve, reject) =>
cognito.getUser( accessToken , (errorCallback, response) =>
if (errorCallback)
reject(errorCallback);
else
resolve(response);
);
);
The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.
answered Nov 9 at 13:37
twils0
701314
edited 9 hours ago
answered Nov 9 at 13:37
twils0
701314
answered Nov 9 at 13:37
twils0
701314
answered Nov 9 at 13:37
twils0
701314
701314
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
9 hours ago
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
9 hours ago
add a comment |
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
9 hours ago
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
9 hours ago
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
9 hours ago
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
9 hours ago
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
9 hours ago
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
9 hours ago
add a comment |
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53226105%2funable-to-restrict-access-to-aws-api-even-after-calling-globalsignout-method-usi%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password