Unable to restrict access to AWS API even after calling globalsignout Method using javascript











up vote
0
down vote

favorite












I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.



Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.



if (cognitoUser != null) {
cognitoUser.globalSignOut({
onFailure: e => console.log(e),
onSuccess: r =>
console.log('Logout success: ' + r)
})}


I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.










share|improve this question


























    up vote
    0
    down vote

    favorite












    I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.



    Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.



    if (cognitoUser != null) {
    cognitoUser.globalSignOut({
    onFailure: e => console.log(e),
    onSuccess: r =>
    console.log('Logout success: ' + r)
    })}


    I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.










    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.



      Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.



      if (cognitoUser != null) {
      cognitoUser.globalSignOut({
      onFailure: e => console.log(e),
      onSuccess: r =>
      console.log('Logout success: ' + r)
      })}


      I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.










      share|improve this question













      I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.



      Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.



      if (cognitoUser != null) {
      cognitoUser.globalSignOut({
      onFailure: e => console.log(e),
      onSuccess: r =>
      console.log('Logout success: ' + r)
      })}


      I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.







      javascript amazon-web-services aws-api-gateway amazon-cognito






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 9 at 12:55









      user3816229

      32




      32
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote













          The id token, which API Gateway uses to authenticate API calls, stays valid for a while.



          I would test for the access token. It should expire right after you call global sign out.



          The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote:




          I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.




          aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>



          By setting the ServerSideTokenCheck to true on a Cognito Identity
          Pool, that Identity Pool will check with Cognito User Pools to make
          sure that the user has not been globally signed out or deleted before
          the Identity Pool provides an OIDC token or AWS credentials for the
          user. Now we are running into another issue of this Token being cached
          in API Gateway for 10mins which would let that OID token still be
          active for 10mins even though the User has globally signed out.




          Here's what I mean by test for the accessToken (I have had success with method #2):



          1.) you could develop a custom authorizer for API Gateway;



          2.) you could perform a check at the start of your lambda functions or on your servers, using:



          const AWS = require('aws-sdk');
          const awsConfig = require('./awsConfig');

          const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);

          // accessToken provided from API Gateway

          new Promise((resolve, reject) => {
            cognito.getUser({ accessToken }, (errorCallback, response) => {
              if (errorCallback) {
                reject(errorCallback);
          } else {
               resolve(response);
              }
          });
          });


          The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.






          share|improve this answer























          • Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
            – user3816229
            Nov 12 at 13:13










          • I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
            – twils0
            Nov 12 at 13:43











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53226105%2funable-to-restrict-access-to-aws-api-even-after-calling-globalsignout-method-usi%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote













          The id token, which API Gateway uses to authenticate API calls, stays valid for a while.



          I would test for the access token. It should expire right after you call global sign out.



          The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote:




          I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.




          aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>



          By setting the ServerSideTokenCheck to true on a Cognito Identity
          Pool, that Identity Pool will check with Cognito User Pools to make
          sure that the user has not been globally signed out or deleted before
          the Identity Pool provides an OIDC token or AWS credentials for the
          user. Now we are running into another issue of this Token being cached
          in API Gateway for 10mins which would let that OID token still be
          active for 10mins even though the User has globally signed out.




          Here's what I mean by test for the accessToken (I have had success with method #2):



          1.) you could develop a custom authorizer for API Gateway;



          2.) you could perform a check at the start of your lambda functions or on your servers, using:



          const AWS = require('aws-sdk');
          const awsConfig = require('./awsConfig');

          const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);

          // accessToken provided from API Gateway

          new Promise((resolve, reject) => {
            cognito.getUser({ accessToken }, (errorCallback, response) => {
              if (errorCallback) {
                reject(errorCallback);
          } else {
               resolve(response);
              }
          });
          });


          The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.






          share|improve this answer























          • Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
            – user3816229
            Nov 12 at 13:13










          • I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
            – twils0
            Nov 12 at 13:43















          up vote
          2
          down vote













          The id token, which API Gateway uses to authenticate API calls, stays valid for a while.



          I would test for the access token. It should expire right after you call global sign out.



          The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote:




          I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.




          aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>



          By setting the ServerSideTokenCheck to true on a Cognito Identity
          Pool, that Identity Pool will check with Cognito User Pools to make
          sure that the user has not been globally signed out or deleted before
          the Identity Pool provides an OIDC token or AWS credentials for the
          user. Now we are running into another issue of this Token being cached
          in API Gateway for 10mins which would let that OID token still be
          active for 10mins even though the User has globally signed out.




          Here's what I mean by test for the accessToken (I have had success with method #2):



          1.) you could develop a custom authorizer for API Gateway;



          2.) you could perform a check at the start of your lambda functions or on your servers, using:



          const AWS = require('aws-sdk');
          const awsConfig = require('./awsConfig');

          const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);

          // accessToken provided from API Gateway

          new Promise((resolve, reject) => {
            cognito.getUser({ accessToken }, (errorCallback, response) => {
              if (errorCallback) {
                reject(errorCallback);
          } else {
               resolve(response);
              }
          });
          });


          The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.






          share|improve this answer























          • Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
            – user3816229
            Nov 12 at 13:13










          • I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
            – twils0
            Nov 12 at 13:43













          up vote
          2
          down vote










          up vote
          2
          down vote









          The id token, which API Gateway uses to authenticate API calls, stays valid for a while.



          I would test for the access token. It should expire right after you call global sign out.



          The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote:




          I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.




          aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>



          By setting the ServerSideTokenCheck to true on a Cognito Identity
          Pool, that Identity Pool will check with Cognito User Pools to make
          sure that the user has not been globally signed out or deleted before
          the Identity Pool provides an OIDC token or AWS credentials for the
          user. Now we are running into another issue of this Token being cached
          in API Gateway for 10mins which would let that OID token still be
          active for 10mins even though the User has globally signed out.




          Here's what I mean by test for the accessToken (I have had success with method #2):



          1.) you could develop a custom authorizer for API Gateway;



          2.) you could perform a check at the start of your lambda functions or on your servers, using:



          const AWS = require('aws-sdk');
          const awsConfig = require('./awsConfig');

          const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);

          // accessToken provided from API Gateway

          new Promise((resolve, reject) => {
            cognito.getUser({ accessToken }, (errorCallback, response) => {
              if (errorCallback) {
                reject(errorCallback);
          } else {
               resolve(response);
              }
          });
          });


          The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.






          share|improve this answer














          The id token, which API Gateway uses to authenticate API calls, stays valid for a while.



          I would test for the access token. It should expire right after you call global sign out.



          The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote:




          I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.




          aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>



          By setting the ServerSideTokenCheck to true on a Cognito Identity
          Pool, that Identity Pool will check with Cognito User Pools to make
          sure that the user has not been globally signed out or deleted before
          the Identity Pool provides an OIDC token or AWS credentials for the
          user. Now we are running into another issue of this Token being cached
          in API Gateway for 10mins which would let that OID token still be
          active for 10mins even though the User has globally signed out.




          Here's what I mean by test for the accessToken (I have had success with method #2):



          1.) you could develop a custom authorizer for API Gateway;



          2.) you could perform a check at the start of your lambda functions or on your servers, using:



          const AWS = require('aws-sdk');
          const awsConfig = require('./awsConfig');

          const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);

          // accessToken provided from API Gateway

          new Promise((resolve, reject) => {
            cognito.getUser({ accessToken }, (errorCallback, response) => {
              if (errorCallback) {
                reject(errorCallback);
          } else {
               resolve(response);
              }
          });
          });


          The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 13 at 4:09

























          answered Nov 9 at 13:37









          twils0

          721314




          721314












          • Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
            – user3816229
            Nov 12 at 13:13










          • I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
            – twils0
            Nov 12 at 13:43


















          • Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
            – user3816229
            Nov 12 at 13:13










          • I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
            – twils0
            Nov 12 at 13:43
















          Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
          – user3816229
          Nov 12 at 13:13




          Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
          – user3816229
          Nov 12 at 13:13












          I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
          – twils0
          Nov 12 at 13:43




          I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
          – twils0
          Nov 12 at 13:43


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53226105%2funable-to-restrict-access-to-aws-api-even-after-calling-globalsignout-method-usi%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          這個網誌中的熱門文章

          Xamarin.form Move up view when keyboard appear

          Post-Redirect-Get with Spring WebFlux and Thymeleaf

          Anylogic : not able to use stopDelay()