Unable to restrict access to AWS API even after calling globalsignout Method using javascript
up vote
0
down vote
favorite
I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.
Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.
if (cognitoUser != null) {
cognitoUser.globalSignOut({
onFailure: e => console.log(e),
onSuccess: r =>
console.log('Logout success: ' + r)
})}
I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.
javascript amazon-web-services aws-api-gateway amazon-cognito
add a comment |
up vote
0
down vote
favorite
I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.
Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.
if (cognitoUser != null) {
cognitoUser.globalSignOut({
onFailure: e => console.log(e),
onSuccess: r =>
console.log('Logout success: ' + r)
})}
I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.
javascript amazon-web-services aws-api-gateway amazon-cognito
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.
Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.
if (cognitoUser != null) {
cognitoUser.globalSignOut({
onFailure: e => console.log(e),
onSuccess: r =>
console.log('Logout success: ' + r)
})}
I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.
javascript amazon-web-services aws-api-gateway amazon-cognito
I am using AWS API gateway for API's and cognito UserPool's for security. After Authenticating the user we will get tokens and I am using that token to authorise my API.
Now, I am trying to enable signout to cognito authorised users using javascript. Used the below code.
if (cognitoUser != null) {
cognitoUser.globalSignOut({
onFailure: e => console.log(e),
onSuccess: r =>
console.log('Logout success: ' + r)
})}
I am getting response as success but still I am able to access my API with the previous tokens.Please suggest me how to inactivate all the tokens issued to that cognito user.
javascript amazon-web-services aws-api-gateway amazon-cognito
javascript amazon-web-services aws-api-gateway amazon-cognito
asked Nov 9 at 12:55
user3816229
32
32
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
2
down vote
The id token, which API Gateway uses to authenticate API calls, stays valid for a while.
I would test for the access token. It should expire right after you call global sign out.
The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote:
I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.
aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>
By setting the ServerSideTokenCheck to true on a Cognito Identity
Pool, that Identity Pool will check with Cognito User Pools to make
sure that the user has not been globally signed out or deleted before
the Identity Pool provides an OIDC token or AWS credentials for the
user. Now we are running into another issue of this Token being cached
in API Gateway for 10mins which would let that OID token still be
active for 10mins even though the User has globally signed out.
Here's what I mean by test for the accessToken (I have had success with method #2):
1.) you could develop a custom authorizer for API Gateway;
2.) you could perform a check at the start of your lambda functions or on your servers, using:
const AWS = require('aws-sdk');
const awsConfig = require('./awsConfig');
const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);
// accessToken provided from API Gateway
new Promise((resolve, reject) => {
cognito.getUser({ accessToken }, (errorCallback, response) => {
if (errorCallback) {
reject(errorCallback);
} else {
resolve(response);
}
});
});
The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
Nov 12 at 13:13
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
Nov 12 at 13:43
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53226105%2funable-to-restrict-access-to-aws-api-even-after-calling-globalsignout-method-usi%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
The id token, which API Gateway uses to authenticate API calls, stays valid for a while.
I would test for the access token. It should expire right after you call global sign out.
The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote:
I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.
aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>
By setting the ServerSideTokenCheck to true on a Cognito Identity
Pool, that Identity Pool will check with Cognito User Pools to make
sure that the user has not been globally signed out or deleted before
the Identity Pool provides an OIDC token or AWS credentials for the
user. Now we are running into another issue of this Token being cached
in API Gateway for 10mins which would let that OID token still be
active for 10mins even though the User has globally signed out.
Here's what I mean by test for the accessToken (I have had success with method #2):
1.) you could develop a custom authorizer for API Gateway;
2.) you could perform a check at the start of your lambda functions or on your servers, using:
const AWS = require('aws-sdk');
const awsConfig = require('./awsConfig');
const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);
// accessToken provided from API Gateway
new Promise((resolve, reject) => {
cognito.getUser({ accessToken }, (errorCallback, response) => {
if (errorCallback) {
reject(errorCallback);
} else {
resolve(response);
}
});
});
The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
Nov 12 at 13:13
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
Nov 12 at 13:43
add a comment |
up vote
2
down vote
The id token, which API Gateway uses to authenticate API calls, stays valid for a while.
I would test for the access token. It should expire right after you call global sign out.
The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote:
I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.
aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>
By setting the ServerSideTokenCheck to true on a Cognito Identity
Pool, that Identity Pool will check with Cognito User Pools to make
sure that the user has not been globally signed out or deleted before
the Identity Pool provides an OIDC token or AWS credentials for the
user. Now we are running into another issue of this Token being cached
in API Gateway for 10mins which would let that OID token still be
active for 10mins even though the User has globally signed out.
Here's what I mean by test for the accessToken (I have had success with method #2):
1.) you could develop a custom authorizer for API Gateway;
2.) you could perform a check at the start of your lambda functions or on your servers, using:
const AWS = require('aws-sdk');
const awsConfig = require('./awsConfig');
const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);
// accessToken provided from API Gateway
new Promise((resolve, reject) => {
cognito.getUser({ accessToken }, (errorCallback, response) => {
if (errorCallback) {
reject(errorCallback);
} else {
resolve(response);
}
});
});
The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
Nov 12 at 13:13
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
Nov 12 at 13:43
add a comment |
up vote
2
down vote
up vote
2
down vote
The id token, which API Gateway uses to authenticate API calls, stays valid for a while.
I would test for the access token. It should expire right after you call global sign out.
The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote:
I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.
aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>
By setting the ServerSideTokenCheck to true on a Cognito Identity
Pool, that Identity Pool will check with Cognito User Pools to make
sure that the user has not been globally signed out or deleted before
the Identity Pool provides an OIDC token or AWS credentials for the
user. Now we are running into another issue of this Token being cached
in API Gateway for 10mins which would let that OID token still be
active for 10mins even though the User has globally signed out.
Here's what I mean by test for the accessToken (I have had success with method #2):
1.) you could develop a custom authorizer for API Gateway;
2.) you could perform a check at the start of your lambda functions or on your servers, using:
const AWS = require('aws-sdk');
const awsConfig = require('./awsConfig');
const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);
// accessToken provided from API Gateway
new Promise((resolve, reject) => {
cognito.getUser({ accessToken }, (errorCallback, response) => {
if (errorCallback) {
reject(errorCallback);
} else {
resolve(response);
}
});
});
The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.
The id token, which API Gateway uses to authenticate API calls, stays valid for a while.
I would test for the access token. It should expire right after you call global sign out.
The key word is should above. Please see this issue. It’s an on-going struggle to get AWS to implement an immediate revocation. Here’s a relevant quote:
I worked with AWS Cognito team to get this taken care and got released as a fix through CLI as following.
aws cognito-identity update-identity-pool --identity-pool-id --identity-pool-name --allow-unauthenticated-identities --cognito-identity-providers ProviderName=,ClientId=,ServerSideTokenCheck=<true|false>
By setting the ServerSideTokenCheck to true on a Cognito Identity
Pool, that Identity Pool will check with Cognito User Pools to make
sure that the user has not been globally signed out or deleted before
the Identity Pool provides an OIDC token or AWS credentials for the
user. Now we are running into another issue of this Token being cached
in API Gateway for 10mins which would let that OID token still be
active for 10mins even though the User has globally signed out.
Here's what I mean by test for the accessToken (I have had success with method #2):
1.) you could develop a custom authorizer for API Gateway;
2.) you could perform a check at the start of your lambda functions or on your servers, using:
const AWS = require('aws-sdk');
const awsConfig = require('./awsConfig');
const cognito = new AWS.CognitoIdentityServiceProvider(awsConfig);
// accessToken provided from API Gateway
new Promise((resolve, reject) => {
cognito.getUser({ accessToken }, (errorCallback, response) => {
if (errorCallback) {
reject(errorCallback);
} else {
resolve(response);
}
});
});
The errorCallback and response do not matter. If you get an error, the token is invalid. If you don’t, it’s valid.
edited Nov 13 at 4:09
answered Nov 9 at 13:37
twils0
721314
721314
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
Nov 12 at 13:13
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
Nov 12 at 13:43
add a comment |
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
Nov 12 at 13:13
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
Nov 12 at 13:43
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
Nov 12 at 13:13
Thanks for your response. I changed my configuration in api gateway. So, now i can access API using AccessToken not with Id Token. Now, I called globalsignout method. After that I tested with my previous accesstoken to validate my API. Still my token is not expired. Please let me know where I am doing wrong.
– user3816229
Nov 12 at 13:13
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
Nov 12 at 13:43
I have used method #2 above in a project, and it has worked. I am less familiar with method #1 implementations. As a test, if possible, I would see if method #2 works on a Lambda function, or on your server. If so, I’ll change my answer. I would just got for method #2. There is a known issue with a delay in access token revocation. I’ll post in my answer above.
– twils0
Nov 12 at 13:43
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53226105%2funable-to-restrict-access-to-aws-api-even-after-calling-globalsignout-method-usi%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown