aws cognito invalidate token on logout

I wasn't able to find clarity on the question, but I know JWT tokens are self-contained with their own expiration. Typically, a blacklist could contain "expired" tokens and prevent access to a route if the token is listed there.

I wanted to know whether, if using AWS Cognito and calling the logout endpoint, that actually blacklists the JWT token on the AWS side. There is an access token and a refresh token, so do both get invalidated, or could a user still log in with the token until the expiration time in the token is reached?

No, it does not. Calling the LogOut endpoint will invalidate any session you had with the Hosted UI / OAuth endpoints.

Another option is to call globalSignOut [1], and this will invalidate all of the user's access and refresh tokens (being used against the Cognito API).

However, the JWT tokens are still valid and, as you mentioned, are self-contained. There is no built-in blacklisting of tokens that your own servers could check in a scalable fashion. This is something you would need to implement yourself if desired.

[1] https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GlobalSignOut.html
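The self-implemented revocation check the answer describes, as an added example that is not part of the original post or of any AWS library. It assumes the token's signature, issuer and audience have already been verified by a JWT library, and uses the standard `sub`, `jti`, `iat`, `exp` and `token_use` claims Cognito places in access tokens; the in-memory store stands in for a shared cache (for example Redis with TTLs equal to the token lifetime).

```python
import time


class TokenDenylist:
    """Server-side revocation store (hypothetical, in-memory for illustration).

    Cognito's GlobalSignOut revokes refresh tokens on the Cognito side, but an
    already-issued access token stays valid until `exp`. An API that needs
    logout to take effect immediately keeps its own record, as below.
    """

    def __init__(self):
        self._signed_out_at = {}   # sub -> unix time of the user's global sign-out
        self._revoked_jti = set()  # individual token ids revoked (single-device logout)

    def revoke_all_for_user(self, sub, when):
        # Mirror GlobalSignOut for our own API: every token issued to this
        # user before `when` is no longer accepted. Never move the cutoff back.
        self._signed_out_at[sub] = max(when, self._signed_out_at.get(sub, 0))

    def revoke_token(self, jti):
        self._revoked_jti.add(jti)

    def is_revoked(self, claims):
        if claims.get("jti") in self._revoked_jti:
            return True
        cutoff = self._signed_out_at.get(claims.get("sub"))
        # Tokens minted after the sign-out (a fresh login) remain acceptable.
        return cutoff is not None and claims.get("iat", 0) < cutoff


def check_access_token(claims, denylist, now=None, leeway=30):
    """Return (accepted, reason) for an already signature-verified access token.

    `leeway` (seconds) absorbs clock skew between Cognito and this server.
    """
    now = time.time() if now is None else now
    if claims.get("token_use") != "access":
        return False, "not an access token"      # reject ID tokens used as bearer tokens
    if claims.get("exp", 0) <= now - leeway:
        return False, "expired"
    if denylist.is_revoked(claims):
        return False, "revoked"
    return True, "ok"
```

On logout, the API calls `revoke_all_for_user(sub, now)` alongside Cognito's globalSignOut so that the outstanding access token is refused on the very next request, while entries can be dropped once the longest-lived token issued before the cutoff has expired.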
