Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

are federated IDPs consulted on token refresh via cognito user pools?

0

As I understand it, when a user logs into a cognito user pool via federated IDP, the access token and refresh tokens are managed exclusively by cognito, so I can integrate with a single IDP and let cognito handle any details of the federated auth. This is exactly what I want, but I'm wondering if cognito is managing any corresponding refresh token for the federated IDP and checking in when a corresponding cognito token is refreshed. I'd like to be able to ensure that if the federated authentication is no longer valid then the cognito refresh will fail and wondering if cognito manages any of this automatically or if I need to integrate with the federated IDP and invalidate the corresponding user myself.

Themen
Sicherheit, Identität & Konformität
Tags
Amazon Cognito-Benutzergruppen
Sprache
English
emattheis
gefragt vor 2 Jahren1006 Aufrufe
1 Antwort
0
Akzeptierte Antwort

Hi,

Cognito doesn't validate with external IdP during refresh token flow, if the refresh token that is issued by Cognito is still valid, end-user can continue to get new access and id tokens from Cognito without needing to re-authenticate with the external IdP.

If you have a use-case that requires validation with external IdP then I'd recommend using a short-lived refresh token (1 hour is the shortest TTL for refresh token) and this will force sign-in when token expires.

AWS
EXPERTE
Mahmoud Matouk
beantwortet vor 2 Jahren
profile picture
EXPERTE
Giovanni Lauria
überprüft vor einem Monat

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt