Access Cognito User From Different Region

0

I have an existing API in us-east-2 saving to a us-east-2 Cognito Pool. I migrated the API and we're now on us-east-1. I have noticed the following:

  1. Old API can still create/login new/existing users fine.
  2. New API can only create new users and login those users. Cannot login with existing users due to: An error occurred (NotAuthorizedException) when calling the GetUser operation: Access Token has been revoked
  3. Old API can login with users created with new API.
  4. New and old API are saving users to the same Cognito pool

I'm confused why the old API on us-east-2 can access the users created by the new API on us-east-1 but the inverse fails. Also, why the new API can create/login new users without an issue, but can't do that with existing users?

Just looking to confirm my issue is region-specific or something else?

Joe
asked 3 months ago, 132 views
1 Answer
1

Verify that the API is using the correct region-specific endpoint for Cognito. Each AWS region has its own endpoint, and if your API is pointing to the wrong regional endpoint, it could cause authorization issues. The error message "Access Token has been revoked" indicates an issue with token management. Investigate how tokens are being handled and revoked in your system. There might be a discrepancy in how tokens are being managed between the two APIs. Check if there are any lifecycle events or triggers in your Cognito setup that might be revoking tokens unexpectedly when accessed from the new region.

Jagan
answered 3 months ago
  • I cloned my API into us-east-2 and I'm still having the same problems.
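The region and token checks suggested in the answer above, as an added example that is not part of the original thread: it decodes a Cognito access token's claims and compares them with the region, user pool ID and app client ID the API is configured with. The function names, the pool ID `us-east-2_EXAMPLE01`, the client ID and the sample token are constructed for illustration.

```python
import base64
import json
import time

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, client_region, pool_id, app_client_id, now=None):
    """Return the mismatches between a token and the API's Cognito settings."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    findings = []
    # A user pool ID has the form <region>_<suffix>; the pool lives in that region.
    pool_region = pool_id.split("_", 1)[0]
    if client_region != pool_region:
        findings.append(f"client region {client_region} != pool region {pool_region}")
    expected_iss = f"https://cognito-idp.{pool_region}.amazonaws.com/{pool_id}"
    if claims.get("iss") != expected_iss:
        findings.append(f"iss {claims.get('iss')} != {expected_iss}")
    if claims.get("token_use") != "access":
        findings.append(f"token_use is {claims.get('token_use')}; GetUser needs an access token")
    if claims.get("client_id") != app_client_id:
        findings.append(f"client_id {claims.get('client_id')} != {app_client_id}")
    if claims.get("exp", 0) <= now:
        findings.append("token has expired")
    return findings

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed-signature"

SAMPLE_TOKEN = make_sample_token({  # constructed sample, not a real token
    "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_EXAMPLE01",
    "client_id": "exampleclientid", "token_use": "access", "exp": 2000,
})

if __name__ == "__main__":
    # The migrated API is configured for us-east-1 while the pool is in us-east-2.
    for line in diagnose(SAMPLE_TOKEN, "us-east-1", "us-east-2_EXAMPLE01",
                         "exampleclientid", now=1000):
        print(line)
```

An empty result means the token and the configuration agree, so the revocation was recorded on the Cognito side (for example by a global sign-out or a token revocation call) and has to be traced there rather than in the endpoint settings.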
