1 answer
Thank you for bringing this important issue to our attention. You're correct that silently re-authenticating a user without requiring validation from the identity provider could lead to security vulnerabilities.
A few things to note here:
- Google Workspace does not support SAML SLO, so Cognito's `/logout` endpoint alone cannot fully sign the user out across both systems. [1]
- When a user logs out of Cognito, it only clears the session cookie, but ID tokens remain valid until expiration.
- Your solution of calling `/oauth2/revoke` before logout is a good workaround, as it invalidates refresh tokens stored in Cognito.
A few other things:
- Consider calling `/oauth2/revoke` on frontend logout in addition to backend calls.
- Set short ID token expiration times (e.g. 5 minutes) to reduce the risk window if tokens are stolen.
- Add MFA for high-security applications to prevent token reuse even if stolen.
- Redirect to the identity provider's logout page in addition to Cognito logout.
Docs
[1]: SAML sign-out flow
answered 2 months ago
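One way to wire the revoke-then-logout sequence from the answer above into a front-end sign-out handler, as an added example that is not part of the original thread or any AWS sample. The hosted-UI domain, app client id and sign-out URL are placeholders for your own; the storage, fetch and navigate hooks are passed in so the logic can be exercised outside a browser.

```javascript
// Added example: revoke the Cognito refresh token, drop local tokens, then
// send the browser through Cognito's /logout. Domain, client id and URLs
// below are placeholders, not values from the thread.

// Build the POST to Cognito's /oauth2/revoke endpoint. Public app clients
// send client_id in the form body; clients with a secret authenticate with
// HTTP Basic (client_id:client_secret) instead.
function buildRevokeRequest(cognitoDomain, clientId, refreshToken, clientSecret) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  const body = new URLSearchParams({ token: refreshToken });
  if (clientSecret) {
    headers.Authorization = "Basic " + btoa(`${clientId}:${clientSecret}`);
  } else {
    body.set("client_id", clientId);
  }
  return { url: `${cognitoDomain}/oauth2/revoke`, method: "POST", headers, body: body.toString() };
}

// Build the hosted-UI /logout URL. logout_uri must be one of the app
// client's registered sign-out URLs or Cognito rejects the request.
function buildLogoutUrl(cognitoDomain, clientId, logoutUri) {
  const url = new URL(`${cognitoDomain}/logout`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("logout_uri", logoutUri);
  return url.toString();
}

// Full sign-out: revoke first (so a failure is visible before the Cognito
// session cookie goes away), wipe local copies, then redirect. The page at
// appLogoutUri should itself forward the browser to the IdP's sign-out page,
// since Google Workspace offers no SAML SLO for Cognito to drive.
// Resolves to true when Cognito acknowledged the revocation.
async function signOut(cfg, io) {
  const { cognitoDomain, clientId, clientSecret, appLogoutUri } = cfg;
  const { storage, fetchImpl, navigate } = io;
  let revoked = false;
  const refreshToken = storage.getItem("refresh_token");
  if (refreshToken) {
    const req = buildRevokeRequest(cognitoDomain, clientId, refreshToken, clientSecret);
    const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
    revoked = res.ok; // Cognito answers 200 with an empty body on success
  }
  // A stale ID token left in storage is exactly the reuse risk discussed above.
  ["id_token", "access_token", "refresh_token"].forEach((k) => storage.removeItem(k));
  navigate(buildLogoutUrl(cognitoDomain, clientId, appLogoutUri));
  return revoked;
}
```

In a browser, pass `{ storage: sessionStorage, fetchImpl: fetch, navigate: (u) => window.location.assign(u) }` as `io`.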
Thanks Ibrahim. So it sounds like this ID token that persists in Cognito is probably the issue; it's avoiding re-authenticating with the IdP on `/login` because that token persists. Is that a good, secure design decision? Can we perhaps add a configuration option to AWS Cognito to revoke this ID token on logout? While my work-around is sufficient for the moment, I'd feel better if there wasn't the possibility for someone to pick up a user's session after `/logout` without them having to authenticate.