are federated IDPs consulted on token refresh via cognito user pools?

As I understand it, when a user logs into a cognito user pool via federated IDP, the access token and refresh tokens are managed exclusively by cognito, so I can integrate with a single IDP and let cognito handle any details of the federated auth. This is exactly what I want, but I'm wondering if cognito is managing any corresponding refresh token for the federated IDP and checking in when a corresponding cognito token is refreshed. I'd like to be able to ensure that if the federated authentication is no longer valid then the cognito refresh will fail and wondering if cognito manages any of this automatically or if I need to integrate with the federated IDP and invalidate the corresponding user myself.

トピック

セキュリティ、アイデンティティ、コンプライアンス

タグ

Amazon Cognito ユーザープール

言語

English

emattheis

質問済み 2年前1005ビュー

1回答

新しい順
投票が多い順
コメントが多い順

これらの回答は役に立ちましたか？コミュニティがあなたの知識を活用できるように、正解に賛成票を投じてください。

承認された回答

Hi,

Cognito doesn't validate with external IdP during refresh token flow, if the refresh token that is issued by Cognito is still valid, end-user can continue to get new access and id tokens from Cognito without needing to re-authenticate with the external IdP.

If you have a use-case that requires validation with external IdP then I'd recommend using a short-lived refresh token (1 hour is the shortest TTL for refresh token) and this will force sign-in when token expires.

エキスパート

Mahmoud Matouk

回答済み 2年前

エキスパート

Giovanni Lauria

レビュー済み 1ヶ月前

emattheis
2年前
Thanks! That's what I assumed. In my case, I'd like to keep the long-lived refresh tokens for user convenience so I'm looking at ways to know if a federated identity has changed. Apple and Google both have some options:

https://developer.apple.com/documentation/sign_in_with_apple/processing_changes_for_sign_in_with_apple_accounts https://developers.google.com/identity/protocols/risc

are federated IDPs consulted on token refresh via cognito user pools?

関連するコンテンツ