How do I revoke JWT tokens in Amazon Cognito using the AWS CLI?
I want to revoke JSON Web Tokens (JWTs) that are issued in an Amazon Cognito user pool.
Amazon Cognito refresh tokens expire 30 days after a user signs in to a user pool. You can set the app client refresh token expiration between 60 minutes and 10 years. For more information, see Using the refresh token.
You can also revoke refresh tokens in real time. This makes sure that a revoked refresh token can't generate additional access tokens, and all access tokens that were previously issued from that refresh token are no longer valid.
When you revoke refresh tokens, this has no effect on other refresh tokens that are associated with parallel user sessions.
To revoke a JWT token, refer to the relevant instructions based on your app client.
Run the AWS CLI command admin-initiate-auth to initiate the authentication flow as an administrator. This gives you the ID, access token, and refresh token. This command looks similar to the following:
When you use the revoked refresh token again, the output confirms that it is revoked:
Error: An error occurred (NotAuthorizedException) when calling the AdminInitiateAuth operation: Refresh Token has been revoked
Newly added claims
Two new claims, origin_jti and jti, are added to the access and ID tokens, which increases the size of the tokens in the app client.
The jti claim provides a unique identifier for the JWT. The identifier value must be assigned so that the same value can't be assigned to a different data object. If the app client uses multiple issuers, then use different values to prevent collisions.
Note: The jti claim is optional. For more information, see RFC 7519 on the Internet Engineering Task Force website.
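The following Python script is an added illustration, not code from this article or from Amazon Cognito, of how the jti and origin_jti claims support the revocation behaviour described above: revoking one refresh token invalidates the access tokens derived from it but leaves a parallel session untouched. It is a toy issuer, so the tokens are HS256-signed with a constructed secret (Cognito signs with the user pool's own keys), the refresh token is modelled as a JWT (Cognito refresh tokens are opaque to the client), and the revocation store is an in-memory set. The Session class, revoke_refresh_token, is_valid and demo are assumed names. The one fact it relies on is that origin_jti carries the identifier of the refresh token a session was created from.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo secret for the toy HS256 issuer (assumption: not a Cognito key).
SECRET = b"constructed-demo-secret"

# In-memory revocation store keyed by the refresh token's jti (assumption).
REVOKED_ORIGINS = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(payload: dict) -> str:
    """Encode payload as an HS256 JWT (toy issuer, not Cognito's signing)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode(token: str) -> dict:
    """Verify the HS256 signature and return the claims; raises ValueError on tampering."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


class Session:
    """One sign-in: a refresh token plus the access tokens minted from it."""

    def __init__(self, sub: str, refresh_ttl: int = 30 * 24 * 3600):
        now = int(time.time())
        self.sub = sub
        # The refresh token's jti becomes origin_jti on every token derived from it.
        self.origin_jti = str(uuid.uuid4())
        self.refresh_token = sign({
            "sub": sub, "token_use": "refresh",
            "jti": self.origin_jti, "exp": now + refresh_ttl,
        })

    def access_token(self, ttl: int = 3600) -> str:
        # Each access token gets its own unique jti, and inherits origin_jti.
        return sign({
            "sub": self.sub, "token_use": "access",
            "jti": str(uuid.uuid4()), "origin_jti": self.origin_jti,
            "exp": int(time.time()) + ttl,
        })


def revoke_refresh_token(refresh_token: str) -> None:
    """Revoke a refresh token; everything carrying its jti as origin_jti dies with it."""
    claims = decode(refresh_token)
    if claims.get("token_use") != "refresh":
        raise ValueError("not a refresh token")
    REVOKED_ORIGINS.add(claims["jti"])


def is_valid(token: str) -> bool:
    """Signature, expiry, and revocation check (the last is what signature-only checks miss)."""
    try:
        claims = decode(token)
    except ValueError:
        return False
    if claims["exp"] <= time.time():
        return False
    origin = claims.get("origin_jti", claims.get("jti"))
    return origin not in REVOKED_ORIGINS


def demo() -> dict:
    """Two parallel sessions for one user; revoke only the laptop's refresh token."""
    laptop = Session("alice")
    phone = Session("alice")
    laptop_access = laptop.access_token()
    phone_access = phone.access_token()
    before = (is_valid(laptop_access), is_valid(phone_access))
    revoke_refresh_token(laptop.refresh_token)
    return {
        "before_revoke": before,                              # (True, True)
        "laptop_access_after": is_valid(laptop_access),       # False
        "laptop_refresh_after": is_valid(laptop.refresh_token),  # False
        "phone_access_after": is_valid(phone_access),         # True: parallel session untouched
        "tampered": is_valid(phone_access[:-3] + "abc"),      # False: signature check
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to take from the demo is the last step in is_valid: a verifier that only checks the signature and exp (the decode step) would still accept the laptop's access token after revocation, because nothing about the token itself changed. The lookup on origin_jti is what turns "refresh token revoked" into "its access tokens are rejected", so a resource server that validates tokens locally needs an equivalent revocation check, not signature validation alone.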