Cognito: Make auth tokens validity dependent on user's activity

In our web app we use Cognito for user authentication, specifically a User Pool Client with the Amplify JavaScript client.

We would like to make sure that as soon as the user is inactive for let's say more than two hours, they get logged out automatically (token should expire).

By "user activity" I mean "the front-end making requests to the backend". I'm aware that in a case where the user is actively using the application but the front-end doesn't make requests to the backend, there is no chance for the backend to detect that the user is "active" - hence I'll take care that some communication will happen in such a case to fulfill this definition of activity.

While we could implement this in the front-end, this doesn't feel right from a security perspective. The mechanism should be implemented in the backend.

But I don't see an option in the Cognito User Pool Client token validity settings which can be used to implement this mechanism. If I set the refresh token validity to 2 hours, this would also mean that when the user is active for 2 hours, they will also be logged out (token gets invalid).

This sounds like a very common feature.

What is the recommended way to implement this with AWS Cognito? Is there even some built-in approach which I am overlooking?

asked 2 years ago, 212 views
1 Answer
Hi there,

I understand that you would like to implement an automatic logout trigger due to user inactivity.

While there is no direct way to do this in Cognito, you can trigger that response through an API call passed into Cognito once the user hits the inactivity time limit. Doing this will revoke the user's refresh token which will cause the user to sign in again.

More information on revoking refresh tokens can be found below: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html

You can use the following Cognito User Pools API operation: AdminUserGlobalSignOut.

AdminUserGlobalSignOut can sign out any user in the user pool. It must be called by the administrator application with AWS developer credentials. More information about this API call can be found here: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUserGlobalSignOut.html

You can use a Lambda function to keep track of user inactivity. When the API operation is called, you can redirect them to the Logout endpoint where Cognito will clear the session cookie. This prevents the user from reauthenticating with the same cookie. Once the cookie has been cleared, the user must reauthenticate for a new token.

To do this:

  1. Create the Lambda function. You can check out this GitHub issue for assistance: https://github.com/aws-amplify/amplify-js/issues/2384
  2. In the Amazon Cognito console, choose your user pool.
  3. Choose "Add a Lambda trigger". Keep in mind that you will need to Modify IAM credentials to authorize the requests (don't forget to grant yourself the IAM permission in a policy as well).
  4. In the Category section, find Post Authentication and select "Assign Lambda function". More information about Post Authentication can be found here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html
  5. Find the function name and click "Save Changes".

Additional information on this process can be found here: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

Hope this helps!

AWS
answered 7 months ago
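The following is an added example, not code from the thread above or from AWS. It shows the backend side of the approach the answer sketches: every authenticated request refreshes a per-user "last seen" timestamp, and once the gap exceeds the two-hour limit from the question the backend revokes the user's refresh tokens (via AdminUserGlobalSignOut, wrapped in a small boto3 helper that is only imported when used) and rejects the request. Two things a practitioner needs that the answer does not spell out: the in-memory dict used here stands in for a shared store such as DynamoDB (assumed; any store works), and a global sign-out invalidates refresh tokens only, so access and ID tokens issued earlier remain cryptographically valid until they expire. The example therefore also records the revocation time and rejects any token whose `iat` claim predates it, so the sign-out takes effect immediately at the API rather than after the access-token lifetime. `InactivityGuard`, `on_request` and `demo` are names chosen for this example.

```python
"""Backend-enforced inactivity timeout for Amazon Cognito sessions.

Added example: not from the re:Post thread or AWS documentation.
The per-user state is an in-memory dict here; a real deployment would keep
it in a shared store (e.g. DynamoDB with a TTL) so every API/Lambda
instance sees the same "last seen" and "revoked at" values.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict

IDLE_LIMIT_SECONDS = 2 * 60 * 60  # two hours, the threshold from the question


def cognito_revoker(user_pool_id: str) -> Callable[[str], None]:
    """Return a revoke callable backed by the real AdminUserGlobalSignOut call.

    boto3 is imported lazily so the rest of this module runs offline. The
    caller's IAM identity needs cognito-idp:AdminUserGlobalSignOut.
    """
    import boto3  # only needed when talking to a real user pool

    client = boto3.client("cognito-idp")

    def revoke(username: str) -> None:
        client.admin_user_global_sign_out(UserPoolId=user_pool_id, Username=username)

    return revoke


@dataclass
class InactivityGuard:
    """Sliding inactivity window evaluated on the backend request path."""

    revoke: Callable[[str], None]           # e.g. cognito_revoker("eu-west-1_example")
    idle_limit: int = IDLE_LIMIT_SECONDS
    last_seen: Dict[str, float] = field(default_factory=dict)   # username -> epoch seconds
    revoked_at: Dict[str, int] = field(default_factory=dict)    # username -> epoch seconds

    def on_request(self, username: str, token_iat: int, now: float) -> bool:
        """Call once per authenticated request, after the JWT signature check.

        token_iat is the access token's `iat` claim. Returns True if the
        request may proceed; False means the caller should answer 401.
        """
        cutoff = self.revoked_at.get(username)
        if cutoff is not None and token_iat <= cutoff:
            # Tokens minted before (or in the same second as) the sign-out are
            # still valid JWTs until they expire; refuse them here so the
            # revocation bites immediately instead of after the token lifetime.
            return False

        previous = self.last_seen.get(username)
        if previous is not None and now - previous > self.idle_limit:
            # Idle too long: invalidate refresh tokens server-side so the client
            # cannot silently obtain new access tokens, remember when we did it,
            # and reject the request that revealed the gap.
            self.revoke(username)
            self.revoked_at[username] = int(now)
            self.last_seen.pop(username, None)
            return False

        # Activity extends the session: the window slides forward.
        self.last_seen[username] = now
        return True


def demo() -> dict:
    """Walk one constructed session through the guard with a fake revoker."""
    revoked = []                                  # records usernames passed to revoke()
    guard = InactivityGuard(revoke=revoked.append)
    t0 = 1_700_000_000.0                          # constructed epoch timestamp
    iat = int(t0)                                 # constructed `iat` of the first token
    out = {}
    out["first"] = guard.on_request("alice", iat, t0)                       # True
    out["within_limit"] = guard.on_request("alice", iat, t0 + 3600)         # True
    out["still_active"] = guard.on_request("alice", iat, t0 + 10600)        # True: 7000s since last
    out["after_idle"] = guard.on_request("alice", iat, t0 + 17801)          # False: 7201s gap
    out["revoked_calls"] = list(revoked)                                    # ["alice"]
    out["stale_token"] = guard.on_request("alice", iat, t0 + 17900)         # False: pre-revocation token
    fresh_iat = int(t0 + 17801) + 5                                         # token from a new sign-in
    out["fresh_login"] = guard.on_request("alice", fresh_iat, t0 + 17900)   # True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guard runs after the normal JWT verification, not instead of it; it only adds the inactivity rule and the "issued before revocation" rule that the signature check cannot express. Keeping `revoked_at` entries for at least the configured access-token validity is enough, since older tokens expire on their own after that.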
