How to Invalidate Existing ID Tokens of a Deleted Cognito User in API Gateway Authorizer?

0

Hi,

In our mobile/web application, we allow user deletions through an independent web interface. When a user is signed out and deleted from Cognito, I notice that their previously generated ID tokens remain valid and continue to work with the API Gateway Cognito authorizer, letting existing sessions in the app make API calls with the ID token.

Here are the methods we use to sign out and delete the user:

import boto3

USER_POOL_ID = "us-east-1_EXAMPLE"   # your user pool ID
username = "user-to-delete"          # the Cognito username being removed

cognito_client = boto3.client("cognito-idp")

# Sign out the user globally (revokes the user's refresh tokens)
sign_out_response = cognito_client.admin_user_global_sign_out(
    UserPoolId=USER_POOL_ID,
    Username=username
)
# Delete the user from the user pool
delete_response = cognito_client.admin_delete_user(
    UserPoolId=USER_POOL_ID,
    Username=username
)

Despite using these methods, the ID tokens generated before the user was signed out and deleted are still accepted by the API Gateway authorizer. How can we ensure that these ID tokens are invalidated immediately upon user deletion?


1 Answer
1

To invalidate existing ID tokens of a deleted Cognito user in API Gateway Authorizer, you need to configure the API Gateway Authorizer to validate the token against the Cognito User Pool's public keys. This way, when a user is deleted, their tokens will no longer be validated by the User Pool, and the API Gateway Authorizer will reject them.

Here are the steps:

  1. In the Cognito User Pool, navigate to the "App integration" section and make a note of the "Issuer" URL. This URL contains the public keys used to validate JWT tokens.

  2. In the API Gateway Authorizer configuration, select the "TOKEN_SOURCE" as "Authorization" and the "TOKEN VALIDATION" as "validateSignature".

  3. For the "Audience" field, enter your API Gateway API's ID (e.g., "abcdef123").

  4. For the "Issuer" field, enter the "Issuer" URL from the Cognito User Pool noted in step 1.

With this configuration, the API Gateway Authorizer will validate the token's signature against the Cognito User Pool's public keys. When a user is deleted, their tokens will no longer be validated by the User Pool, and the API Gateway Authorizer will reject them.

Note: This approach ensures that deleted users' tokens are immediately invalidated. However, if you want to revoke active sessions for deleted users, you'll need to implement additional logic in your application to handle this case.

EXPERT
answered 9 months ago
  • I noticed that the JWT option is not available for REST API endpoints, only for HTTP APIs. For REST we have Cognito and Lambda; for HTTP we have JWT and Lambda. We are currently using the Cognito option and expected it to reject the token of a deleted user.

    Edit: I tried to test using an HTTP API with --identity-source '$request.header.Authorization', the audience set to the client ID from Cognito, and the issuer URL. The authorizer works, but if I perform a global sign-out and delete the user, the token that was generated can still be used to access the API.

    Reference: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html#http-api-jwt-authorizer.create
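Added example, not code from the question, the answer or AWS. API Gateway's Cognito and JWT authorizers verify the token's signature, expiry, issuer and audience (and scopes, for access tokens) and do not call the user pool on each request, and AWS documents that after AdminUserGlobalSignOut a user's tokens can remain valid elsewhere until they expire. Rejecting a deleted user's token before expiry therefore needs a stateful check, which means a Lambda authorizer. The block below shows both halves side by side: the stateless checks that still pass after deletion, and the extra lookup that makes deletion and global sign-out take effect immediately. It goes beyond the deletion case in the thread by also covering sign-out without deletion and a re-created user with the same username. Everything in it is constructed: HS256 via hmac stands in for Cognito's RS256 so it runs on the standard library alone, UserDirectory is an in-memory stand-in for AdminGetUser / AdminUserGlobalSignOut / AdminDeleteUser plus a revocation table your deletion handler would write, and ISSUER, CLIENT_ID and METHOD_ARN are placeholder values.

```python
"""Stateless JWT checks (what the Cognito/JWT authorizers do), then the stateful
check a Lambda authorizer needs to reject tokens of deleted or signed-out users.

Constructed assumptions: HS256 via hmac stands in for Cognito's RS256; UserDirectory
is an in-memory stand-in for AdminGetUser / AdminUserGlobalSignOut / AdminDeleteUser
plus a revocation table; ISSUER, CLIENT_ID and METHOD_ARN are placeholders."""
import base64
import hashlib
import hmac
import json
from typing import Optional

ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"   # assumed
CLIENT_ID = "1example23456789"                                              # assumed app client ID (ID token 'aud')
METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abcdef123/*/*"     # assumed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(username: str, sub: str, key: bytes, now: int, ttl: int = 3600) -> str:
    """Mint an ID token with Cognito-shaped claims (HS256 stand-in for RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "cognito:username": username, "iss": ISSUER, "aud": CLIENT_ID,
              "token_use": "id", "iat": now, "exp": now + ttl}
    signing_input = header + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_stateless(token: str, key: bytes, now: int) -> Optional[dict]:
    """The checks a Cognito/JWT authorizer performs: signature, exp, iss, aud, token_use.
    Nothing here consults the user pool, so a deleted user's unexpired token still passes.
    Returns the claims on success, None on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        return None
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    if claims.get("token_use") != "id" or claims.get("exp", 0) <= now:
        return None
    return claims


class UserDirectory:
    """Constructed stand-in for the user pool plus a small revocation table that your
    sign-out/deletion handler writes (a DynamoDB table in a real deployment)."""

    def __init__(self):
        self._sub_by_username = {}
        self.tokens_invalid_before = {}   # sub -> timestamp; tokens issued earlier are dead

    def create(self, username: str, sub: str) -> None:
        self._sub_by_username[username] = sub

    def admin_user_global_sign_out(self, username: str, now: int) -> None:
        self.tokens_invalid_before[self._sub_by_username[username]] = now

    def admin_delete_user(self, username: str, now: int) -> None:
        self.tokens_invalid_before[self._sub_by_username.pop(username)] = now

    def current_sub(self, username: str) -> Optional[str]:
        return self._sub_by_username.get(username)


def _policy(principal: str, effect_value: str, reason: str) -> dict:
    """Minimal REST API Lambda authorizer response."""
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect_value, "Resource": METHOD_ARN}]},
            "context": {"reason": reason}}


def authorize(token: str, key: bytes, directory: UserDirectory, now: int) -> dict:
    """Stateless checks first, then the stateful ones that make deletion and
    global sign-out take effect immediately."""
    claims = verify_stateless(token, key, now)
    if claims is None:
        return _policy("anonymous", "Deny", "token failed signature/claim checks")
    sub, username = claims["sub"], claims["cognito:username"]
    # A re-created user with the same username gets a new sub, so compare subs
    # rather than only checking that the username exists.
    if directory.current_sub(username) != sub:
        return _policy(sub, "Deny", "user deleted or replaced")
    if claims["iat"] < directory.tokens_invalid_before.get(sub, 0):
        return _policy(sub, "Deny", "token issued before sign-out/deletion")
    return _policy(sub, "Allow", "ok")


def effect(decision: dict) -> str:
    return decision["policyDocument"]["Statement"][0]["Effect"]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    users = UserDirectory()
    users.create("alice", "sub-1")
    tok = issue_id_token("alice", "sub-1", key, now=1000)
    users.admin_user_global_sign_out("alice", now=1100)
    users.admin_delete_user("alice", now=1200)
    print("stateless check still passes:", verify_stateless(tok, key, now=1300) is not None)
    print("authorizer decision:", effect(authorize(tok, key, users, now=1300)))
```

Two deployment caveats follow from this design. First, the REST API Lambda authorizer caches its result per token for the configured TTL (300 seconds by default), so a cached Allow outlives the deletion unless the TTL is set to 0 or kept very short. Second, the per-request lookup is what costs you: calling AdminGetUser on every request is simple but slow and rate-limited, so the usual pattern is the revocation table shown here, written at sign-out/deletion time and read by the authorizer, combined with a short ID token validity so the table only needs to hold entries for a few minutes.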
