
AdminDisableUser doesn't seem to disable the previously issued access token

0

Hi, I am using the AdminDisableUser API to disable a user account on repetitive failures to log in. The documentation here https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminDisableUser.html mentions that the tokens will be revoked on calling this API. Does this process revoke all previously issued access tokens and refresh tokens? It doesn't seem to do that.

1 Answer
0

Calling AdminDisableUser in Amazon Cognito does not immediately revoke all previously issued access tokens. It prevents the user from authenticating again and invalidates refresh tokens going forward, but any already issued access tokens remain valid until they expire. To actively revoke tokens in real time, you may consider using Cognito token revocation features (e.g., RevokeToken API) with token revocation enabled on your app client.

https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html

EXPERT
answered 14 days ago
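The flow the answer describes, as an added example (not code from the question, the answer, or AWS): disable the user with AdminDisableUser, revoke the refresh token with RevokeToken, and then show why an already-issued access token still needs a server-side status check until its `exp` claim passes. It assumes boto3 for real use (the demo runs offline against a constructed fake client), that the app client has token revocation enabled, and that the pool id, client id, username and tokens are constructed placeholders.

```python
"""Disable a Cognito user, revoke its refresh token, and measure the window in
which an already-issued access token stays usable.

Added example, not from the re:Post thread or AWS.  Assumes boto3 only for the
real client; every identifier below is a constructed placeholder.
"""
import base64
import json
import time
from typing import Optional

try:
    import boto3  # real client: boto3.client("cognito-idp", region_name=...)
except ImportError:  # demo works without it via FakeCognito below
    boto3 = None


def _jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying it.

    Used only to read the `exp` claim for exposure-window reporting.  A resource
    server must still verify the signature against the pool's JWKS before
    trusting any claim in the token.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def seconds_until_expiry(access_token: str, now: Optional[int] = None) -> int:
    """Seconds an already-issued access token remains valid after a disable."""
    now = int(time.time()) if now is None else now
    return max(0, int(_jwt_payload(access_token)["exp"]) - now)


def disable_and_revoke(cognito, user_pool_id, client_id, username,
                       refresh_token, client_secret=None):
    """Disable sign-in for the user, then revoke the refresh token.

    AdminDisableUser alone stops new authentication; RevokeToken (with token
    revocation enabled on the app client) cuts the refresh token off now
    instead of waiting for it to expire.
    """
    cognito.admin_disable_user(UserPoolId=user_pool_id, Username=username)
    params = {"Token": refresh_token, "ClientId": client_id}
    if client_secret:  # only required when the app client has a secret
        params["ClientSecret"] = client_secret
    cognito.revoke_token(**params)


def user_is_enabled(cognito, user_pool_id, username) -> bool:
    """Server-side check for sensitive operations: a still-valid access token
    does not prove the account is still enabled."""
    resp = cognito.admin_get_user(UserPoolId=user_pool_id, Username=username)
    return bool(resp.get("Enabled", False))


class FakeCognito:
    """Constructed stand-in for a boto3 cognito-idp client (offline demo only)."""

    def __init__(self):
        self.disabled = set()
        self.revoked = set()

    def admin_disable_user(self, UserPoolId, Username):
        self.disabled.add(Username)
        return {}

    def revoke_token(self, Token, ClientId, ClientSecret=None):
        self.revoked.add(Token)
        return {}

    def admin_get_user(self, UserPoolId, Username):
        return {"Username": Username, "Enabled": Username not in self.disabled}


def make_demo_token(exp: int) -> str:
    """Constructed, unsigned JWT-shaped string; the signature segment is a dummy."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none'})}.{seg({'sub': 'user-1', 'exp': exp})}.sig"


def run_demo(now: int = 1_700_000_000) -> dict:
    """Disable + revoke, then report what is and is not cut off."""
    cognito = FakeCognito()
    access_token = make_demo_token(exp=now + 600)  # 10 minutes left at disable time
    disable_and_revoke(cognito, "us-east-1_EXAMPLE", "client-id-placeholder",
                       "alice", refresh_token="refresh-token-placeholder")
    return {
        "enabled": user_is_enabled(cognito, "us-east-1_EXAMPLE", "alice"),
        "refresh_revoked": "refresh-token-placeholder" in cognito.revoked,
        "access_token_seconds_left": seconds_until_expiry(access_token, now),
    }


if __name__ == "__main__":
    print(run_demo())
```

The third value in the result is the point of the thread: after the disable and revoke, the access token minted earlier still has the remainder of its lifetime, so a short access-token validity on the app client and a `user_is_enabled`-style check before high-value operations are what bound that window.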
