How can I revoke tokens created through Cognito oauth/token url?

2

We have an application implemented on API Gateway and Lambda; authentication is carried out by tokens generated by Cognito. Cognito has the client credentials OAuth flow with custom scopes. We are using the oauth/token URL to generate access tokens. We tried to create refresh tokens, but oauth/authorize isn't working, because the client credentials flow restricts the authorization code grant.

In the middle of the process we need these tokens to be revoked, but oauth/revoke needs the refresh token, which we can't generate because of the chosen flow. How can we revoke those tokens?

1 Answer
1

Hi,

Currently it is not possible to revoke an access token that is issued using the client-credentials flow.

In a token-based authentication system like Cognito, tokens are considered valid as long as they have a valid signature and they haven't expired. When these tokens are passed for authorization to a back-end (like API Gateway), they are validated remotely by verifying their signature and validity; this remote verification doesn't involve any calls to the issuer of the token (Cognito). Revoking a token on the authentication server will not invalidate the already issued token, and back-end systems that verify this token remotely will continue to accept it.

In your case, if you want to deny access to a token before it expires, you will need to maintain a deny-list table (in DynamoDB, for example). To deny access to a token, store its unique identifier (the jti claim) in this table, and check this table during authorization to make sure that the token hasn't been denied access.

AWS
EXPERT
answered 2 years ago
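The deny-list check the answer describes, as an added example that is not part of the original post or of any AWS code. It assumes the token's signature has already been verified against the Cognito JWKS by the caller; the in-memory dict stands in for the DynamoDB table, and `constructed_token` and `SAMPLE_CLAIMS` are constructed test data with a placeholder signature.

```python
"""Deny-list enforcement for Cognito client-credentials access tokens (example)."""
import base64
import json
import time
from typing import Optional

# Constructed sample claims shaped like a Cognito access token (not a real token).
SAMPLE_CLAIMS = {"jti": "example-jti-0001", "exp": 2_000_000_000,
                 "scope": "orders/read", "token_use": "access"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def constructed_token(claims: dict) -> str:
    """Build a compact JWT with a PLACEHOLDER signature, for demonstration only."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT whose signature the caller has ALREADY
    verified against the Cognito JWKS; this function itself verifies nothing."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def revoke(deny_list: dict, claims: dict) -> dict:
    """Deny-list a token by jti. The stored value is the token's exp, so a TTL
    attribute on the DynamoDB table can drop the row once the token would be
    rejected as expired anyway, keeping the table small."""
    deny_list[claims["jti"]] = int(claims["exp"])
    return deny_list


def authorize(deny_list: dict, claims: dict, required_scope: str,
              now: Optional[float] = None) -> str:
    """Decision for an already-signature-verified token: "Allow" or "Deny",
    mirroring a Lambda authorizer's policy effect."""
    now = time.time() if now is None else now
    if claims.get("token_use") != "access" or claims.get("exp", 0) <= now:
        return "Deny"                                   # wrong type or expired
    if required_scope not in claims.get("scope", "").split():
        return "Deny"                                   # custom scope missing
    if claims.get("jti") in deny_list:
        return "Deny"                                   # revoked via deny list
    return "Allow"
```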
