By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Cognito log out issue

0

I am developing a react native mobile app. I want my user to login in one device with once account. If a user tries to login to another mobile device with same account, he should be logout from the first mobile device. but official docs of AWS cognito provide two options either logout or global logout. In global logout it logs user out from device 1 and 2 both. what is expected If a user logs in second mobile device it should automatically be logout from the other one.

Topics
Front-End Web & MobileSecurity, Identity, & Compliance
Tags
Front-End Web & MobileAmazon CognitoAWS Amplify Studio
Language
English
Shaista
asked 2 years ago1984 views
1 Answer
0

Hi,

Thank you for contacting us! I understand that you are developing a react native mobile app and you have a Cognito user pool where you wish to only allow users to be logged in from one device at a time and if a users tries to login from a second device, the first device must be logged out from the user account.

Cognito provides AdminUserGlobalSignOut API [1] that can be used to logout a user from all devices that they are currently logged in, as an administrator. It also invalidates all refresh tokens issued to a user. The user's current access and ID tokens remain valid until their expiry. By default, access and ID tokens expire one hour after they're issued. You can use this API in a PreAuthentication Lambda trigger to logout from all the user devices before accepting a new login request from a new user device. Cognito invokes this trigger when a user attempts to sign in, allowing custom validation to accept or deny the authentication request. Kindly check out this documentation [2] for more details on Pre-authenticated Lambda trigger.

Alternatively, Cognito also has a feature to remember devices. You can use this feature to limit the number of devices that the user can be logged in at a time.

To enable this use case, we have included an extra parameter in our inputs to our post-authentication AWS Lambda function: newDeviceUsed. It is a Boolean flag that is only true if you have device remembering turned on and if the device being used to authenticate is a new device.

With this small addition, you can set a maximum for the number of devices that can be linked to a user’s account. Within your post-authentication Lambda hook, you can call the AdminListDevices API [3] to count the number of devices currently linked if the newDeviceUsed flag is set to true. If it is over your determined limit, you fail the call, which then fails the authentication. Kindly checkout this documentation for more details [4].

I hope you find the above information useful, please feel free to reach out to us with any further queries and we'll be glad to assist!

References

AWS
SUPPORT ENGINEER
Sumukhi_P
answered 2 years ago
  • Shaista
    2 years ago

    Thanks for the response. I like the way out of remember device. But we suppose the device on which is user logged in and it got damaged. now the user is trying to login in another mobile but as he did not logged out from the device 1, cognito will never let him log in to another device as this AdminListDevices API will return count.

    Is there any cognito client code to forcefully expire the access and ID tokens?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content