By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Revoke token API is not returning any exception if same refresh token passed again

0

Hi team,

I am using the revoke token API to revoke the refresh token and it revokes the refresh token as well I can see that I am not able to generate the new access token using that refresh token but I tried to call the revoke token API again with the same refresh token but it didn't throw any error.

I am expecting it should throw an error something like refresh token has already been revoked.

Here is how I am revoking access token:

RevokeTokenRequest revokeTokenRequest = new RevokeTokenRequest();
 revokeTokenRequest.setClientId("client-id");
 revokeTokenRequest.setToken("refresh_token");
 revokeTokenRequest.setClientSecret("client-secret");
awsCognitoIdentityProvider.revokeToken(revokeTokenRequest);
Topics
Security, Identity, & ComplianceJava Development
Tags
Security, Identity, & ComplianceAWS Identity and Access ManagementAmazon CognitoAmazon Cognito User PoolsJava Development
Language
English
rePost-User-6233732
asked a year ago385 views
1 Answer
0

Hello,

In regards to Revoke Token API output, as noted on CLI doc [1] there in no output in response for this call. Basically for response element, if the action is successful, the service sends back an HTTP 200 response with an empty HTTP body. [2]

The current errors account for WAF block, internal error, unauthorized access, invalid parameter, throttling, unsupported operation or token type. [3]

I also ran a quick CLI command run check for the same and found the consistent behavior as per docs reference -

  1. Logged in as the user to get the tokens.
$ aws cognito-idp initiate-auth --client-id 2XXXXXXXXXXXXXXXXr --auth-flow USER_PASSWORD_AUTH --auth-parameters "USERNAME=test1002,PASSWORD=XXXXXXXXX"
{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "AccessToken": "eyJ....Rhg",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "eyJ...vhg",
        "IdToken": "ey...cmg"
    }
}
  1. Used the above refresh token with Revoke token API.
$ aws cognito-idp revoke-token --client-id 2XXXXXXXXXXXXXXXXr --token eyJ...vhg 

No output here.
  1. Called the above API again and noticed the same behavior.
$ aws cognito-idp revoke-token --client-id 2XXXXXXXXXXXXXXXXr --token eyJ...vhg 

No output here.

Additionally, I do understand that you expected it to throw an error. Hence, please feel free to reach out to the Cognito dev team (https://github.com/aws-amplify/amplify-js/issues, and to confirm and rmove any confusion, the previous Cognito repo - https://github.com/amazon-archives/amazon-cognito-identity-js has been merged into the mentioned amplify js repo) to report this as a feature request or you can also create a support ticket with our Premium Support team directly, and we can help in creation of the error feature request on your behalf to the service team for the same.

References:

[1] https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/revoke-token.html#:~:text=is%2060%20seconds.-,Output,-%C2%B6

[2] https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html#API_RevokeToken_SeeAlso:~:text=Required%3A%20Yes-,Response%20Elements,-If%20the%20action

[3] https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html#API_RevokeToken_SeeAlso:~:text=empty%20HTTP%20body.-,Errors,-For%20information%20about

profile pictureAWS
SUPPORT ENGINEER
Yash_C
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content