1 Answer
Thank you for bringing this important issue to our attention. You're correct that silently re-authenticating a user without requiring validation from the identity provider could lead to security vulnerabilities.
A few things to note here:
- Google Workspace does not support SAML SLO, so Cognito's /logout endpoint alone cannot fully sign the user out across both systems. [1]
- When a user logs out of Cognito, it only clears the session cookie, but ID tokens remain valid until expiration.
- Your solution of calling /oauth2/revoke before logout is a good workaround, as it invalidates refresh tokens stored in Cognito.
A few other things:
- Consider calling /oauth2/revoke on frontend logout in addition to backend calls.
- Set short ID token expiration times (e.g. 5 minutes) to reduce risk window if tokens are stolen.
- Add MFA for high-security applications to prevent token reuse even if stolen.
- Redirect to identity provider logout page in addition to Cognito logout.
Docs
[1]: SAML sign-out flow
answered a month ago
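The revoke-then-logout sequence the answer recommends, written out as a backend logout handler. This is an added example, not code from the answer, the question or AWS. The Cognito hosted-UI domain, app client id and secret, and the sign-out URL are placeholders, and the HTTP POST is injected as a callable so the flow can be exercised offline; it builds the real Cognito /oauth2/revoke and /logout requests as documented by AWS.

```python
"""Server-side logout for a Cognito user pool federated to an IdP that has no
SAML SLO (the Google Workspace case from the thread):

  1. POST the session's refresh token to Cognito's /oauth2/revoke
  2. drop the local application session
  3. send the browser through Cognito's /logout (clears the Cognito cookie)
     with a logout_uri that lands on the IdP's own sign-out page

Example code only. Domain, client id/secret and URLs below are placeholders.
"""
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlencode


@dataclass
class RevokeRequest:
    url: str
    headers: Dict[str, str]
    body: str  # application/x-www-form-urlencoded


def build_revoke_request(domain: str, client_id: str, refresh_token: str,
                         client_secret: Optional[str] = None) -> RevokeRequest:
    """Build the POST for Cognito's /oauth2/revoke endpoint.

    A confidential app client (one with a secret) authenticates with HTTP Basic
    base64(client_id:client_secret). client_id in the body is required for a
    public client and harmless otherwise, so it is always sent.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    body = urlencode({"token": refresh_token, "client_id": client_id})
    return RevokeRequest(f"https://{domain}/oauth2/revoke", headers, body)


def build_logout_url(domain: str, client_id: str, logout_uri: str) -> str:
    """Cognito /logout clears the Cognito session cookie and redirects to
    logout_uri, which must be registered as an allowed sign-out URL on the app
    client. Pointing it at the IdP's sign-out page (or a local page that
    forwards there) is how the "redirect to the identity provider logout page"
    step from the answer is done, since Cognito cannot SLO for Google."""
    query = urlencode({"client_id": client_id, "logout_uri": logout_uri})
    return f"https://{domain}/logout?{query}"


def logout(session: Dict[str, str], domain: str, client_id: str,
           client_secret: Optional[str], idp_logout_uri: str,
           post: Callable[[RevokeRequest], int]) -> Dict[str, object]:
    """Run the logout sequence. `post` performs the HTTP call and returns the
    status code (injected so the flow is testable without network access)."""
    outcome: Dict[str, object] = {
        "revoked": False,
        "redirect": build_logout_url(domain, client_id, idp_logout_uri),
    }
    refresh_token = session.get("refresh_token")
    if refresh_token:
        req = build_revoke_request(domain, client_id, refresh_token, client_secret)
        outcome["revoked"] = post(req) == 200
        # A failed revoke leaves the refresh token usable until it expires;
        # the caller should log this so it is visible, not ignore it.
    # Clear the local session whatever the revoke result: the ID token already
    # in the user's hands stays valid until its exp, which is why the answer
    # recommends a short ID token lifetime.
    session.clear()
    return outcome


if __name__ == "__main__":
    # Constructed demo: a fake poster that accepts every revoke.
    def fake_post(req: RevokeRequest) -> int:
        print("POST", req.url, req.body)
        return 200

    demo_session = {"user": "alice", "refresh_token": "rt-placeholder"}
    print(logout(demo_session, "auth.example.com", "abc123", "s3cret",
                 "https://app.example.com/signed-out", fake_post))
```

The redirect the handler returns goes to Cognito first; Cognito then forwards to `logout_uri`, so the IdP sign-out page is reached only after the Cognito cookie is gone. If the revoke call fails, the local session is still cleared, but the refresh token remains usable until expiry, so the handler reports `revoked: False` rather than silently succeeding.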
Thanks Ibrahim. So it sounds like this id token that persists in Cognito is probably the issue; it's avoiding re-authenticating with the IdP on /login because that token persists. Is that a good, secure design decision? Can we perhaps add a configuration option to AWS Cognito to revoke this id token on logout? While my work-around is sufficient for the moment, I'd feel better if there wasn't the possibility for someone to pick up a user's session after /logout without them having to authenticate.