API gateway accepting revoked access tokens from header


I have a lambda being invoked by API gateway. The endpoint is protected with Cognito access token. The issue is, I have noticed that even a revoked access token is being accepted by the endpoint, which shouldn't be the case. How can I overcome this situation?

2 Answers

API Gateway allows access based on the information contained in the token. If you revoke the token in Cognito but the expiry of the token is still in the future then access will still be allowed by API Gateway - for performance it doesn't check with Cognito to see if every token is revoked; it's relying on the information that has been passed with the token.

One way to solve this is to use very short-lived tokens that are refreshed by the client application on a regular basis. That way revoked tokens are not valid for very long.

Another way would be to use Lambda Authorizer which could check to see if each token passed to API Gateway has been revoked or not. It could do this by checking with Cognito; or some other data source such as a DynamoDB table. However, this adds delay and cost to each API call.

AWS EXPERT
answered 10 months ago
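A Lambda authorizer of the kind the answer describes, added here as an example and not code from the answer or from AWS. It verifies the token's signature, expiry and `token_use`, then performs the step API Gateway's built-in Cognito authorizer skips, a lookup in a revocation store, and returns the Allow/Deny policy API Gateway expects from a TOKEN-type authorizer. Assumptions: HS256 with a local secret stands in for Cognito's RS256/JWKS verification so the code runs offline, an in-memory set stands in for the DynamoDB table, and the `jti` claim is used as the revocation key.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins: Cognito signs with RS256 (verify against the user pool JWKS);
# HS256 with a local secret keeps this runnable offline. The set replaces DynamoDB.
SECRET = b"example-signing-secret"
REVOKED_JTIS = {"jti-revoked-0001"}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims):
    """Test helper standing in for Cognito issuance: build an HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token, now):
    """Return the claims if signature, expiry and revocation checks pass, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # no alg confusion
            return None
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
        if claims.get("token_use") != "access" or claims.get("exp", 0) <= now:
            return None
    except (ValueError, AttributeError, TypeError):  # malformed segments, base64, JSON or claims
        return None
    # The step API Gateway itself skips: consult the revocation store on every call.
    if claims.get("jti") in REVOKED_JTIS:
        return None
    return claims

def handler(event, context=None, now=None):
    """TOKEN-type Lambda authorizer entry point: returns an IAM policy for API Gateway."""
    now = int(time.time()) if now is None else now
    raw = event.get("authorizationToken", "")
    token = raw[7:] if raw.startswith("Bearer ") else raw
    claims = verify_token(token, now)
    effect = "Allow" if claims else "Deny"
    return {"principalId": claims.get("sub", "unknown") if claims else "anonymous",
            "policyDocument": {"Version": "2012-10-17", "Statement": [{
                "Action": "execute-api:Invoke", "Effect": effect,
                "Resource": event["methodArn"]}]}}
```

The same `verify_token` shape applies when the revocation lookup is a Cognito call or a DynamoDB query; keep the authorizer's result cache TTL short, because a cached Allow outlives a revocation just as the original token does.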

Do you have caching enabled for the token? This page talks about how to enable it. You should check if you have it enabled and look at the TTL.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-caching-tokens.html

iBehr, AWS EXPERT
answered 10 months ago
