Id token (which is used as bearer token) does not get expire after user is logged out.

Question

After user logs out of the system the bearer token is not invalidated automatically. I can still use the token to access the resources. For sign out I'm using amplify auth.signout(). Does invalidating refresh token invalidates id token? is there any way to invalidate id token. jwt.verify() is still passing the request after I tried invalidating refresh token. Any solution. I dont want to use global signout.

Answer

####  Does invalidating refresh token invalidates id token? 
When you call `amplify.auth.signout()`, this particular method is used to sign out the currently authenticated user from the application. When a user signs out, their session is invalidated, and they will need to authenticate again to access any resources or features that require authentication.

> You can also sign out users from all devices by performing a global sign-out. This will also invalidate all refresh tokens issued to a user. The user's current access and ID tokens will remain valid on other devices until the refresh token expires (access and ID tokens expire one hour after they are issued).

```javascript
amplify.auth.signout({ global: true })
```

Key souces:
- [Sign-out](https://docs.amplify.aws/javascript/build-a-backend/auth/enable-sign-up/#sign-out)

Answer

Hi,

As described on the [AWS documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html), JWT tokens, such as access_token and id_token, are self-contained with a signature and expiration time that was assigned when the token was created.

Therefore, revoked tokens will still be valid if they are verified using any JWT library that only verifies the signature and expiration of the token, which is the most common method.

Id token (which is used as bearer token) does not get expire after user is logged out.

Does invalidating refresh token invalidates id token?

Relevant content