- Newest
- Most votes
- Most comments
Does invalidating refresh token invalidates id token?
When you call amplify.auth.signout()
, this particular method is used to sign out the currently authenticated user from the application. When a user signs out, their session is invalidated, and they will need to authenticate again to access any resources or features that require authentication.
You can also sign out users from all devices by performing a global sign-out. This will also invalidate all refresh tokens issued to a user. The user's current access and ID tokens will remain valid on other devices until the refresh token expires (access and ID tokens expire one hour after they are issued).
amplify.auth.signout({ global: true })
Key souces:
Hi,
As described on the AWS documentation, JWT tokens, such as access_token and id_token, are self-contained with a signature and expiration time that was assigned when the token was created.
Therefore, revoked tokens will still be valid if they are verified using any JWT library that only verifies the signature and expiration of the token, which is the most common method.
Relevant content
- asked 2 years ago
- Accepted Answerasked 4 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago