Does Cognito's RevokeToken API call invalidate Access Tokens and/or Id Tokens and/or Refresh Tokens?
The documentation for Amazon Cognito RevokeToken says:
Revokes all of the access tokens generated by the specified refresh token. After the token is revoked, you can't use the revoked token to access Amazon Cognito authenticated APIs. (emphasis added)
The documentation also says:
{
"ClientId": "string",
"ClientSecret": "string",
"Token": "string"
}
...
The refresh token that you want to revoke.
Does this mean that the Refresh Token is revoked? Or that the Access Tokens and/or ID Tokens generated by a specific Refresh Token are revoked?
- Newest
- Most votes
- Most comments
Suppose an user has logged in at 1 AM and Cognito has returned access, ID and refresh tokens after the user sign-in. If you call the RevokeToken API with that refresh token, then the initially issued access and ID tokens, the refresh token, and all access and ID tokens which were issued using that refresh token will be revoked.
Note: Only Cognito service is aware of the token revocation when you revoke token using RevokeToken API. However, your resource server will treat the token as valid until the token's expiry time breach. You may call GetUser API of Cognito to check whether a token is revoked or not. However, please consider the limit per second on number of GetUser API [1].
Relevant content
- asked 2 years ago
- asked 2 years ago
- asked 5 years ago
- asked 10 months ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
