By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

global signout issue

0

When awaiting on a promise as a result of adminuserglobalsignout the promise seems to return but the data contains nothing.

The next call after signout is to authenticate the user. A correct accessToken is returned but its already revoked which makes me think the promise is not awaiting correctly and the new credentials are getting signed out by the previous call which is still running.

We are using globalsignout to prevent users from having multiple sessions so the workflow is along lines of

authenticate -> success -> signout (to kill any other sessions) -> authenticate -> success -> return token

I have updated my lambda package to include the latest sdk version 2.469.0 and no improvement.

Sometimes the timing must be OK as the returned credentials are still valid and the token can be used.

In BOTH cases there appears to be zero data returned from the AWS call

section of lambda code that calls the signout method in the User library

try {

    signOutResult = await User.globalSignOut(userId, process.env.COGNITO_POOL);

} catch (err) {

    log.error("AWS Global Signout Error: " + JSON.stringify(err));
    responseBody = Helper.buildCORSResponse(502, JSON.stringify({ message: err }));

    return callback(null, responseBody);

}

globalsignout code in User library:

return new Promise((resolve, reject) => {

    log.info(`globalSignOut: Signing ${Username} out from all devices in pool ${UserPoolId}`);

    const signOutRequest = new AWS.CognitoIdentityServiceProvider({ apiVersion: "2016-04-18" }).adminUserGlobalSignOut({ Username, UserPoolId });
    const signOutPromise = signOutRequest.promise();

    signOutPromise.
        then((data) => {

            log.debug("globalSignOut: Cognito SignOut Success: " + JSON.stringify(data));
            resolve(data);

        }).catch((err) => {

            log.error("globalSignOut: Cognito SignOut Error: " + err);
            reject(err);

        });

});
}

In every call we reach the resolve with no issue and then we carry on to authenticate the user again.

    log.debug("globalSignOut: Cognito SignOut Success: " + JSON.stringify(data));
    resolve(data);

Does anyone see any issues that could be causing this? I've tried a few ways to specify the promise and an using same format that works fine for other services and waits the promise of the result before code execution continues.

All advice greatly appreciated

UPDATE - Adding a sleep function prior to resolve seems to work perfectly because now every token returned is valid. Something must be up with how the AWS method is returning to my code to early or something as I believe I am correctly waiting on the expected promise from AWS.

Topics
Security, Identity, & Compliance
Tags
Amazon Cognito
Language
English
Mark Lloyd
asked 5 years ago706 views
1 Answer
0

I got an update from AWS Support on this behavior in case anyone else finds this issue. I can confirm that adding a small delay before re-authenticating the user after global signout works fine.

Thank you for getting back to us.

In order to troubleshoot this issue, I tried to replicate it on my end by testing the below mentioned flow (as provided by you in the ) :

Authenticate user —> Global Sign Out —> Authenticate again —-> Check the validity of the new token

I wrote a python code to implement the above flow. In the flow, after calling the globalSignOut method, I authenticated the user again and checked the validity of the token by making getUser API call. But, the getUser API call returned the following response : “An error occurred (NotAuthorizedException) when calling the GetUser operation: Access Token has been revoked”

Now, I added sleep function after the GlobalSignOut for 1 second and the flow worked correctly. I did a few tests with the sleep time and noticed that if we add a sleep period of 0.6 seconds or greater, the API works correctly. So, it seems that the GlobalSignOut API call returns the response immediately but, the global logging out process (revoking of tokens) still runs in the backend for approximately 0.6 seconds.

For this, I reached out to the Cognito development team to confirm this behavior of GlobalSignOut API call. The team has confirmed that this is an expected behavior of GlobalSignOut API call. When GlobalSignOut is called all the tokens that were issued before that time is considered invalid. If the gap between signout and authentication is very small ( from my tests, this is approximately 0.6 seconds ), the token issue after authentication can be treated to be issued before signout call and, for better security, is considered invalid.

I hope

that the above information helps. If there is anything else I can do to help, please let me know. I will be more than happy to assist you.

Have a great day ahead.

Best regards,

Amazon Web Services

Mark Lloyd
answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content