Cognito: Make auth tokens validity dependent on user's activity


In our web app we use Cognito for user authentication, specifically a User Pool Client with the Amplify JavaScript client.

We would like to make sure that as soon as the user is inactive for let's say more than two hours, they get logged out automatically (token should expire).

With "user activity" I mean "the front-end making requests to the backend". I'm aware that in a case where the user is actively using the application but the front-end doesn't make requests to the backend, there is no chance for the backend to detect that the user is "active" - hence I'll take care that some communication will happen in such a case to fulfill this definition of activity.

While we could implement this in the front-end, this doesn't feel right from a security perspective. The mechanism should be implemented in the backend.

But I don't see an option in the Cognito User Pool Client token validity settings which can be used to implement this mechanism. If I set the refresh token validity to 2 hours, this would also mean that when the user is active for 2 hours, they will also be logged out (token gets invalid).

This sounds like a very common feature.

What is the recommended way to implement this with AWS Cognito? Is there even some built-in approach which I am overlooking?

Asked 2 years ago, viewed 227 times

1 answer

Hi there,

I understand that you would like to implement an automatic logout trigger due to user inactivity.

While there is no direct way to do this in Cognito, you can trigger that response through an API call passed into Cognito once the user hits the inactivity time limit. Doing this will revoke the user's refresh token which will cause the user to sign in again.

More information on revoking refresh tokens can be found below:
https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html
https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html

You can use the following Cognito User Pools API operation: AdminUserGlobalSignOut.

AdminUserGlobalSignOut can sign out any user in the user pool. It must be called by the administrator application with AWS developer credentials. More information about this API call can be found here: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUserGlobalSignOut.html

You can use a Lambda function to keep track of user inactivity. When the API operation is called, you can redirect them to the Logout endpoint where Cognito will clear the session cookie. This prevents the user from reauthenticating with the same cookie. Once the cookie has been cleared, the user must reauthenticate for a new token.

To do this:

  1. Create the Lambda function. You can check out this GitHub issue for assistance: https://github.com/aws-amplify/amplify-js/issues/2384
  2. In the Amazon Cognito console, choose your user pool.
  3. Choose "Add a Lambda trigger". Keep in mind that you will need to modify IAM credentials to authorize the requests (don't forget to grant yourself the IAM permission in a policy as well).
  4. In the Category section, find Post Authentication and select "Assign Lambda function". More information about Post Authentication can be found here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html
  5. Find the function name and click "Save Changes".

Additional information on this process can be found here: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

Hope this helps!

AWS
Answered 8 months ago
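A backend-side sketch of the inactivity logic the answer describes, added here as an example (it is not code from the answer or from AWS): each authenticated backend request records activity, and a periodic sweep hands idle usernames to a signOut callback, which in a Lambda would wrap AdminUserGlobalSignOut. The in-memory store, the signOut callback and the SDK wiring shown in the trailing comment are assumptions.

```javascript
// Added example (not from the original post): inactivity tracking that runs in
// the backend, so the decision to log a user out never depends on the client.

const INACTIVITY_LIMIT_MS = 2 * 60 * 60 * 1000; // two hours, as in the question

// In-memory stand-in for a persistent store keyed by Cognito username
// (assumption: in a Lambda this would be e.g. a DynamoDB table).
const lastSeen = new Map();

// Call this from every authenticated backend request, after the JWT has been
// verified, so that "activity" means backend traffic and nothing else.
function recordActivity(username, now = Date.now()) {
  lastSeen.set(username, now);
}

// Returns the usernames that have been idle for longer than limitMs.
function findIdleUsers(now = Date.now(), limitMs = INACTIVITY_LIMIT_MS) {
  const idle = [];
  for (const [username, seen] of lastSeen) {
    if (now - seen > limitMs) idle.push(username);
  }
  return idle;
}

// Periodic sweep (e.g. a scheduled Lambda). signOut(username) is expected to
// revoke the user's refresh tokens via AdminUserGlobalSignOut; after it
// succeeds the user is dropped from the store so they are not signed out twice.
async function sweepIdleUsers(signOut, now = Date.now(), limitMs = INACTIVITY_LIMIT_MS) {
  const signedOut = [];
  for (const username of findIdleUsers(now, limitMs)) {
    await signOut(username);
    lastSeen.delete(username);
    signedOut.push(username);
  }
  return signedOut;
}

// How the signOut callback would be wired in a Lambda with AWS SDK v3
// (assumption, shown as a comment so this file runs without the SDK):
// const { CognitoIdentityProviderClient, AdminUserGlobalSignOutCommand } =
//   require("@aws-sdk/client-cognito-identity-provider");
// const cognito = new CognitoIdentityProviderClient({});
// const signOut = (Username) => cognito.send(
//   new AdminUserGlobalSignOutCommand({ UserPoolId: process.env.USER_POOL_ID, Username }));
```

Revoking the refresh token stops the client from obtaining new tokens, but an access or ID token verified offline against the user pool's JWKS still passes signature and expiry checks until it expires, so keep access token validity short for the sign-out to take effect promptly.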
