API gateway accepting revoked access tokens from header

0

I have a Lambda being invoked by API Gateway. The endpoint is protected with a Cognito access token. The issue is, I have noticed that even a revoked access token is being accepted by the endpoint, which shouldn't be the case. How can I overcome this situation?

2 answers
1

API Gateway allows access based on the information contained in the token. If you revoke the token in Cognito but the expiry of the token is still in the future then access will still be allowed by API Gateway - for performance it doesn't check with Cognito to see if every token is revoked; it's relying on the information that has been passed with the token.

One way to solve this is to use very short-lived tokens that are refreshed by the client application on a regular basis. That way revoked tokens are not valid for very long.

Another way would be to use a Lambda authorizer, which could check to see if each token passed to API Gateway has been revoked or not. It could do this by checking with Cognito, or some other data source such as a DynamoDB table. However, this adds delay and cost to each API call.

AWS Expert
Answered 10 months ago
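As an added example (not code from this thread or from AWS), the following Python Lambda authorizer shows the second approach from the answer above: it reads the token's claims, rejects anything expired or not an access token, then asks a revocation source before returning an Allow/Deny policy to API Gateway. The denylist set, the `make_test_token` helper and all claim values are constructed for an offline run; the `cognito_is_revoked` path assumes the user pool has token revocation enabled, so that a revoked access token makes the cognito-idp `GetUser` call fail with `NotAuthorizedException` (that call also validates the token server-side, which the claim-only path does not).

```python
"""Lambda authorizer that denies revoked Cognito access tokens.

Added example, not from the original post.  Assumptions:
- TOKEN-style authorizer event: event["authorizationToken"], event["methodArn"]
- the user pool has token revocation enabled, so GetUser rejects revoked tokens
- the DynamoDB denylist mentioned in the answer is stood in for by a set
"""
import base64
import json
import time

# Constructed denylist of token ids (jti claim).  In production this would be
# a DynamoDB table written by whatever performs the revocation.
REVOKED_JTIS = {"11111111-2222-3333-4444-555555555555"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Acceptable only because access is decided by the revocation source
    (Cognito GetUser or the denylist) and never by the claims alone.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def denylist_is_revoked(token: str, claims: dict) -> bool:
    """Revocation check against the constructed jti denylist."""
    return claims.get("jti") in REVOKED_JTIS


def cognito_is_revoked(token: str, claims: dict) -> bool:
    """Revocation check that asks Cognito itself (needs boto3 and AWS creds).

    GetUser is authenticated with the access token; a revoked or otherwise
    invalid token is rejected with NotAuthorizedException.
    """
    import boto3  # imported lazily so the module loads without the AWS SDK
    client = boto3.client("cognito-idp")
    try:
        client.get_user(AccessToken=token)
        return False
    except client.exceptions.NotAuthorizedException:
        return True


def build_policy(principal: str, effect: str, method_arn: str) -> dict:
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {
        "principalId": principal,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
    }


def authorize(event: dict, is_revoked=denylist_is_revoked, now=None) -> dict:
    """Deny unless the token parses, is a current access token, and is not revoked."""
    now = time.time() if now is None else now
    method_arn = event.get("methodArn", "*")
    auth = event.get("authorizationToken", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else auth
    try:
        claims = decode_claims(token)
    except ValueError:  # bad base64, bad JSON or not three segments
        return build_policy("anonymous", "Deny", method_arn)
    principal = claims.get("sub", "anonymous")
    if claims.get("token_use") != "access":  # ID tokens must not reach the API
        return build_policy(principal, "Deny", method_arn)
    if claims.get("exp", 0) <= now:
        return build_policy(principal, "Deny", method_arn)
    if is_revoked(token, claims):
        return build_policy(principal, "Deny", method_arn)
    return build_policy(principal, "Allow", method_arn)


def lambda_handler(event, context):
    """Deployed entry point: consult Cognito, which also validates the token."""
    return authorize(event, is_revoked=cognito_is_revoked)


def make_test_token(claims: dict) -> str:
    """Constructed, UNSIGNED token for exercising the authorizer offline only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

If the authorizer's result cache is enabled on the API Gateway side, a revocation only takes effect once the cached Allow for that token expires, so the cache TTL should be no longer than the delay you are willing to accept; setting it to zero makes every call pay the lookup cost the answer warns about.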
0

Do you have caching enabled for the token? This page talks about how to enable it. You should check if you have it enabled and look at the TTL.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-caching-tokens.html

AWS Expert iBehr
Answered 10 months ago
