RevokeToken behavior for multiple logins #218
The Question

This is a general question regarding the documented RevokeToken behavior: "You can revoke a refresh token for a user using the AWS API. When you revoke a refresh token, all access tokens that were previously issued by that refresh token become invalid. The other refresh tokens issued to the user are not affected."

The question is: given the same User Pool and ClientId, would a login from 2 different browsers by the same user (same login credentials) receive the same access and refresh tokens, and would a RevokeTokenAsync() call invalidate both refresh tokens? In other words, would both sessions' refresh tokens become invalid? In the case of JWT tokens, since they are self-contained (as the article states further), would RevokeTokenAsync() have to be coupled with the issuance of a new JWT token that is expired?

Environment
This is a ❓ general question
Hi @IgorPietraszko,

Good morning. Thanks for posting the question. To validate the behavior, the following simple console application using the Amazon.Extensions.CognitoAuthentication package version 2.2.2 could be leveraged (the code is only for demonstration purposes):

```csharp
using System;
using System.Threading.Tasks;
using Amazon.CognitoIdentityProvider;
using Amazon.Extensions.CognitoAuthentication;
using Amazon.Runtime;

namespace CognitoTest
{
    class Program
    {
        // Test pool, app client and user used for this demonstration.
        private static string clientId = "7m3namtfok95oau1l1tqdgt2h8";
        private static string poolId = "us-east-2_HTm99yR1t";
        private static string userName = "testuser2";
        private static string userPassword = "29@Sep@1979";

        static void Main(string[] args)
        {
            TestUserAuth().GetAwaiter().GetResult();
        }

        static async Task TestUserAuth()
        {
            // SRP authentication needs no AWS credentials, only the pool and app client ids,
            // so an anonymous client is enough here.
            var provider = new AmazonCognitoIdentityProviderClient(new AnonymousAWSCredentials(), FallbackRegionFactory.GetRegionEndpoint());
            var userPool = new CognitoUserPool(poolId, clientId, provider);
            var user = new CognitoUser(userName, clientId, userPool, provider);

            AuthFlowResponse authResponse = await user.StartWithSrpAuthAsync(new InitiateSrpAuthRequest()
            {
                Password = userPassword
            }).ConfigureAwait(false);

            // Keep answering challenges until Cognito returns an AuthenticationResult.
            while (authResponse.AuthenticationResult == null)
            {
                if (authResponse.ChallengeName == ChallengeNameType.NEW_PASSWORD_REQUIRED)
                {
                    Console.WriteLine("Enter your desired new password:");
                    string newPassword = Console.ReadLine();
                    authResponse = await user.RespondToNewPasswordRequiredAsync(new RespondToNewPasswordRequiredRequest()
                    {
                        SessionID = authResponse.SessionID,
                        NewPassword = newPassword
                    });
                }
                else if (authResponse.ChallengeName == ChallengeNameType.SMS_MFA)
                {
                    Console.WriteLine("Enter the MFA Code sent to your device:");
                    string mfaCode = Console.ReadLine();
                    // The MFA response must replace authResponse, otherwise the loop never terminates.
                    authResponse = await user.RespondToSmsMfaAuthAsync(new RespondToSmsMfaRequest()
                    {
                        SessionID = authResponse.SessionID,
                        MfaCode = mfaCode
                    }).ConfigureAwait(false);
                }
                else
                {
                    Console.WriteLine("Unrecognized authentication challenge.");
                    break;
                }
            }

            if (authResponse.AuthenticationResult != null)
            {
                Console.WriteLine("User successfully authenticated.");
                Console.WriteLine($"\nAccess Token: {authResponse.AuthenticationResult.AccessToken}\n\nID Token: {authResponse.AuthenticationResult.IdToken}\n\nRefresh Token: {authResponse.AuthenticationResult.RefreshToken}");
            }
            else
            {
                Console.WriteLine("Error in authentication process.");
            }
            Console.ReadLine();
        }
    }
}
```

Publish the program to a folder and run it from 2 terminal/console windows. It returns different sets of Access, ID and Refresh tokens.

[Screenshots of the token output of Instance 1 and Instance 2]
So to answer your question, a login from 2 different browsers by the same user (same login credentials) would receive different sets of these tokens and

If this answers your question, please mark my comment as the accepted answer.

Thanks,
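To see what RevokeToken actually does to two concurrent sessions, here is an added example in C# (not code from the original discussion, the AWS SDK maintainers or the questioner) that logs the same user in twice with the same pool and app client, revokes only the first session's refresh token, and then checks each session's access token against Cognito's GetUser call. It assumes the pool id, app client id, user name and password are supplied through the environment variables named in the code, that the user has no pending challenges (no MFA, no forced password change), and that token revocation is enabled on the app client.

```csharp
// Added example, not part of the original discussion: two logins, one RevokeToken,
// then a server-side check of both access tokens.
using System;
using System.Threading.Tasks;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;
using Amazon.Extensions.CognitoAuthentication;
using Amazon.Runtime;

namespace CognitoRevokeDemo
{
    class Program
    {
        // Assumed configuration: read from the environment instead of hard-coding secrets.
        static readonly string PoolId = Environment.GetEnvironmentVariable("COGNITO_POOL_ID");
        static readonly string ClientId = Environment.GetEnvironmentVariable("COGNITO_CLIENT_ID");
        static readonly string UserName = Environment.GetEnvironmentVariable("COGNITO_USER");
        static readonly string Password = Environment.GetEnvironmentVariable("COGNITO_PASSWORD");

        static async Task Main()
        {
            // SRP login and RevokeToken/GetUser are unauthenticated calls: no IAM credentials needed.
            var provider = new AmazonCognitoIdentityProviderClient(new AnonymousAWSCredentials(), FallbackRegionFactory.GetRegionEndpoint());
            var pool = new CognitoUserPool(PoolId, ClientId, provider);

            // Two independent logins stand in for two browsers. Each gets its own token set.
            AuthenticationResultType session1 = await LoginAsync(pool, provider);
            AuthenticationResultType session2 = await LoginAsync(pool, provider);
            Console.WriteLine($"Refresh tokens differ: {session1.RefreshToken != session2.RefreshToken}");

            Console.WriteLine($"Session 1 accepted before revoke: {await IsAccessTokenAcceptedAsync(provider, session1.AccessToken)}");
            Console.WriteLine($"Session 2 accepted before revoke: {await IsAccessTokenAcceptedAsync(provider, session2.AccessToken)}");

            // Revoke only session 1's refresh token. Cognito then rejects the access and ID
            // tokens issued from that refresh token; session 2 is untouched.
            await provider.RevokeTokenAsync(new RevokeTokenRequest
            {
                ClientId = ClientId,
                Token = session1.RefreshToken
            });

            Console.WriteLine($"Session 1 accepted after revoke: {await IsAccessTokenAcceptedAsync(provider, session1.AccessToken)}");
            Console.WriteLine($"Session 2 accepted after revoke: {await IsAccessTokenAcceptedAsync(provider, session2.AccessToken)}");
        }

        // One SRP login; assumes the user has no pending challenge (no MFA, no NEW_PASSWORD_REQUIRED).
        static async Task<AuthenticationResultType> LoginAsync(CognitoUserPool pool, IAmazonCognitoIdentityProvider provider)
        {
            var user = new CognitoUser(UserName, ClientId, pool, provider);
            AuthFlowResponse response = await user.StartWithSrpAuthAsync(new InitiateSrpAuthRequest
            {
                Password = Password
            }).ConfigureAwait(false);

            if (response.AuthenticationResult == null)
            {
                throw new InvalidOperationException($"Unhandled challenge: {response.ChallengeName}");
            }
            return response.AuthenticationResult;
        }

        // Revocation is enforced by Cognito, not by the JWT itself: GetUser with a revoked
        // access token throws NotAuthorizedException even though the signature and exp are still valid.
        static async Task<bool> IsAccessTokenAcceptedAsync(IAmazonCognitoIdentityProvider provider, string accessToken)
        {
            try
            {
                await provider.GetUserAsync(new GetUserRequest { AccessToken = accessToken });
                return true;
            }
            catch (NotAuthorizedException)
            {
                return false;
            }
        }
    }
}
```

Expected on a pool with token revocation enabled: both sessions are accepted before the RevokeToken call, and afterwards only session 2 is. The point for the second half of the question is that nothing has to be "coupled" with an expired JWT: the revoked session's access token is unchanged and still passes a purely local signature-and-expiry check against the pool's JWKS until its exp, so any resource server that must honor revocation immediately has to ask Cognito (for example via GetUser, as above) or keep its own denylist of the revoked tokens' origin_jti claim rather than trust local validation alone.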
Hello! Reopening this discussion to make it searchable.