Cannot sign out the user from AWS Cognito












I have set up an API Gateway authenticated using AWS Cognito. Once the user signs in, I use the following script to verify their credentials:



    // AWS SDK for JavaScript v2
    const AWS = require('aws-sdk');

    const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
    const params = {
      AuthFlow: 'ADMIN_NO_SRP_AUTH',
      ClientId: APP_CLIENT_ID,
      UserPoolId: USER_POOL_ID,
      AuthParameters: {
        'USERNAME': username,
        'PASSWORD': password,
      },
    };
    // Runs inside the handler function, hence the bare return.
    return cognitoidentityserviceprovider.adminInitiateAuth(params)
      .promise();


And this will return a JSON like so:



    {
      "ChallengeParameters": {},
      "AuthenticationResult": {
        "AccessToken": "....",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "....",
        "IdToken": "...."
      }
    }


On the client side, I will take note of the IdToken and include it as a header with a name mentioned in the API Gateway's Authorizer.



Now, I'm trying to create a lambda function to sign the user out. So far, I've got this:



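    // AWS SDK for JavaScript v2
    const AWS = require('aws-sdk');

    const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();

    const params = {
      UserPoolId: USER_POOL_ID,
      Username: username,
    };
    // Runs inside the sign-out Lambda handler, hence the bare return.
    return cognitoidentityserviceprovider.adminUserGlobalSignOut(params)
      .promise();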


When I send a request to call this code, even though everything works just fine (no error is thrown), the IdToken is still valid and I can still call authenticated requests with it. My question is: what is the proper way of signing out a user, and why is this not working?










Tags: amazon-web-services amazon-cognito

asked Nov 21 '18 at 15:13 by Mehran
edited Nov 21 '18 at 15:28 by Mehran
























          1 Answer
You are right. This is the current behavior of Amazon Cognito tokens. If you do a global sign-out, then your accessToken and RefreshToken will be expired.

But your IdToken will still be valid for 1 hour.

If you call the Global SignOut again, then you will see the message that the access token is expired.

I hope this helps!

















answered Nov 22 '18 at 9:31 by Jayesh Dhandha













          • Thanks for the answer. I just called the Global SignOut twice (even more) but it did not help. BTW, the API call does not return anything, just an empty object (both times).

            – Mehran
            Nov 22 '18 at 14:14











          • Strange! I tried running the global signout command from the CLI and it is clearly saying that the access token is revoked or expired. Have you checked using the SDK or the AWS CLI?

            – Jayesh Dhandha
            Nov 23 '18 at 5:52











          • As mentioned in the question, I used lambda functions implemented in NodeJs. To be honest, I don't care about AWS CLI at this point.

            – Mehran
            Nov 23 '18 at 12:11











          • Then you are supposedly not invoking global sign out properly. Because in the end your SDK should behave and respond the same as the actual AWS CLI behaves.

            – Jayesh Dhandha
            Nov 23 '18 at 12:13













          • I'm not rejecting the possibility that I might be doing something wrong. But at the same time, I have provided my exact code here. Please let me know what I'm doing wrong. Thanks.

            – Mehran
            Nov 23 '18 at 12:21
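
An added example (not part of the original thread) of one way a custom authorizer can refuse ID tokens after a global sign-out: it checks the RS256 signature and `exp` as a stateless verifier would, then rejects any token whose `auth_time` is not later than the user's recorded sign-out time. The key pair, the `signOutWatermarks` store, the sample claims and all function names are constructed for illustration; a deployment would verify against the user pool's published signing keys and keep the timestamps in a shared store.

```javascript
// Added example: sign-out-aware ID token check for a custom authorizer.
const nodeCrypto = require('crypto');

// Constructed key pair standing in for the user pool's token-signing key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (s) => {
  const v = JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
  if (v === null || typeof v !== 'object') throw new Error('not a JSON object');
  return v;
};

// Helper for the demo: mint a constructed RS256 token shaped like an ID token.
function mintIdToken(claims) {
  const signingInput = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Hypothetical store: user `sub` -> epoch seconds of the last global sign-out.
// The sign-out Lambda would write it right after adminUserGlobalSignOut succeeds.
const signOutWatermarks = new Map();
function recordGlobalSignOut(sub, nowSec) {
  signOutWatermarks.set(sub, nowSec);
}

// Returns { allow, reason }. Signature and expiry are all a stateless verifier
// checks; the watermark comparison is the added sign-out enforcement.
function authorize(token, nowSec) {
  const deny = (reason) => ({ allow: false, reason });
  const parts = token.split('.');
  if (parts.length !== 3) return deny('malformed');
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = fromB64url(h);
    claims = fromB64url(p);
  } catch (err) {
    return deny('malformed');
  }
  if (header.alg !== 'RS256') return deny('bad-alg'); // pin the algorithm
  const sigOk = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, 'base64url'));
  if (!sigOk) return deny('bad-signature');
  if (claims.token_use !== 'id') return deny('wrong-token-use');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return deny('expired');
  // Tokens from a login at or before the sign-out are refused even though
  // they are unexpired; a missing auth_time fails the comparison too.
  const watermark = signOutWatermarks.get(claims.sub);
  if (watermark !== undefined && !(claims.auth_time > watermark)) return deny('signed-out');
  return { allow: true, reason: 'ok' };
}

// Constructed timeline: token issued, user signed out, user logs in again.
function demo() {
  signOutWatermarks.clear();
  const t0 = 1700000000;
  const claims = { sub: 'user-1234', token_use: 'id', auth_time: t0, iat: t0, exp: t0 + 3600 };
  const oldToken = mintIdToken(claims);
  const before = authorize(oldToken, t0 + 60).reason;
  recordGlobalSignOut('user-1234', t0 + 120);
  const after = authorize(oldToken, t0 + 180).reason;
  const newToken = mintIdToken({ ...claims, auth_time: t0 + 300, iat: t0 + 300, exp: t0 + 3900 });
  const fresh = authorize(newToken, t0 + 360).reason;
  return { before, after, fresh };
}

console.log(demo()); // run the constructed timeline
```

Without the watermark check, the old token in this timeline would pass every other test until its `exp`, which is the behaviour reported in the question.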


















