Cannot sign out the user from AWS Cognito












1















I have set up an API Gateway authenticated using AWS Cognito. Once the user signs in, I use the following script to verify their credentials:



const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();

const params = {

    AuthFlow: 'ADMIN_NO_SRP_AUTH',

    ClientId: APP_CLIENT_ID,

    UserPoolId: USER_POOL_ID,

    AuthParameters: {

        'USERNAME': username,

        'PASSWORD': password,

    },

};

return cognitoidentityserviceprovider.adminInitiateAuth(params)

    .promise();


And this will return a JSON like so:



{

    "ChallengeParameters": {},

    "AuthenticationResult": {

        "AccessToken": "....",

        "ExpiresIn": 3600,

        "TokenType": "Bearer",

        "RefreshToken": "....",

        "IdToken": "...."

    }

}


On the client side, I will take note of the IdToken and include it as a header with a name mentioned in the API Gateway's Authorizer.



Now, I'm trying to create a lambda function to sign the user out. So far, I've got this:



const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();



const params = {

    UserPoolId: USER_POOL_ID,

    Username: username,

};

return cognitoidentityserviceprovider.adminUserGlobalSignOut(params)

    .promise();


When I send a request to call this code, even though everything works just fine (no error is thrown), but the IdToken is still valid and I can still call authenticated requests with it. My question is, what is the proper way of signing out a user and why this is not working?






amazon-web-services amazon-cognito







share|improve this question





























    1















    I have set up an API Gateway authenticated using AWS Cognito. Once the user signs in, I use the following script to verify their credentials:



    const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
    
const params = {
    
    AuthFlow: 'ADMIN_NO_SRP_AUTH',
    
    ClientId: APP_CLIENT_ID,
    
    UserPoolId: USER_POOL_ID,
    
    AuthParameters: {
    
        'USERNAME': username,
    
        'PASSWORD': password,
    
    },
    
};
    
return cognitoidentityserviceprovider.adminInitiateAuth(params)
    
    .promise();


    And this will return a JSON like so:



    {
    
    "ChallengeParameters": {},
    
    "AuthenticationResult": {
    
        "AccessToken": "....",
    
        "ExpiresIn": 3600,
    
        "TokenType": "Bearer",
    
        "RefreshToken": "....",
    
        "IdToken": "...."
    
    }
    
}


    On the client side, I will take note of the IdToken and include it as a header with a name mentioned in the API Gateway's Authorizer.



    Now, I'm trying to create a lambda function to sign the user out. So far, I've got this:



    const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
    

    
const params = {
    
    UserPoolId: USER_POOL_ID,
    
    Username: username,
    
};
    
return cognitoidentityserviceprovider.adminUserGlobalSignOut(params)
    
    .promise();


    When I send a request to call this code, even though everything works just fine (no error is thrown), but the IdToken is still valid and I can still call authenticated requests with it. My question is, what is the proper way of signing out a user and why this is not working?






    amazon-web-services amazon-cognito







    share|improve this question



























      1












      1








      1








      I have set up an API Gateway authenticated using AWS Cognito. Once the user signs in, I use the following script to verify their credentials:



      const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
      
const params = {
      
    AuthFlow: 'ADMIN_NO_SRP_AUTH',
      
    ClientId: APP_CLIENT_ID,
      
    UserPoolId: USER_POOL_ID,
      
    AuthParameters: {
      
        'USERNAME': username,
      
        'PASSWORD': password,
      
    },
      
};
      
return cognitoidentityserviceprovider.adminInitiateAuth(params)
      
    .promise();


      And this will return a JSON like so:



      {
      
    "ChallengeParameters": {},
      
    "AuthenticationResult": {
      
        "AccessToken": "....",
      
        "ExpiresIn": 3600,
      
        "TokenType": "Bearer",
      
        "RefreshToken": "....",
      
        "IdToken": "...."
      
    }
      
}


      On the client side, I will take note of the IdToken and include it as a header with a name mentioned in the API Gateway's Authorizer.



      Now, I'm trying to create a lambda function to sign the user out. So far, I've got this:



      const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
      

      
const params = {
      
    UserPoolId: USER_POOL_ID,
      
    Username: username,
      
};
      
return cognitoidentityserviceprovider.adminUserGlobalSignOut(params)
      
    .promise();


      When I send a request to call this code, even though everything works just fine (no error is thrown), but the IdToken is still valid and I can still call authenticated requests with it. My question is, what is the proper way of signing out a user and why this is not working?






      amazon-web-services amazon-cognito







      share|improve this question
















      I have set up an API Gateway authenticated using AWS Cognito. Once the user signs in, I use the following script to verify their credentials:



      const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
      
const params = {
      
    AuthFlow: 'ADMIN_NO_SRP_AUTH',
      
    ClientId: APP_CLIENT_ID,
      
    UserPoolId: USER_POOL_ID,
      
    AuthParameters: {
      
        'USERNAME': username,
      
        'PASSWORD': password,
      
    },
      
};
      
return cognitoidentityserviceprovider.adminInitiateAuth(params)
      
    .promise();


      And this will return a JSON like so:



      {
      
    "ChallengeParameters": {},
      
    "AuthenticationResult": {
      
        "AccessToken": "....",
      
        "ExpiresIn": 3600,
      
        "TokenType": "Bearer",
      
        "RefreshToken": "....",
      
        "IdToken": "...."
      
    }
      
}


      On the client side, I will take note of the IdToken and include it as a header with a name mentioned in the API Gateway's Authorizer.



      Now, I'm trying to create a lambda function to sign the user out. So far, I've got this:



      const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
      

      
const params = {
      
    UserPoolId: USER_POOL_ID,
      
    Username: username,
      
};
      
return cognitoidentityserviceprovider.adminUserGlobalSignOut(params)
      
    .promise();


      When I send a request to call this code, even though everything works just fine (no error is thrown), but the IdToken is still valid and I can still call authenticated requests with it. My question is, what is the proper way of signing out a user and why this is not working?






      amazon-web-services amazon-cognito




      amazon-web-services amazon-cognito






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 21 '18 at 15:28







      Mehran

















      asked Nov 21 '18 at 15:13









      MehranMehran

      3,960747112




      3,960747112
























          1 Answer
          1






          active

          oldest

          votes


















          1














          You are right. This is the current behavior of Amazon Cognito Tokens. If you do global signout than your accessToken and RefreshToken will be expired.




          But your IdToken will be still valid till 1 hour.




          If you call the Global SignOut again, Than you will see the message that access token is expired



          I hope this helps!






          share|improve this answer
























          • Thanks for the answer. I just called the Global SignOut twice (even more) but it did not help. BTW, the API call does not return anything, just an empty object (both times).

            – Mehran
            Nov 22 '18 at 14:14











          • Strange! I tried running global signout command from cli and it is clearly saying that access token is revoked or expired Have you checked using SDK or AWS CLI?

            – Jayesh Dhandha
            Nov 23 '18 at 5:52











          • As mentioned in the question, I used lambda functions implemented in NodeJs. To be honest, I don't care about AWS CLI at this point.

            – Mehran
            Nov 23 '18 at 12:11











          • Than you are supposed to be not invoking global sign out properly. Because at the end your SDK should behave and respond same as actual AWS Cli is behaving.

            – Jayesh Dhandha
            Nov 23 '18 at 12:13













          • I'm not rejecting the possibility that I might be doing something wrong. But at the same time, I have provided my exact code here. Please let me know what I'm doing wrong. Thanks.

            – Mehran
            Nov 23 '18 at 12:21











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53415086%2fcannot-sign-out-the-user-from-aws-cognito%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          You are right. This is the current behavior of Amazon Cognito Tokens. If you do global signout than your accessToken and RefreshToken will be expired.




          But your IdToken will be still valid till 1 hour.




          If you call the Global SignOut again, Than you will see the message that access token is expired



          I hope this helps!






          share|improve this answer
























          • Thanks for the answer. I just called the Global SignOut twice (even more) but it did not help. BTW, the API call does not return anything, just an empty object (both times).

            – Mehran
            Nov 22 '18 at 14:14











          • Strange! I tried running global signout command from cli and it is clearly saying that access token is revoked or expired Have you checked using SDK or AWS CLI?

            – Jayesh Dhandha
            Nov 23 '18 at 5:52











          • As mentioned in the question, I used lambda functions implemented in NodeJs. To be honest, I don't care about AWS CLI at this point.

            – Mehran
            Nov 23 '18 at 12:11











          • Than you are supposed to be not invoking global sign out properly. Because at the end your SDK should behave and respond same as actual AWS Cli is behaving.

            – Jayesh Dhandha
            Nov 23 '18 at 12:13













          • I'm not rejecting the possibility that I might be doing something wrong. But at the same time, I have provided my exact code here. Please let me know what I'm doing wrong. Thanks.

            – Mehran
            Nov 23 '18 at 12:21
















          1














          You are right. This is the current behavior of Amazon Cognito Tokens. If you do global signout than your accessToken and RefreshToken will be expired.




          But your IdToken will be still valid till 1 hour.




          If you call the Global SignOut again, Than you will see the message that access token is expired



          I hope this helps!






          share|improve this answer
























          • Thanks for the answer. I just called the Global SignOut twice (even more) but it did not help. BTW, the API call does not return anything, just an empty object (both times).

            – Mehran
            Nov 22 '18 at 14:14











          • Strange! I tried running global signout command from cli and it is clearly saying that access token is revoked or expired Have you checked using SDK or AWS CLI?

            – Jayesh Dhandha
            Nov 23 '18 at 5:52











          • As mentioned in the question, I used lambda functions implemented in NodeJs. To be honest, I don't care about AWS CLI at this point.

            – Mehran
            Nov 23 '18 at 12:11











          • Than you are supposed to be not invoking global sign out properly. Because at the end your SDK should behave and respond same as actual AWS Cli is behaving.

            – Jayesh Dhandha
            Nov 23 '18 at 12:13













          • I'm not rejecting the possibility that I might be doing something wrong. But at the same time, I have provided my exact code here. Please let me know what I'm doing wrong. Thanks.

            – Mehran
            Nov 23 '18 at 12:21














          1












          1








          1







          You are right. This is the current behavior of Amazon Cognito Tokens. If you do global signout than your accessToken and RefreshToken will be expired.




          But your IdToken will be still valid till 1 hour.




          If you call the Global SignOut again, Than you will see the message that access token is expired



          I hope this helps!






          share|improve this answer













          You are right. This is the current behavior of Amazon Cognito Tokens. If you do global signout than your accessToken and RefreshToken will be expired.




          But your IdToken will be still valid till 1 hour.




          If you call the Global SignOut again, Than you will see the message that access token is expired



          I hope this helps!







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 22 '18 at 9:31









          Jayesh DhandhaJayesh Dhandha

          610617




          610617













          • Thanks for the answer. I just called the Global SignOut twice (even more) but it did not help. BTW, the API call does not return anything, just an empty object (both times).

            – Mehran
            Nov 22 '18 at 14:14











          • Strange! I tried running global signout command from cli and it is clearly saying that access token is revoked or expired Have you checked using SDK or AWS CLI?

            – Jayesh Dhandha
            Nov 23 '18 at 5:52











          • As mentioned in the question, I used lambda functions implemented in NodeJs. To be honest, I don't care about AWS CLI at this point.

            – Mehran
            Nov 23 '18 at 12:11











          • Than you are supposed to be not invoking global sign out properly. Because at the end your SDK should behave and respond same as actual AWS Cli is behaving.

            – Jayesh Dhandha
            Nov 23 '18 at 12:13













          • I'm not rejecting the possibility that I might be doing something wrong. But at the same time, I have provided my exact code here. Please let me know what I'm doing wrong. Thanks.

            – Mehran
            Nov 23 '18 at 12:21



















          • Thanks for the answer. I just called the Global SignOut twice (even more) but it did not help. BTW, the API call does not return anything, just an empty object (both times).

            – Mehran
            Nov 22 '18 at 14:14











          • Strange! I tried running global signout command from cli and it is clearly saying that access token is revoked or expired Have you checked using SDK or AWS CLI?

            – Jayesh Dhandha
            Nov 23 '18 at 5:52











          • As mentioned in the question, I used lambda functions implemented in NodeJs. To be honest, I don't care about AWS CLI at this point.

            – Mehran
            Nov 23 '18 at 12:11











          • Than you are supposed to be not invoking global sign out properly. Because at the end your SDK should behave and respond same as actual AWS Cli is behaving.

            – Jayesh Dhandha
            Nov 23 '18 at 12:13













          • I'm not rejecting the possibility that I might be doing something wrong. But at the same time, I have provided my exact code here. Please let me know what I'm doing wrong. Thanks.

            – Mehran
            Nov 23 '18 at 12:21

















          Thanks for the answer. I just called the Global SignOut twice (even more) but it did not help. BTW, the API call does not return anything, just an empty object (both times).

          – Mehran
          Nov 22 '18 at 14:14





          Thanks for the answer. I just called the Global SignOut twice (even more) but it did not help. BTW, the API call does not return anything, just an empty object (both times).

          – Mehran
          Nov 22 '18 at 14:14













          Strange! I tried running global signout command from cli and it is clearly saying that access token is revoked or expired Have you checked using SDK or AWS CLI?

          – Jayesh Dhandha
          Nov 23 '18 at 5:52





          Strange! I tried running global signout command from cli and it is clearly saying that access token is revoked or expired Have you checked using SDK or AWS CLI?

          – Jayesh Dhandha
          Nov 23 '18 at 5:52













          As mentioned in the question, I used lambda functions implemented in NodeJs. To be honest, I don't care about AWS CLI at this point.

          – Mehran
          Nov 23 '18 at 12:11





          As mentioned in the question, I used lambda functions implemented in NodeJs. To be honest, I don't care about AWS CLI at this point.

          – Mehran
          Nov 23 '18 at 12:11













          Than you are supposed to be not invoking global sign out properly. Because at the end your SDK should behave and respond same as actual AWS Cli is behaving.

          – Jayesh Dhandha
          Nov 23 '18 at 12:13







          Than you are supposed to be not invoking global sign out properly. Because at the end your SDK should behave and respond same as actual AWS Cli is behaving.

          – Jayesh Dhandha
          Nov 23 '18 at 12:13















          I'm not rejecting the possibility that I might be doing something wrong. But at the same time, I have provided my exact code here. Please let me know what I'm doing wrong. Thanks.

          – Mehran
          Nov 23 '18 at 12:21





          I'm not rejecting the possibility that I might be doing something wrong. But at the same time, I have provided my exact code here. Please let me know what I'm doing wrong. Thanks.

          – Mehran
          Nov 23 '18 at 12:21




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53415086%2fcannot-sign-out-the-user-from-aws-cognito%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Can a sorcerer learn a 5th-level spell early by creating spell slots using the Font of Magic feature?

          Image
          28 6 $begingroup$ Per the Font of Magic feature, sorcerer can use Flexible Casting to create 5th-level spell slots at level 7, even though they are not typically available until level 9. You can transform unexpended sorcery points into one spell slot as a bonus action on your turn. The Creating Spell Slots table shows the cost of creating a spell slot of [5th level is 7] If such a sorcerer levels up while still having this 5th-level spell slot, can they choose a 5th-level spell as the spell they gain upon levelling up? The Spellcasting feature states: Additionally, when you gain a level in this class, you can choose one of the sorcerer spells you know and replace it with another spell from the sorcerer spell list, which also must be of a level for which you have spell slots.
          Read more

          ts Property 'filter' does not exist on type '{}'

          Image
          1 I'm trying to follow Angular Material guide to create a custom filter for autocomplete input text https://material.angular.io/components/autocomplete/overview This is what I have TS import { Component, OnInit } from '@angular/core'; import { TemplateRef } from '@angular/core'; import { FormControl } from "@angular/forms"; import { Observable } from "rxjs"; import { map, startWith, filter } from 'rxjs/operators'; (...) export class AppComponent implements OnInit { title = 'Your Profile'; displayedColumns: string = ['selected', 'name', 'description', 'pnr']; dataSource = ELEMENT_DATA; myControl = new FormControl(); options: any = ['One', 'Two', 'Three']; filteredOptions:
          Read more

          mat-slide-toggle shouldn't change it's state when I click cancel in confirmation window

          Image
          1 When I checked the slide toggle it should work as expected. But when I try to uncheck it there is a confirmation window asking if you are sure. When I click cancel in that confirmation window, still the toggle changes to unchecked, which shouldn't happen. It should stay in the same state. Here is my Html and TS Code // html <mat-slide-toggle (change)="change($event)" [checked]="isChecked()" > To-pay </mat-slide-toggle> TS code: // ts change(e) { if(this.checked) { if(confirm("Are you sure")) { console.log("toggle") } else { e.stopPropagation(); console.log("toggle should not change if I click the cancel button") }
          Read more