aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Removing a user from a group does not remove their access until they logout #5700

Closed cjsedwards closed 4 years ago

cjsedwards commented 4 years ago

Describe the bug

When using dynamic group authorization, if a user is removed from a cognito group, they still have full access until they log out and log back in.

To Reproduce

Steps to reproduce the behavior:

  1. Create an "Admin" user group in cognito
  2. Add a type with this attribute: @auth(rules: [{allow: groups, groups: ["Admin"], provider: userPools}])
  3. Add a user to the "Admin" group
  4. Login as that user
  5. Remove the user from the Admin group
  6. Try to access a resource that only Admin should have access to

Expected behavior

The operations should not be successful, because the user is not a member of the Admin group

jordanranz commented 4 years ago

Related to: https://github.com/aws-amplify/amplify-js/issues/3730#issuecomment-552528063

cjsedwards commented 4 years ago

Digging into this more, I think this may actually be a bug in AppSync rather than Amplify. The way Amplify is performing these dynamic group authorizations is it generates AppSync resolvers that build a custom condition using the contents of:

$ctx.identity.claims.get("cognito:groups")

If the contents of this are not reliable, then Amplify's resolver won't stand a chance.

cjsedwards commented 4 years ago

@jordanranz If this is the case, would this need to be submitted directly to the AppSync team?

ericclemmons commented 4 years ago

The comment in https://github.com/aws-amplify/amplify-js/issues/3730#issuecomment-552584373 seems most applicable, namely that tokens are considered valid until they expire, since the allowed groups are stored in the tokens themselves.

This is more related to how JWTs are compared at runtime vs. stateful, session-based services.

Mitigation depends on the security profile of the app & situation:

So if the JWT has information that hasn't been refreshed yet the client could still have access until the token expires. This is why you would need some sort of push mechanism based on a trigger event in the backend to force the client to refresh its token. This is totally up to what you think your security posture needs to be as most of the time for systems it's fine to let the token expire and refresh in an acceptable time period.

What level of mitigation best fits your situation?
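The two comments above (how the resolver reads `$ctx.identity.claims.get("cognito:groups")`, and why a JWT stays valid until it expires) can be made concrete with a small added example. This is illustration code written for this thread, not Amplify, AppSync or Cognito code: the token is constructed in-line with a placeholder signature (a real deployment verifies the signature against the user pool's JWKS before any claim is trusted), the timestamps and the user id `user-123` are made up, and the `groupsChangedAt` map in `isAllowedWithRevocation` is an assumed server-side store, shown only to demonstrate the kind of server-side check that would close the gap rather than relying on the client to refresh.

```javascript
// Added example, not part of Amplify/AppSync. Demonstrates why removing a
// user from a Cognito group takes effect only when the token expires: the
// "cognito:groups" claim is fixed at issuance, and a claims-based resolver
// sees the group list as it was when the token was minted.

// base64url helpers (implemented by hand so this runs on any Node version)
function toB64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}
function fromB64url(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64')
    .toString('utf8');
}

// Constructed sample token. The signature is a placeholder: signature
// verification is assumed to have happened upstream, as AppSync does
// against the user pool's JWKS, so only the claims are inspected here.
function makeToken(claims) {
  const header = { alg: 'RS256', kid: 'example-kid' };
  return `${toB64url(header)}.${toB64url(claims)}.placeholder-signature`;
}

function decodeClaims(token) {
  return JSON.parse(fromB64url(token.split('.')[1]));
}

// Mirrors the resolver's condition: allow if the token is unexpired and its
// "cognito:groups" claim intersects the @auth rule's group list.
function isAllowedByClaims(token, allowedGroups, now) {
  const claims = decodeClaims(token);
  if (typeof claims.exp !== 'number' || now >= claims.exp) return false;
  const groups = claims['cognito:groups'] || [];
  return groups.some((g) => allowedGroups.includes(g));
}

// Assumed server-side mitigation (not an Amplify feature): record when a
// user's group membership last changed and reject tokens issued before it.
function isAllowedWithRevocation(token, allowedGroups, now, groupsChangedAt) {
  const claims = decodeClaims(token);
  const changedAt = groupsChangedAt.get(claims.sub);
  if (changedAt !== undefined && claims.iat < changedAt) return false;
  return isAllowedByClaims(token, allowedGroups, now);
}

// Walks through the reproduction steps from the issue with made-up times.
function scenario() {
  const issuedAt = 1000000; // constructed epoch seconds
  const token = makeToken({
    sub: 'user-123',
    iat: issuedAt,
    exp: issuedAt + 3600, // one-hour validity, Cognito's default
    'cognito:groups': ['Admin'],
  });
  const allowed = ['Admin'];
  const removedAt = issuedAt + 600; // step 5: removed from Admin 10 min later
  const groupsChangedAt = new Map([['user-123', removedAt]]);

  return {
    beforeRemoval: isAllowedByClaims(token, allowed, issuedAt + 60),
    // step 6: the stale token still satisfies a claims-only check
    afterRemovalClaimsOnly: isAllowedByClaims(token, allowed, removedAt + 60),
    // the gap closes on its own only once exp passes
    afterExpiry: isAllowedByClaims(token, allowed, issuedAt + 3601),
    // the server-side timestamp check closes it immediately
    afterRemovalWithRevocation: isAllowedWithRevocation(
      token, allowed, removedAt + 60, groupsChangedAt),
  };
}

console.log(scenario());
```

The `afterRemovalClaimsOnly` result is the bug as reported: nothing in the token changed, so nothing the resolver evaluates changed. The revocation variant shows the trade-off behind the "security profile" question: it requires a lookup on every request (giving up the stateless property that makes JWT checks cheap) in exchange for membership changes taking effect immediately.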

cjsedwards commented 4 years ago

In order for this to be effective server-side authentication, forcing a refresh in the client isn't a workable solution, as this would be a fairly big security hole.

ericclemmons commented 4 years ago

Just checked with the Cognito team and we're tracking this in a related issue:

https://github.com/aws-amplify/amplify-js/issues/3435#issuecomment-597851340

Closing so we can track the progress there. Be sure to subscribe for updates!

github-actions[bot] commented 3 years ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.