aws / aws-appsync-community

The AWS AppSync community
https://aws.amazon.com/appsync
Apache License 2.0

Revoked Cognito access token still works #298

Closed sashee closed 8 months ago

sashee commented 1 year ago

AppSync apparently does not check whether an access token is revoked or not.

Reproduction:

onlybakam commented 9 months ago

I believe this is a known behavior because JWTs are self-contained: https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html

JWT tokens are self-contained with a signature and expiration time that was assigned when the token was created. Revoked tokens can't be used with any Amazon Cognito API calls that require a token. However, revoked tokens will still be valid if they are verified using any JWT library that verifies the signature and expiration of the token.

sashee commented 9 months ago

Cognito provides the userinfo endpoint that can be used to see if the token is revoked: https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html

I think the general view of JWTs is that they are valid until expiration and there is no additional check for revocation. On the other hand, it would be nice if a Cognito token is not valid anymore then it's not usable with AWS services anymore.

onlybakam commented 9 months ago

Hey @sashee , I'm going to close the issue, since there is no actionable item for us to take at this point.

I do want to share some general points on Cognito from SMEs:

  1. JWT tokens by definition are self-contained with signature and validity and are considered valid until they expire. Consumers of the token usually verify the token signature, which is the recommended way of verifying tokens.
  2. If a token is being used for sensitive resources or workloads like financial transactions, Cognito recommends using a shorter TTL for tokens (Cognito supports a TTL between 5 minutes and 24 hours).
  3. Cognito doesn't support token introspection at this time, which means there is no API or endpoint for Cognito to verify whether a token has been revoked, and for that reason tokens are considered valid until they expire.
  4. Customers who need to implement token introspection can do so using custom solutions, like using a proxy to the Cognito endpoint, creating a database of valid token IDs, and checking against this database whether a token is still valid as part of the token verification process. With this method, you would have to use a custom authorizer with Lambda.

Regarding that endpoint: it has a pretty low request rate (see https://repost.aws/questions/QUQwK49qycQoeLVd4_BU1U0g/calling-user-pool-endpoint-has-any-quotas and https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html) and is not recommended for use in authorization.

sashee commented 8 months ago

Makes sense, thanks for the clarification! I also did not know that the userinfo endpoint has low limits.