Closed sashee closed 8 months ago
I believe this is a known behavior because JWTs are self-contained: https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html
JWT tokens are self-contained with a signature and expiration time that was assigned when the token was created. Revoked tokens can't be used with any Amazon Cognito API calls that require a token. However, revoked tokens will still be valid if they are verified using any JWT library that verifies the signature and expiration of the token.
Cognito provides the userinfo endpoint that can be used to see if the token is revoked: https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html
I think the general view of JWTs is that they are valid until expiration and there is no additional check for revocation. On the other hand, it would be nice if a Cognito token that is not valid anymore were also not usable with AWS services anymore.
Hey @sashee , I'm going to close the issue, since there is no actionable item for us to take at this point.
I do want to share some general points on Cognito from SMEs:
Regarding that endpoint: it has a pretty low request rate (see https://repost.aws/questions/QUQwK49qycQoeLVd4_BU1U0g/calling-user-pool-endpoint-has-any-quotas and https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html) and is not recommended for use in authorization.
Makes sense, thanks for the clarification! I also did not know that the userinfo endpoint has low limits.
AppSync apparently does not check whether an access token is revoked or not.
Reproduction: