Closed IgorPietraszko closed 2 years ago
@IgorPietraszko Based on GlobalSignOut, it requires the user's access token to sign out the user from all devices. It also mentions that the user's current access and ID tokens remain valid until their expiry. Access and ID tokens expire one hour after they're issued. You are right, RevokeToken appears to work for your scenario. For calling this API operation, you would need to use AWSSDK.CognitoIdentityProvider, which must have been included by default if you are using the Cognito extensions library.
Also take note of Revoking tokens which mentions that before you can revoke a token for an existing user pool client, you must enable token revocation.
Hope this helps.
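An added example, not part of the original thread or of the Cognito extensions library: one way to call RevokeToken through the injected IAmazonCognitoIdentityProvider. The class name SessionRevoker, the clientId parameter, and the premise that the application has stored one refresh token per signed-in session are assumptions; RevokeToken accepts refresh tokens only.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;

// Hypothetical helper (added example): revokes the refresh tokens an
// application has stored for one user, e.g. right after a password reset.
public class SessionRevoker
{
    private readonly IAmazonCognitoIdentityProvider _provider; // injected by DI
    private readonly string _clientId; // app client ID, assumed to come from configuration

    public SessionRevoker(IAmazonCognitoIdentityProvider provider, string clientId)
    {
        _provider = provider;
        _clientId = clientId;
    }

    // Returns the number of tokens that were revoked.
    public async Task<int> RevokeAllAsync(IEnumerable<string> refreshTokens)
    {
        var revoked = 0;
        foreach (var token in refreshTokens)
        {
            try
            {
                await _provider.RevokeTokenAsync(new RevokeTokenRequest
                {
                    ClientId = _clientId,
                    Token = token
                    // Set ClientSecret as well if the app client has a secret.
                });
                revoked++;
            }
            catch (UnsupportedOperationException ex)
            {
                // Token revocation is not enabled on this app client, so no
                // token can be revoked; fail loudly instead of continuing.
                throw new InvalidOperationException(
                    "Enable token revocation on the user pool app client.", ex);
            }
            catch (UnsupportedTokenTypeException)
            {
                // The stored value is not a refresh token; skip it.
            }
        }
        return revoked;
    }
}
```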
It is interesting that while IAmazonCognitoIdentityProvider was being injected by the DI, I needed to add the AWSSDK.CognitoIdentityProvider NuGet explicitly to access its RevokeTokenAsync() method. Thanks, this answers my questions.
Again, great help from @ashishdhingra. It is immensely helpful to have access to AWS SDK developers and have them provide answers and guidance in such a prompt fashion. Thanks.
This question is a follow-up to issue 170 (https://github.com/aws/aws-aspnet-cognito-identity-provider/issues/170).
I have a use case where upon password change, I would like to sign this user out of all "active sessions" (e.g. an authenticated session in another browser).
To reset the password, I use CognitoUser.ForgotPasswordAsync() followed by CognitoUser.ConfirmForgotPasswordAsync(). This all works fine, and now I would like to ensure that all "active sessions" (for example, other browsers) also have their sessions invalidated. When I call CognitoUser.GlobalSignOutAsync(), this does not seem to accomplish what I want. Is this due to the fact that a local session in another browser is not aware of the sign out (hence your reference to use something like WebSocket API), or does GlobalSignOut() not accomplish what I want (according to this, it does not invalidate current access tokens -> https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GlobalSignOut.html)? Should I rather call RevokeToken (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html)? I am not sure which API exposes it.
Environment
Targeted .NET Platform: ASP.NET Core 3.1
This is a general question