aws / aws-aspnet-cognito-identity-provider

ASP.NET Core Identity Provider for Amazon Cognito
https://aws.amazon.com/developer/language/net/
Apache License 2.0

Sign Out from all "active sessions" #215

Closed IgorPietraszko closed 2 years ago

IgorPietraszko commented 2 years ago

This question is a follow up to issue 170 (https://github.com/aws/aws-aspnet-cognito-identity-provider/issues/170).

I have a use case where upon password change, I would like to sign this user out of all "active sessions" (e.g. an authenticated session in another browser).

To reset the password, I use CognitoUser.ForgotPasswordAsync() followed by CognitoUser.ConfirmForgotPasswordAsync(). This all works fine, and now I would like to ensure that all "active sessions" (for example, other browsers) also have their sessions invalidated. When I call CognitoUser.GlobalSignOutAsync(), this does not seem to accomplish what I want. Is this due to the fact that a local session in another browser is not aware of the sign out (hence your reference to use something like a WebSocket API), or does GlobalSignOut() not accomplish what I want (according to this, it does not invalidate current access tokens -> https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GlobalSignOut.html)? Should I rather call RevokeToken (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html)? I am not sure which API exposes it.

Environment

This is a general question

ashishdhingra commented 2 years ago

@IgorPietraszko Based on GlobalSignOut, it requires the user's access token to sign out the user from all devices. It also mentions that the user's current access and ID tokens remain valid until their expiry. Access and ID tokens expire one hour after they're issued. You are right, RevokeToken appears to work for your scenario. For calling this API operation, you would need to use AWSSDK.CognitoIdentityProvider, which must have been included by default if you are using the Cognito extensions library.

Also take note of Revoking tokens which mentions that before you can revoke a token for an existing user pool client, you must enable token revocation.

Hope this helps.
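One way to wire the RevokeToken call described above, as an added example that is not code from the issue or from the library: it assumes the low-level IAmazonCognitoIdentityProvider client is injected by DI, that token revocation is enabled on the app client, and that the application has stored the refresh tokens of the sessions it wants to cut off; the class and method names are hypothetical.

```csharp
// Added example (not part of the issue or the library): revoke a stored refresh
// token with AWSSDK.CognitoIdentityProvider after a password change, so Cognito
// stops accepting the access/ID tokens that were issued with it.
// Assumes token revocation is enabled on the app client and that the app keeps
// the refresh token(s) of the sessions it wants to terminate. Names are hypothetical.
using System;
using System.Threading;
using System.Threading.Tasks;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;

public class SessionRevoker
{
    private readonly IAmazonCognitoIdentityProvider _provider; // injected by DI
    private readonly string _clientId;
    private readonly string _clientSecret; // null when the app client has no secret

    public SessionRevoker(IAmazonCognitoIdentityProvider provider, string clientId, string clientSecret = null)
    {
        _provider = provider;
        _clientId = clientId;
        _clientSecret = clientSecret;
    }

    // Revokes one refresh token. Unlike GlobalSignOut, which leaves already-issued
    // access/ID tokens valid until they expire (one hour), RevokeToken also makes
    // Cognito reject the access and ID tokens minted from this refresh token.
    public async Task RevokeSessionAsync(string refreshToken, CancellationToken ct = default)
    {
        var request = new RevokeTokenRequest
        {
            Token = refreshToken,
            ClientId = _clientId
        };
        if (!string.IsNullOrEmpty(_clientSecret))
            request.ClientSecret = _clientSecret; // required only for confidential app clients

        try
        {
            await _provider.RevokeTokenAsync(request, ct);
        }
        catch (AmazonCognitoIdentityProviderException ex)
        {
            // Typical causes: revocation not enabled on the app client, or the
            // token does not belong to this client. Surface it so the caller can log it.
            throw new InvalidOperationException("Token revocation failed; verify that revocation is enabled for the app client.", ex);
        }
    }
}
```

Revoking the refresh token stops Cognito from honouring that session's tokens, but an ASP.NET Core authentication cookie held by another browser is not itself invalidated; that side only notices once it next presents its Cognito tokens, so the application still needs to re-check token validity (or expire its own cookie) on subsequent requests.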

IgorPietraszko commented 2 years ago

It is interesting that while IAmazonCognitoIdentityProvider was being injected by the DI, I needed to add the AWSSDK.CognitoIdentityProvider NuGet package explicitly to access its RevokeTokenAsync() method. Thanks, this answers my questions.

IgorPietraszko commented 2 years ago

Again, great help from @ashishdhingra. It is immensely helpful to have access to AWS SDK developers and have them provide answers and guidance in such a prompt fashion. Thanks.
