aws / aws-aspnet-cognito-identity-provider

ASP.NET Core Identity Provider for Amazon Cognito
https://aws.amazon.com/developer/language/net/
Apache License 2.0

RevokeToken behavior for multiple logins #217

Closed IgorPietraszko closed 2 years ago

IgorPietraszko commented 2 years ago

The Question

This is a general question regarding IAmazonCognitoIdentityProvider.RevokeTokenAsync() and related to https://github.com/aws/aws-aspnet-cognito-identity-provider/issues/170. AWS documentation for Revoke Token (https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html) states that:

You can revoke a refresh token for a user using the AWS API. When you revoke a refresh token, all access tokens that were previously issued by that refresh token become invalid. The other refresh tokens issued to the user are not affected.

The question is, given the same User Pool and ClientId, would a login from 2 different browsers by the same user (same login credentials) receive the same access and refresh tokens, and would a RevokeTokenAsync() call invalidate both refresh tokens; in other words, would both sessions' refresh tokens become invalid?

In the case of JWT tokens, since they are self-contained (as the article states further), would RevokeTokenAsync() have to be coupled with the issuance of a new JWT token that is expired?

Environment

This is a :question: general question
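The scenario described in the question, written out as an added example that is not part of this repository or its author's code: two sign-ins by the same user produce two independent sessions, one session's refresh token is revoked with RevokeTokenAsync(), and each session's access token is then probed against GetUser, which is one of the Cognito APIs that rejects access tokens issued by a revoked refresh token. It uses the AWSSDK.CognitoIdentityProvider package, needs a real user pool with token revocation enabled on the app client, and the client id, username and password are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;

// Added example (not repository code). Placeholders must be replaced with
// values from a real user pool whose app client has token revocation enabled.
public static class RevokeOneSession
{
    private const string ClientId = "<app-client-id>"; // placeholder

    // One sign-in yields one refresh token; keep the pair per browser session.
    public sealed record SessionTokens(string AccessToken, string RefreshToken);

    // USER_PASSWORD_AUTH must be enabled on the app client for this flow.
    public static async Task<SessionTokens> SignInAsync(
        IAmazonCognitoIdentityProvider cognito, string username, string password)
    {
        var resp = await cognito.InitiateAuthAsync(new InitiateAuthRequest
        {
            ClientId = ClientId,
            AuthFlow = AuthFlowType.USER_PASSWORD_AUTH,
            AuthParameters = new Dictionary<string, string>
            {
                ["USERNAME"] = username,
                ["PASSWORD"] = password,
            },
        });
        var result = resp.AuthenticationResult;
        return new SessionTokens(result.AccessToken, result.RefreshToken);
    }

    // Revoke only this session's refresh token; access tokens issued from it
    // become invalid, other sessions' refresh tokens are untouched.
    public static Task RevokeSessionAsync(
        IAmazonCognitoIdentityProvider cognito, SessionTokens session) =>
        cognito.RevokeTokenAsync(new RevokeTokenRequest
        {
            ClientId = ClientId,
            Token = session.RefreshToken,
            // ClientSecret = "<app-client-secret>", // only if the app client has a secret
        });

    // GetUser is a Cognito API that rejects a revoked access token with
    // NotAuthorizedException. A purely local JWT signature check would still
    // accept the token until its exp claim passes.
    public static async Task<bool> IsAccessTokenAcceptedAsync(
        IAmazonCognitoIdentityProvider cognito, string accessToken)
    {
        try
        {
            await cognito.GetUserAsync(new GetUserRequest { AccessToken = accessToken });
            return true;
        }
        catch (NotAuthorizedException)
        {
            return false;
        }
    }

    public static async Task Main()
    {
        // Region and credentials come from the usual SDK environment sources.
        using var cognito = new AmazonCognitoIdentityProviderClient();

        var browserA = await SignInAsync(cognito, "<username>", "<password>");
        var browserB = await SignInAsync(cognito, "<username>", "<password>");

        // Log out browser A only.
        await RevokeSessionAsync(cognito, browserA);

        Console.WriteLine($"A accepted: {await IsAccessTokenAcceptedAsync(cognito, browserA.AccessToken)}");
        Console.WriteLine($"B accepted: {await IsAccessTokenAcceptedAsync(cognito, browserB.AccessToken)}");
    }
}
```

Each InitiateAuth call returns its own access and refresh token pair, so the revocation is scoped to whichever refresh token the application passes; an application that wants per-session logout therefore stores each session's refresh token separately rather than one token per user. The probe goes through a Cognito API on purpose: a resource server that validates the JWT only by signature and expiry has no view of the revocation, which is the gap the second question above is about.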