awslabs / aws-jwt-verify

JS library for verifying JWTs signed by Amazon Cognito, and any OIDC-compatible IDP that signs JWTs with RS256, RS384, RS512, ES256, ES384, and ES512
Apache License 2.0

after logout token is not getting expired able to hit apis and get data #151

Closed NavnathGunjal7 closed 10 months ago

NavnathGunjal7 commented 10 months ago

Describe the bug

  1. If I do a global sign out of Cognito, the library is not able to know that the token is expired. When I do any update call to Cognito via the access token, then the token is expired, but the library is not able to catch it.

Versions

  - version: 4.0.0
  - using: Node.js, node version above 18
  - typescript version: 5.2.2

To Reproduce

  1. Log in to the application in two browsers
  2. Log out from one of them --> used global sign out of Cognito
  3. The token is not expired, it can pass the aws-verify library
  4. But if I call Cognito with that access token, Cognito is throwing token expired

ottokruse commented 10 months ago

Thanks for reporting this. We do not consider this behavior a bug though; this is expected behavior. This library verifies the JWT using the user pool's public key, but does not check with the user pool if the token was revoked. This is because this library is intended to be used in API endpoints, where you need JWT verification to be as fast as possible.

This behavior is consistent with most JWT verification implementations. In many auth scenarios it's not desirable to also check the upstream IDP for token revocation, as that would add latency, and defeats the purpose of JWT. One of the best selling points of JWT is that you can verify them very fast locally (using cryptographic verification), without needing to reach out to the issuing IDP (except once initially to get the IDP's public key, to verify the JWTs with). JWTs are stateless, unlike e.g. session cookies.

Adding this check against the IDP, Cognito in this case, is possible, but you probably want to add some caching, say of 5 minutes, to not have to reach out to Cognito every time you see the same JWT. However, another, better approach is then to configure the Cognito JWTs to have an expiry of only 5 minutes (you can configure this on the User Pool client). Same end result, but a faster and simpler implementation.

That's the general answer to this particular concern (related to the concern of JWTs being stolen): a short expiry is your best mitigation against threats.

Anyway, be that as it may, we can also see that there are cases where you'd want to make the effort of verifying a JWT upstream with the IDP. However, currently Cognito doesn't have an endpoint that allows you to check a JWT like that (but you could check it by testing the JWT against an actual Cognito endpoint; if it works, it's valid). That however is not part of this library, nor have we yet been convinced that it should be.

Hope that explanation helps!