Verify don't check tokens invalidated with GlobalSignOut

[almeidapaulooliveira]

After sign out the user by going into the Cognito panel and globally signing out (GlobalSignOut), the verification should fail. However, the verification check passed instead.

Version

I'm using Node.js 18 with TypeScript on the server.

Steps to Reproduce

• Log in to Cognito and retrieve a token.
• Validate the token (successful validation).
• Go to the AWS Cognito console and globally sign out the user (Action / Sign out user).
• Verify the token again.
• The verification does not fail as expected.

[almeidapaulooliveira]

More info

This is a snippet of the code I'm using to properly verify the token. I'm using the cognitoVerifier only to check the token's integrity, but I'm making an additional call to the Cognito API to validate the token.

private async verifyToken(token: string): Promise<{ sub: string }> {
    try {
        const result = await this.cognitoVerifier.verify(token);  

        // Call Cognito's GetUser API to verify the token
        const command = new GetUserCommand({ AccessToken: token });
        await this.cognitoClient.send(command);

        return result;
    } catch (e) {
        this.logger.log('Error verifying token', e);
        throw new UnauthorizedException();
    }
}

In this case, GetUserCommand throws NotAuthorizedException: Access Token has been revoked, correctly.

[ottokruse]

Hi @almeidapaulooliveira

Please read the comment in https://github.com/awslabs/aws-jwt-verify/issues/151 which explains why we consider this to work as it should, and share any new insights.

Thank you for the code sample, that may help other users in scenarios where this additional check is warranted.

[almeidapaulooliveira]

Thank you, Otto. It's clear now. Great explanation about different JWT approaches, by the way.