
AdminDisableUser does not revoke tokens

Open KristobalJunta opened this issue 1 year ago • 1 comment

There is an inconsistency in how user tokens are handled by cognito-local and "real" AWS Cognito.

  1. An InitiateAuth API call with the USER_PASSWORD_AUTH flow returns tokens, namely: AccessToken, IdToken, RefreshToken.

  2. If AdminDisableUser is called after that, the user's tokens are invalidated. As per the documentation:

     > Deactivates a user and revokes all access tokens for the user.

  3. If a new InitiateAuth is attempted after that with the REFRESH_TOKEN_AUTH flow and a token saved from p1, real AWS Cognito returns an error, because the token has been revoked.

  4. On the other hand, cognito-local does not revoke tokens after p2, and the second InitiateAuth (p3) completes successfully.

KristobalJunta, Apr 21 '23 14:04
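The four steps above, as an added end-to-end check (example code, not cognito-local's own code and not part of the issue). `checkDisableRevokesRefresh` runs login, disable and refresh against any object that exposes `initiateAuth` and `adminDisableUser` taking Cognito-style parameters and raising errors named `NotAuthorizedException`; `MemoryCognito` is a constructed in-memory stand-in whose `revokeOnDisable` switch models either the documented behaviour or the behaviour reported here. Wrapping a real SDK client or a cognito-local endpoint behind those two method names is an assumption left to the reader; the method and parameter names, the sample user and the token format are all assumptions of this example.

```javascript
// Added example, not cognito-local's code. Flow names match the Cognito API;
// everything else (method names, token format, sample user) is constructed.
const USER_PASSWORD_AUTH = "USER_PASSWORD_AUTH";
const REFRESH_TOKEN_AUTH = "REFRESH_TOKEN_AUTH";

// Cognito reports auth failures as NotAuthorizedException; mirror that error name
// so the check can distinguish "rejected" from an unrelated failure.
function notAuthorized(message) {
  const err = new Error(message);
  err.name = "NotAuthorizedException";
  return err;
}

// Constructed in-memory stand-in for a user pool (assumption: not Cognito's logic).
class MemoryCognito {
  // revokeOnDisable: true  -> AdminDisableUser revokes the user's refresh tokens
  //                  false -> tokens survive disabling (the behaviour reported above)
  constructor({ revokeOnDisable }) {
    this.revokeOnDisable = revokeOnDisable;
    this.users = new Map();         // username -> { password, enabled }
    this.refreshTokens = new Map(); // refresh token -> { username, revoked }
    this.counter = 0;               // constructed token ids; real tokens are random and signed
  }

  adminCreateUser({ Username, Password }) {
    this.users.set(Username, { password: Password, enabled: true });
  }

  mintAccessTokens(username) {
    const id = ++this.counter;
    return { AccessToken: `access-${username}-${id}`, IdToken: `id-${username}-${id}` };
  }

  async initiateAuth({ AuthFlow, AuthParameters }) {
    if (AuthFlow === USER_PASSWORD_AUTH) {
      const user = this.users.get(AuthParameters.USERNAME);
      if (!user || user.password !== AuthParameters.PASSWORD) {
        throw notAuthorized("Incorrect username or password.");
      }
      if (!user.enabled) throw notAuthorized("User is disabled.");
      const refreshToken = `refresh-${AuthParameters.USERNAME}-${++this.counter}`;
      this.refreshTokens.set(refreshToken, { username: AuthParameters.USERNAME, revoked: false });
      return { AuthenticationResult: { ...this.mintAccessTokens(AuthParameters.USERNAME), RefreshToken: refreshToken } };
    }
    if (AuthFlow === REFRESH_TOKEN_AUTH) {
      // Only the token's own revocation state is consulted, so the outcome of step 3
      // depends solely on whether AdminDisableUser revoked it in step 2.
      const entry = this.refreshTokens.get(AuthParameters.REFRESH_TOKEN);
      if (!entry || entry.revoked) throw notAuthorized("Refresh Token has been revoked");
      return { AuthenticationResult: this.mintAccessTokens(entry.username) }; // no new refresh token minted here
    }
    throw new Error(`unsupported AuthFlow ${AuthFlow}`);
  }

  async adminDisableUser({ Username }) {
    const user = this.users.get(Username);
    if (!user) throw new Error("UserNotFoundException");
    user.enabled = false;
    if (!this.revokeOnDisable) return;
    for (const entry of this.refreshTokens.values()) {
      if (entry.username === Username) entry.revoked = true;
    }
  }
}

// Steps 1-4 of the issue. Returns true when the post-disable refresh is rejected with
// NotAuthorizedException (documented behaviour) and false when it still succeeds.
async function checkDisableRevokesRefresh(client, username, password) {
  const login = await client.initiateAuth({
    AuthFlow: USER_PASSWORD_AUTH,
    AuthParameters: { USERNAME: username, PASSWORD: password },
  });
  const { RefreshToken } = login.AuthenticationResult;

  await client.adminDisableUser({ Username: username });

  try {
    await client.initiateAuth({
      AuthFlow: REFRESH_TOKEN_AUTH,
      AuthParameters: { REFRESH_TOKEN: RefreshToken },
    });
    return false; // refresh still works: the token was not revoked
  } catch (err) {
    if (err.name === "NotAuthorizedException") return true;
    throw err; // any other failure is a different problem, so surface it
  }
}

// Runs the check against both models and returns both outcomes.
async function demo() {
  const results = {};
  for (const [label, revokeOnDisable] of [["documented", true], ["reported", false]]) {
    const client = new MemoryCognito({ revokeOnDisable });
    client.adminCreateUser({ Username: "alice", Password: "correct horse battery staple" }); // constructed sample user
    results[label] = await checkDisableRevokesRefresh(client, "alice", "correct horse battery staple");
  }
  return results;
}

demo().then((r) => console.log(r)); // { documented: true, reported: false }
```

The check deliberately treats only `NotAuthorizedException` as "revoked": a network error or a malformed request also fails the refresh, and silently counting those as a pass would hide a broken test setup rather than prove revocation.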