cognito-local
AdminDisableUser does not revoke tokens
There is an inconsistency in how user tokens are handled by cognito-local and by "real" AWS Cognito.

1. An InitiateAuth API call with the USER_PASSWORD_AUTH flow returns tokens, namely AccessToken, IdToken and RefreshToken.
2. If AdminDisableUser is called after that, the user's tokens are invalidated. As per the documentation:
   > Deactivates a user and revokes all access tokens for the user.
3. If a new InitiateAuth is then attempted with the REFRESH_TOKEN_AUTH flow and the token saved in step 1, real AWS Cognito returns an error because the token has been revoked.

On the other hand, cognito-local does not revoke the tokens after step 2, and the second InitiateAuth (step 3) completes successfully.