I have set up an API Gateway authenticated using AWS Cognito. Once the user signs in, I use the following script to verify their credentials:
```javascript
const AWS = require('aws-sdk');

// Server-side sign-in (runs in a Lambda with cognito-idp:AdminInitiateAuth permission);
// APP_CLIENT_ID and USER_POOL_ID come from the environment/configuration.
function signIn(username, password) {
  const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
  const params = {
    AuthFlow: 'ADMIN_NO_SRP_AUTH',
    ClientId: APP_CLIENT_ID,
    UserPoolId: USER_POOL_ID,
    AuthParameters: {
      'USERNAME': username,
      'PASSWORD': password,
    },
  };
  return cognitoidentityserviceprovider.adminInitiateAuth(params)
    .promise();
}
```
And this will return a JSON like so:
```json
{
  "ChallengeParameters": {},
  "AuthenticationResult": {
    "AccessToken": "....",
    "ExpiresIn": 3600,
    "TokenType": "Bearer",
    "RefreshToken": "....",
    "IdToken": "...."
  }
}
```
On the client side, I will take note of the IdToken and include it as a header with the name mentioned in the API Gateway's Authorizer.
Now, I'm trying to create a lambda function to sign the user out. So far, I've got this:
```javascript
const AWS = require('aws-sdk');

// Server-side sign-out (runs in a Lambda with cognito-idp:AdminUserGlobalSignOut permission).
function signOut(username) {
  const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
  const params = {
    UserPoolId: USER_POOL_ID,
    Username: username,
  };
  return cognitoidentityserviceprovider.adminUserGlobalSignOut(params)
    .promise();
}
```
When I send a request to call this code, everything works just fine (no error is thrown), but the IdToken is still valid and I can still make authenticated requests with it. My question is, what is the proper way of signing out a user, and why is this not working?
You are right. This is the current behavior of Amazon Cognito tokens. If you do a global sign-out, then your AccessToken and RefreshToken will be expired.
But your IdToken will still be valid for up to 1 hour.
If you call Global SignOut again, then you will see the message that the access token is expired.
I hope this helps!