无法从 AWS Cognito 注销用户 [英] Cannot sign out the user from AWS Cognito

问题描述

我已经设置了一个使用 AWS Cognito 进行身份验证的 API 网关.用户登录后，我使用以下脚本验证他们的凭据:

I have set up an API Gateway authenticated using AWS Cognito. Once the user signs in, I use the following script to verify their credentials:

const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
const params = {
    AuthFlow: 'ADMIN_NO_SRP_AUTH',
    ClientId: APP_CLIENT_ID,
    UserPoolId: USER_POOL_ID,
    AuthParameters: {
        'USERNAME': username,
        'PASSWORD': password,
    },
};
return cognitoidentityserviceprovider.adminInitiateAuth(params)
    .promise();

这将返回一个像这样的 JSON:

And this will return a JSON like so:

{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "AccessToken": "....",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "....",
        "IdToken": "...."
    }
}

在客户端，我将记下 IdToken 并将其作为标题包含在 API 网关的授权方中提到的名称中.

On the client side, I will take note of the IdToken and include it as a header with a name mentioned in the API Gateway's Authorizer.

现在，我正在尝试创建一个 lambda 函数来注销用户.到目前为止，我有这个:

Now, I'm trying to create a lambda function to sign the user out. So far, I've got this:

const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();

const params = {
    UserPoolId: USER_POOL_ID,
    Username: username,
};
return cognitoidentityserviceprovider.adminUserGlobalSignOut(params)
    .promise();

当我发送调用此代码的请求时，即使一切正常(没有抛出错误)，但 IdToken 仍然有效，我仍然可以使用它调用经过身份验证的请求.我的问题是，注销用户的正确方法是什么，为什么这不起作用?

When I send a request to call this code, even though everything works just fine (no error is thrown), but the IdToken is still valid and I can still call authenticated requests with it. My question is, what is the proper way of signing out a user and why this is not working?

推荐答案

你说得对.这是 Amazon Cognito 令牌的当前行为.如果您进行全局注销，则您的 accessToken 和 RefreshToken 将过期.

You are right. This is the current behavior of Amazon Cognito Tokens. If you do global signout than your accessToken and RefreshToken will be expired.

但您的 IdToken 将在 1 小时内仍然有效.

But your IdToken will be still valid till 1 hour.

如果再次调用 Global SignOut，您将看到访问令牌已过期

If you call the Global SignOut again, Than you will see the message that access token is expired

我希望这会有所帮助！

这篇关于无法从 AWS Cognito 注销用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！