是否可以撤销 AWS Cognito IdToken? [英] Is it possible to revoke AWS Cognito IdToken?

问题描述

是否可以使用 username 和 password 撤销在用户身份验证后获得的 AWS Cognito IdToken?

Is it possible to revoke AWS Cognito IdToken got after user authentication with it's username and password?

在我的用例中，对 API Gateway 端点的访问受到 Cognito User Pool Authorizer 的限制，它以 IdToken 作为 中的参数request.headers.Authorizer.我正在寻找阻止当前用户 IdToken 的方法.

In my usecase the access to API Gateway endpoints is restricted by Cognito User Pool Authorizer which takes IdToken as an argument in request.headers.Authorizer. I am looking for way to block current user's IdToken.

在 AWSJavaScriptSDK 中是一个函数 globalSignOut({AccessToken})，它撤销了 accessToken:http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#globalSignOut-property

In AWSJavaScriptSDK is a function globalSignOut({AccessToken}) which revokes the accessToken: http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#globalSignOut-property

是否可以以相同或类似的方式撤销IdToken?

Is it possible to revoke the IdToken the same or similar way?

感兴趣的人:我在 aws-sdk-js 上创建了一个问题:https://github.com/aws/aws-sdk-js/issues/1687

For interested: I've created an issue on aws-sdk-js: https://github.com/aws/aws-sdk-js/issues/1687

推荐答案

As @AllanFly120 在提到的主题中写道:

因为 IdToken 表示为 JSON Web Key Token，所以它是经过签名的带有秘密或私钥/公钥对，这意味着 即使您撤销IdToken，没有办法撤销分布式公开键.而且IdToken的生命周期很短，很快就会过期时间.

Because IdToken is represented as a JSON Web Key Token, it's signed with a secret or private/public key pairs, which means even if you revoke the IdToken, there is no way to revoke the distributed public key. And IdToken has a short life span, it will expire in a short time.

解决了我的疑惑.

这篇关于是否可以撤销 AWS Cognito IdToken?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！