Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Is it possible to revoke an AWS Cognito IdToken obtained after user authentication with its username and password?

In my use case, access to API Gateway endpoints is restricted by a Cognito User Pool Authorizer, which takes the IdToken as an argument in request.headers.Authorizer. I am looking for a way to block the current user's IdToken.

In the AWS JavaScript SDK there is a function globalSignOut({AccessToken}) which revokes the accessToken: http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#globalSignOut-property

Is it possible to revoke the IdToken in the same or a similar way?

For those interested: I've created an issue on aws-sdk-js: https://github.com/aws/aws-sdk-js/issues/1687


1 Answer

You are correct. The globalSignOut call revokes all tokens except the id token. The id token is a bearer token that is generally used with services outside of user pools. I am on the Cognito team, and we do have an integration roadmap on our calendar to have services that consume id tokens check back to see if those id tokens are valid and not accept invalid ones.
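
Added example (not part of the original answer, and not AWS or Cognito code): one way a service that consumes id tokens can check revocation state itself, for instance inside a custom authorizer. It assumes the JWT signature, issuer and audience were already verified by a JWT library; the revokedBefore store and all function names are hypothetical, and the sample token is constructed.

```javascript
// Consumer-side revocation check for Cognito id tokens (added example).
// Assumption: signature, issuer and audience were verified before this runs.

// Hypothetical store: user `sub` -> epoch seconds of the last forced sign-out.
// In a real deployment this is a shared table, written whenever globalSignOut is called.
const revokedBefore = new Map();

function recordSignOut(sub, nowSec) {
  revokedBefore.set(sub, nowSec);
}

// Decode the payload (second segment) of a compact JWT. No verification happens here.
function decodeClaims(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  // Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Returns { allow, reason } for an already signature-verified token.
function checkIdToken(jwt, nowSec) {
  let claims;
  try { claims = decodeClaims(jwt); } catch (e) { return { allow: false, reason: 'malformed' }; }
  if (!claims || claims.token_use !== 'id') return { allow: false, reason: 'not an id token' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { allow: false, reason: 'expired' };
  if (typeof claims.sub !== 'string' || typeof claims.iat !== 'number') {
    return { allow: false, reason: 'missing claims' };
  }
  const cutoff = revokedBefore.get(claims.sub);
  // Any token issued at or before the sign-out time is treated as revoked,
  // so a token minted in the same second as the sign-out is rejected too.
  if (cutoff !== undefined && claims.iat <= cutoff) return { allow: false, reason: 'revoked' };
  return { allow: true, reason: 'ok' };
}

// Builds a constructed sample token with a placeholder signature, for demonstration only.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256' })}.${enc(claims)}.placeholder-signature`;
}
```

The store has to be written in the same code path that calls globalSignOut, otherwise an id token issued before the sign-out keeps passing this check until its exp.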

