Question
I'm quite new to AWS Cognito and to token security. I decided to use AWS Cognito for my application. I followed the guides here for my web app and my web API.
https://dzone.com/articles/identity-as-a-service-idaas-aws-cognito-and-aspnet https://dzone.com/articles/identity-as-a-service-idaas-asp-net-core-api-and-a
Everything works fine. But when I try to create a new user pool in AWS Cognito and then change the appsettings for both the web app and the web API to use the new user pool, I found something quite weird.
(For the web app.) The user can still access a controller action with the old token that belongs to the old user pool that was used before, even though the action is marked as [Authorize]. I don't know why the user can still get access with the old token even though appsettings is set to the new user pool. (But the user cannot access the web API, which uses the new user pool, with the old token.)
(For both the web app and the web API.) Then I deleted that user from the old user pool and set the web app and web API to use the old user pool. I found that the user can still access both actions in the web app and the web API even though that user was deleted.
I think there might be something I'm missing about token validation or settings. Can anyone suggest a solution to fix that?
Answer 1:
The ID token issued by an AWS Cognito User Pool is a JWT, which is signed by AWS. Once issued, the token is valid for 1 hour. Within this 1 hour, there is no way of revoking the token since it's stateless.
Amazon Cognito generates two RSA key pairs for each user pool. The private key of each pair is used to sign the respective ID token or access token. The public keys are made available at an address in this format:
https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
Since the public key is publicly available, anyone can verify whether the JWT is authentic and issued by AWS Cognito.
However, this involves multiple things to verify.
- Validate the JWT encoding, whether it's compliant with the JWT standard.
- Validate the JWT issuer, whether it's the particular user pool (verify its ID).
- Validate whether the token is an ID token (optional).
- Validate the audience of the token (whether it is issued for the particular app).
- Validate the token signature (this is where the public key is needed).
- Validate whether the token is expired or not.
This information is already self-contained within the JWT string, properly encoded according to the JWT standard.
Therefore, even if the Cognito User Pool is deleted, if there is a valid token (< 1 hour after it was issued), it should be valid if the verification process uses a stored public key to verify it.
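The six checks the answer lists, as an added example that is not code from the answer or from any AWS library: a standard-library-only Python verifier for a Cognito JWT, with RS256 done by hand from the modulus and exponent in the pool's jwks.json. The region, user pool id, app client id and the already-fetched JWKS it takes are assumptions supplied by the caller.

```python
"""Verify a Cognito User Pool JWT: structure, issuer, token_use, audience,
RS256 signature against the pool's JWKS, and expiry. Standard library only."""
import base64
import hashlib
import json
import time

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rs256_verify(jwk: dict, signing_input: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256 using the JWK's public (n, e)."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8          # modulus length in bytes
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return em == expected


def verify_cognito_token(token, jwks, region, user_pool_id, client_id,
                         token_use="id", now=None):
    """Return the verified claims or raise ValueError. Order of checks:
    encoding, issuer, token_use, audience, signature (key chosen by kid), expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != issuer:
        raise ValueError("issuer is not the expected user pool")
    if claims.get("token_use") != token_use:
        raise ValueError(f"token_use is not {token_use!r}")
    # ID tokens carry the app client id in 'aud'; access tokens in 'client_id'
    aud_claim = "aud" if token_use == "id" else "client_id"
    if claims.get(aud_claim) != client_id:
        raise ValueError("token was not issued for this app client")
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg; Cognito signs with RS256")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no JWKS key matches the token's kid")
    if not rs256_verify(key, f"{parts[0]}.{parts[1]}".encode(), b64url_decode(parts[2])):
        raise ValueError("signature does not verify")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token has expired")
    return claims
```

Note that nothing in these checks consults the user pool, which is exactly why a deleted user's token keeps passing until `exp`; only a short lifetime or a server-side check against the pool closes that window.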
Source: https://stackoverflow.com/questions/52023829/aws-cognito-why-is-token-still-valid-even-user-pool-is-changed-or-user-is-dele