AWS cognito documentation change
Summary
Updated token revocation documentation with expanded details about revocation behavior, added console configuration steps, and restructured content organization
Security assessment
The changes provide more detailed explanations about token revocation security implications (e.g., revoked tokens remain invalid after re-enabling users/clients, client ID requirements for revocation). However, there's no evidence this addresses a newly discovered vulnerability - rather it enhances documentation of existing security controls.
Diff
diff --git a/cognito/latest/developerguide/token-revocation.md b/cognito/latest/developerguide/token-revocation.md index a51405685..39860b474 100644 --- a//cognito/latest/developerguide/token-revocation.md +++ b//cognito/latest/developerguide/token-revocation.md @@ -21 +21 @@ The [revoke endpoint](./revocation-endpoint.html) revokes a given refresh token -**GlobalSignOut** +**GlobalSignOut operation** @@ -26 +26 @@ The [revoke endpoint](./revocation-endpoint.html) revokes a given refresh token -**AdminUserGlobalSignOut** +**AdminUserGlobalSignOut operation** @@ -31 +31 @@ The [revoke endpoint](./revocation-endpoint.html) revokes a given refresh token -###### Note +###### Things to know about revoking tokens @@ -33 +33 @@ The [revoke endpoint](./revocation-endpoint.html) revokes a given refresh token -User pool JWTs are self-contained with a signature and expiration time that was assigned when the token was created. Revoked tokens can't be used with any Amazon Cognito API calls that require a token. However, revoked tokens will still be valid if they are verified using any JWT library that verifies the signature and expiration of the token. + * Your request to revoke a refresh token must include the client ID that was used to obtain the token. @@ -35 +35 @@ User pool JWTs are self-contained with a signature and expiration time that was -You can revoke a refresh token for a user pool client with token revocation enabled. When you create a new user pool client, token revocation is enabled by default. + * User pool JWTs are self-contained with a signature and expiration time that was assigned when the token was created. Revoked tokens can't be used with any Amazon Cognito API calls that require a token. However, revoked tokens will still be valid if they are verified using any JWT library that verifies the signature and expiration of the token. @@ -37 +37,11 @@ You can revoke a refresh token for a user pool client with token revocation enab -## Enable token revocation + * When you create a new user pool client, token revocation is enabled by default. + + * You can revoke refresh tokens only in app clients with token revocation enabled. + + * After you enable token revocation, new claims are added in the Amazon Cognito JSON Web Tokens. The `origin_jti` and `jti` claims are added to access and ID tokens. These claims increase the size of the application client access and ID tokens. + + * When you disable token revocation in an app client where it was previously enabled, revoked tokens don't become active again. + + * When you [disable a user account](./how-to-manage-user-accounts.html#manage-user-accounts-enable-disable) (which revokes refresh and access tokens), the revoked tokens don't become active if you enable the user account again. + + * When you create a new user pool client using the AWS Management Console, the AWS CLI, or the AWS API, token revocation is enabled by default. @@ -39 +48,0 @@ You can revoke a refresh token for a user pool client with token revocation enab -Before you can revoke a token for an existing user pool client, you must enable token revocation. You can enable token revocation for existing user pool clients using the AWS CLI or the AWS API. To do this, call the `aws cognito-idp describe-user-pool-client` CLI command or the `DescribeUserPoolClient` API operation to retrieve the current settings from your app client. Then call the `aws cognito-idp update-user-pool-client` CLI command or the `UpdateUserPoolClient` API operation. Include the current settings from your app client and set the `EnableTokenRevocation` parameter to `true`. @@ -41 +49,0 @@ Before you can revoke a token for an existing user pool client, you must enable -When you create a new user pool client using the AWS Management Console, the AWS CLI, or the AWS API, token revocation is enabled by default. @@ -43 +50,0 @@ When you create a new user pool client using the AWS Management Console, the AWS -After you enable token revocation, new claims are added in the Amazon Cognito JSON Web Tokens. The `origin_jti` and `jti` claims are added to access and ID tokens. These claims increase the size of the application client access and ID tokens. @@ -45 +52,5 @@ After you enable token revocation, new claims are added in the Amazon Cognito JS -To create or modify an app client with token revocation enabled, include the following parameter in your [CreateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html) or [UpdateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html) API request. +## Enable token revocation + +Before you can revoke a token for an existing user pool client, you must enable token revocation. You can enable token revocation for existing user pool clients using the AWS CLI or the AWS API. To do this, call the `aws cognito-idp describe-user-pool-client` CLI command or the `DescribeUserPoolClient` API operation to retrieve the current settings from your app client. Then call the `aws cognito-idp update-user-pool-client` CLI command or the `UpdateUserPoolClient` API operation. Include the current settings from your app client and set the `EnableTokenRevocation` parameter to `true`. + +To create or modify an app client with token revocation enabled with the Amazon Cognito API or with an AWS SDK, include the following parameter in your [CreateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html) or [UpdateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html) API request. @@ -50,0 +62,2 @@ To create or modify an app client with token revocation enabled, include the fol +To configure token revocation in the Amazon Cognito console, select an app client from the **App clients** menu in your user pool. Select the **Edit** button in **App client information** and enable or disable token revocation under **Advanced configuration**. + @@ -55,4 +67,0 @@ You can revoke a refresh token using a [RevokeToken](https://docs.aws.amazon.com -###### Note - -Your request to revoke a refresh token must include the client ID that was used to obtain the token. -