Would it be possible to pull a check on the user auth? We’re using AWS Cognito, and it would be cool to check if the user is in the pool or disabled during a sync.
You might be able to pseudo-fix this by setting the Refresh token expiration to a lesser number. I have mine set to the min (1 day), which causes users to log in every 24 hours - this would cause a re-check of their group by default.
I’m checking with clients now to see what their users actually report.
For me, when I log into the app, it kicks me straight in (because I’ve already logged in) - there is no login check made. Which is exactly the problem I think you are seeing.
Even disabling or physically removing the user from the user-pool is not logging them out, preventing them from moving between applications, synchronizing data, or making changes. Uhh?!
So once a user has logged in, there is no way for me to prevent them accessing the applications, beyond asking them nicely to log out?
Edit:
This isn’t really a feature request; this is a massive security vulnerability when using Cognito that should be fixed.
I suppose a workaround for the time being is adding a security filter rule to all tables, to check against a user whitelist table. Although doing this will eliminate some of the benefits (e.g. delta sync).
We currently retain user login information in a browser cookie — this ensures that the user doesn’t have to sign in too often. This is maintained for a long time (I think 60 days).
When we check app access control permissions, we are currently only checking that the user successfully signed in via that specific Cognito endpoint (but we do not check if they are still valid members). Point taken – we will add that.
The refresh token stuff is nothing to do with this. That is meant for a different kind of OAuth scenario, not the simple case we are using here.
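The whole thread comes down to one control: a long-lived session cookie must not be the only proof that a user is still allowed in. The server-side check that the reporter asked for (and the vendor agreed to add) is shown here as an added example; it is not code from this thread or from the vendor. It assumes the sync endpoint holds a boto3 `cognito-idp` client with `AdminGetUser` / `AdminListGroupsForUser` permissions and asks the pool, on every sync, whether the user still exists, is enabled, is in a usable state and still belongs to the expected group. The `FakeCognito` stand-in, the pool id `us-east-1_example`, the usernames and the `app-users` group are constructed so that the example runs offline.

```python
"""Server-side check that a Cognito user is still a valid member before a sync is allowed."""

# Added example, not code from the original thread or from any vendor.
# Assumes the app's sync endpoint can call Cognito with a boto3 client
# that has cognito-idp:AdminGetUser and cognito-idp:AdminListGroupsForUser.

ALLOWED_STATUSES = {"CONFIRMED"}  # any other UserStatus is treated as not-yet-valid or blocked


def user_may_sync(client, user_pool_id, username, required_group=None):
    """Return (allowed, reason). The session cookie alone is not trusted;
    the pool is consulted on every sync so that disabling or deleting a
    user takes effect immediately instead of at cookie expiry."""
    try:
        user = client.admin_get_user(UserPoolId=user_pool_id, Username=username)
    except client.exceptions.UserNotFoundException:
        return False, "user removed from pool"
    if not user.get("Enabled", False):
        return False, "user disabled"
    status = user.get("UserStatus")
    if status not in ALLOWED_STATUSES:
        return False, f"user status {status}"
    if required_group is not None:
        resp = client.admin_list_groups_for_user(UserPoolId=user_pool_id, Username=username)
        groups = {g["GroupName"] for g in resp.get("Groups", [])}
        if required_group not in groups:
            return False, f"not in group {required_group}"
    return True, "ok"


# ---- constructed stand-in for a Cognito client, so the example runs offline ----
class _UserNotFound(Exception):
    pass


class _Exceptions:
    UserNotFoundException = _UserNotFound


class FakeCognito:
    """Mimics the two boto3 calls used above, including client.exceptions."""
    exceptions = _Exceptions()

    def __init__(self, users):
        self._users = users  # username -> (Enabled, UserStatus, [group names])

    def admin_get_user(self, UserPoolId, Username):
        if Username not in self._users:
            raise _UserNotFound(Username)
        enabled, status, _ = self._users[Username]
        return {"Username": Username, "Enabled": enabled, "UserStatus": status, "UserAttributes": []}

    def admin_list_groups_for_user(self, UserPoolId, Username):
        return {"Groups": [{"GroupName": g} for g in self._users[Username][2]]}


# Constructed sample pool: one healthy user and the failure modes from the thread.
FAKE_POOL = FakeCognito({
    "alice": (True, "CONFIRMED", ["app-users"]),
    "bob": (False, "CONFIRMED", ["app-users"]),        # disabled in the console
    "carol": (True, "FORCE_CHANGE_PASSWORD", []),      # never completed sign-up
    "dave": (True, "CONFIRMED", []),                   # removed from the group
})


def demo():
    """Run the check for each sample user (plus one that was deleted)."""
    results = {}
    for name in ("alice", "bob", "carol", "dave", "erin"):
        results[name] = user_may_sync(FAKE_POOL, "us-east-1_example", name, required_group="app-users")
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'} ({why})")
```

In production the same `user_may_sync` is called with `boto3.client("cognito-idp")` in place of `FakeCognito`; because the admin calls are rate-limited, cache a positive answer for a short window (a minute or so) rather than per request, which still cuts the exposure from the 60-day cookie lifetime down to that window. A deny result should invalidate the stored session as well, so the user cannot keep moving between applications on the old cookie.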