AWS Cognito - Include OTP expiration timestamp - amazon-cognito

I need to include the OTP expiration timestamp in the SMS for Cognito messages. Is there a way to do this?

Related

What is the purpose of an App in a User Pool in AWS Cognito

I am new to AWS Cognito. Based on the description, a User Pool is used for authentication. If I am a user in the user pool, I can use this user name and password to authenticate my identity. Why do I need to add an App to the user pool?
Thanks for help in advance,
AWS Cognito allows you to create a number of apps to integrate with your user pool. On each app, you can customize the authentication flow, access/refresh token expiration, attribute read and write permissions, hosted UI...
Use case: you use the same user pool for both apps but with some customizations like:
App A: just allow authentication via the ALLOW_USER_PASSWORD_AUTH and access token expiration is 5 minutes.
App B: just allow authentication via the ALLOW_USER_SRP_AUTH and access token expiration is 30 minutes.
Hope that's clear.
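To make the two-client setup from the answer concrete, here is an added example (not code from the original thread) that builds the `create_user_pool_client` requests for App A and App B with boto3's parameter names. The pool ID and client names are hypothetical; the validity ranges it enforces are the documented Cognito limits (access and ID tokens 5 minutes to 1 day, refresh tokens 60 minutes to 10 years), and `ALLOW_REFRESH_TOKEN_AUTH` is added because refresh tokens only work when that flow is explicitly allowed on the client.

```python
"""Build CreateUserPoolClient requests for two app clients that share one user
pool but differ in allowed auth flow and access-token lifetime.

Added example, not code from the original thread. The pool ID and client
names are hypothetical. The limits encoded below are the documented Cognito
ranges: access and ID token validity 5 minutes to 1 day, refresh token
validity 60 minutes to 10 years (3650 days).
"""
import json

_UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}
_LIMITS = {  # token kind -> (min seconds, max seconds)
    "AccessToken": (5 * 60, 24 * 3600),
    "IdToken": (5 * 60, 24 * 3600),
    "RefreshToken": (60 * 60, 3650 * 86400),
}
_KNOWN_FLOWS = {
    "ALLOW_USER_PASSWORD_AUTH",
    "ALLOW_USER_SRP_AUTH",
    "ALLOW_CUSTOM_AUTH",
    "ALLOW_ADMIN_USER_PASSWORD_AUTH",
    "ALLOW_REFRESH_TOKEN_AUTH",
}

POOL_ID = "us-east-1_EXAMPLE"  # hypothetical user pool ID


def validity_is_allowed(kind: str, value: int, unit: str) -> bool:
    """True if `value` `unit`s lies inside Cognito's documented range for `kind`."""
    lo, hi = _LIMITS[kind]
    return lo <= value * _UNIT_SECONDS[unit] <= hi


def app_client_request(user_pool_id, client_name, auth_flows, access_token_minutes,
                       id_token_minutes=60, refresh_token_days=30, allow_refresh=True):
    """Return the kwargs for boto3 cognito-idp create_user_pool_client()."""
    flows = set(auth_flows)
    unknown = flows - _KNOWN_FLOWS
    if unknown:
        raise ValueError(f"unknown auth flows: {sorted(unknown)}")
    if allow_refresh:
        # Refresh tokens are only honoured when this flow is explicitly allowed.
        flows.add("ALLOW_REFRESH_TOKEN_AUTH")
    for kind, value, unit in (("AccessToken", access_token_minutes, "minutes"),
                              ("IdToken", id_token_minutes, "minutes"),
                              ("RefreshToken", refresh_token_days, "days")):
        if not validity_is_allowed(kind, value, unit):
            raise ValueError(f"{kind} validity {value} {unit} is outside Cognito's range")
    return {
        "UserPoolId": user_pool_id,
        "ClientName": client_name,
        "GenerateSecret": False,  # public client; use True for a confidential server-side app
        "ExplicitAuthFlows": sorted(flows),
        "AccessTokenValidity": access_token_minutes,
        "IdTokenValidity": id_token_minutes,
        "RefreshTokenValidity": refresh_token_days,
        "TokenValidityUnits": {"AccessToken": "minutes", "IdToken": "minutes", "RefreshToken": "days"},
        "PreventUserExistenceErrors": "ENABLED",  # generic errors, no user enumeration via sign-in
    }


def example_clients(pool_id=POOL_ID):
    """App A: password auth, 5-minute access token. App B: SRP auth, 30-minute access token."""
    return {
        "app-a": app_client_request(pool_id, "app-a", {"ALLOW_USER_PASSWORD_AUTH"}, 5),
        "app-b": app_client_request(pool_id, "app-b", {"ALLOW_USER_SRP_AUTH"}, 30),
    }


if __name__ == "__main__":
    # To create them for real: boto3.client("cognito-idp").create_user_pool_client(**req)
    print(json.dumps(example_clients(), indent=2))
```

Each request dict can be passed straight to `create_user_pool_client(**req)`; the range checks fail fast locally instead of with an `InvalidParameterException` from the service.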

AWS Cognito AdminUserGlobalSignOut does not invalidate Cognito cookie?

I am using the web UI forms provided by Cognito for user sign in to our site with an OAuth flow.
We have a use case where the user should be signed out of all logged in session across browsers.
Looking at the docs, it seems like AdminUserGlobalSignOut does exactly what we're after. However, after calling it the 'cognito' browser cookie saved for foo.auth.us-east-1.amazoncognito.com remains valid. The next time a user loads https://foo.auth.us-east-1.amazoncognito.com/oauth2/authorize they are forwarded to the callback url as if they're authenticated instead of being redirected to foo.auth.us-east-1.amazoncognito.com/login.
I assume this is because the cookie is not invalidated by calling AdminUserGlobalSignOut, however this seems like the exact purpose of this method.
Is this a bug or am I missing something required to log a user out globally?
I know it's kind of too late to answer, but I think this is due to the fact that the token and the cookie are independent of each other.
I think this is expected behavior because the AdminUserGlobalSignOut API is just a feature to revoke the Refresh Token, not a feature to invalidate cookies issued by Cognito.
Also, as far as I know, there is no API to disable cookies issued by Cognito. I guess you have to use the respective Logout endpoints.
Configuring a User Pool App Client - Amazon Cognito
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html
Important
If you use the Hosted UI and set up tokens with a lifetime of less than an hour, the end user will be able to get new tokens based on their session cookie, which is currently fixed at one hour.
AdminUserGlobalSignOut - Amazon Cognito Identity Provider
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUserGlobalSignOut.html
Signs out users from all devices, as an administrator. It also invalidates all refresh tokens issued to a user. The user's current access and Id tokens remain valid until their expiry. Access and Id tokens expire one hour after they are issued.
LOGOUT Endpoint - Amazon Cognito
https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
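The three pieces the answer and the quoted docs describe fit together as follows; this is an added example, not code from the original thread or from AWS. AdminUserGlobalSignOut revokes refresh tokens, the LOGOUT endpoint is where the browser must be sent to drop the hosted-UI cookie, and because Cognito keeps already-issued access and ID tokens valid until `exp`, the application records a per-user sign-out timestamp and rejects tokens issued before it. The domain, client ID, pool ID, usernames and the in-memory registry are hypothetical, and the boto3 client is injectable so everything else runs offline.

```python
"""Global sign-out for a hosted-UI app: revoke refresh tokens, clear the
hosted-UI session cookie via the LOGOUT endpoint, and reject access/ID tokens
issued before the sign-out, which Cognito would otherwise honour until `exp`.

Added example, not code from the original thread. Domain, client ID, pool ID,
usernames and the in-memory registry are hypothetical; the boto3 call is
injectable so the rest runs offline.
"""
import time
from urllib.parse import urlencode


def build_logout_url(domain: str, client_id: str, logout_uri: str) -> str:
    """URL to redirect the browser to so the hosted UI drops its session cookie.

    `logout_uri` must be one of the app client's registered sign-out URLs,
    otherwise Cognito rejects the request.
    """
    query = urlencode({"client_id": client_id, "logout_uri": logout_uri})
    return f"https://{domain}/logout?{query}"


class SignOutRegistry:
    """username -> unix time of the user's last global sign-out.

    In-memory for the example; in production back this with a shared store
    that every token-verifying service can read.
    """

    def __init__(self):
        self._cutoff = {}

    def record(self, username: str, at: float) -> None:
        self._cutoff[username] = max(self._cutoff.get(username, 0.0), at)

    def token_is_acceptable(self, claims: dict, now=None) -> bool:
        """Call after signature verification (e.g. PyJWT against the pool JWKS).

        Rejects expired tokens and any token issued at or before the user's
        last global sign-out. Access tokens carry `username`, ID tokens carry
        `cognito:username`.
        """
        now = time.time() if now is None else now
        if claims.get("exp", 0) <= now:
            return False
        username = claims.get("username") or claims.get("cognito:username")
        cutoff = self._cutoff.get(username)
        # `iat` is whole seconds, so a token minted in the same second as the
        # sign-out is conservatively rejected as well.
        return cutoff is None or claims.get("iat", 0) > cutoff


def global_sign_out(registry, user_pool_id, username, client=None, now=None):
    """Revoke the user's refresh tokens on every device and record the cut-off."""
    if client is None:
        import boto3  # only needed when talking to the real service
        client = boto3.client("cognito-idp")
    client.admin_user_global_sign_out(UserPoolId=user_pool_id, Username=username)
    registry.record(username, time.time() if now is None else now)


if __name__ == "__main__":
    print(build_logout_url("foo.auth.us-east-1.amazoncognito.com", "abc123",
                           "https://app.example.com/signed-out"))
```

The server-side cut-off is what closes the one-hour window the API reference mentions: the refresh token is dead immediately, the cookie dies when the browser hits `/logout`, and any access or ID token minted before `global_sign_out` ran fails `token_is_acceptable` in your own services without waiting for `exp`.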

Amazon Cognito: Enforcing password expiration policy

Is there a way to enforce password expiration policy on users in Amazon Cognito user pools?
It doesn't look like expiration is built into the password policy. You could track password expiration by adding a passwordUpdatedAt field and manually updating that attribute on user sign up and on changePassword. Then you could schedule something that queries users with expired passwords and call AdminResetUserPassword for those users. It would be somewhat more reliable if AWS published Cognito User Pool user events like changePassword or just baked it into the service.
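The scheduled sweep the answer sketches, written out as an added example (not the answerer's code). It assumes a custom attribute `custom:passwordUpdatedAt` holding a unix timestamp that your sign-up and change-password paths maintain, a hypothetical pool ID, and a 90-day maximum age. Two caveats a practitioner would want: `ListUsers` filters only work on standard attributes, so the custom attribute has to be checked client-side after paginating, and a user with no stamp at all is treated as expired rather than silently skipped. The sample user records are constructed for the example.

```python
"""Scheduled password-expiry sweep over a Cognito user pool.

Added example, not code from the original answer. Assumes a custom attribute
custom:passwordUpdatedAt (unix seconds) maintained by your own sign-up and
change-password code, a hypothetical pool ID, and a 90-day maximum age.
ListUsers filters only support standard attributes, so expiry is decided
client-side while paginating.
"""
import time

ATTR = "custom:passwordUpdatedAt"
DEFAULT_MAX_AGE_DAYS = 90

# Constructed sample records in the shape ListUsers returns.
_NOW = 1_700_000_000
SAMPLE_USERS = [
    {"Username": "fresh", "UserStatus": "CONFIRMED",
     "Attributes": [{"Name": ATTR, "Value": str(_NOW - 10 * 86400)}]},
    {"Username": "stale", "UserStatus": "CONFIRMED",
     "Attributes": [{"Name": ATTR, "Value": str(_NOW - 120 * 86400)}]},
    {"Username": "unstamped", "UserStatus": "CONFIRMED",
     "Attributes": [{"Name": "email", "Value": "u@example.com"}]},
    {"Username": "already-reset", "UserStatus": "RESET_REQUIRED",
     "Attributes": [{"Name": ATTR, "Value": str(_NOW - 120 * 86400)}]},
]


def _attr(user: dict, name: str):
    for a in user.get("Attributes", []):
        if a["Name"] == name:
            return a["Value"]
    return None


def password_expired(user: dict, now: float, max_age_seconds: int) -> bool:
    """True if a CONFIRMED user's password is older than max_age_seconds.

    Users in RESET_REQUIRED / FORCE_CHANGE_PASSWORD / UNCONFIRMED are skipped:
    they already have to set a password before they can sign in.
    """
    if user.get("UserStatus") != "CONFIRMED":
        return False
    raw = _attr(user, ATTR)
    if raw is None:
        return True  # never stamped: fail closed rather than exempt the user
    try:
        updated = int(raw)
    except ValueError:
        return True  # corrupt stamp: same treatment
    return now - updated > max_age_seconds


def expired_usernames(users, now: float, max_age_seconds: int) -> list:
    return [u["Username"] for u in users if password_expired(u, now, max_age_seconds)]


def sweep(user_pool_id, max_age_days=DEFAULT_MAX_AGE_DAYS, client=None, now=None, dry_run=True):
    """Paginate the pool and reset expired passwords (unless dry_run).

    AdminResetUserPassword needs a verified email or phone on the user so the
    reset code can be delivered; users without one raise from the service.
    """
    if client is None:
        import boto3  # only needed against the real service
        client = boto3.client("cognito-idp")
    now = time.time() if now is None else now
    max_age = max_age_days * 86400
    targets = []
    for page in client.get_paginator("list_users").paginate(UserPoolId=user_pool_id):
        targets.extend(expired_usernames(page["Users"], now, max_age))
    if not dry_run:
        for username in targets:
            client.admin_reset_user_password(UserPoolId=user_pool_id, Username=username)
    return targets


if __name__ == "__main__":
    print(expired_usernames(SAMPLE_USERS, _NOW, DEFAULT_MAX_AGE_DAYS * 86400))
```

Run `sweep` with `dry_run=True` first from a scheduled job (EventBridge plus Lambda, or a cron host with `cognito-idp:ListUsers` and `cognito-idp:AdminResetUserPassword` scoped to the one pool) and review the list before letting it reset anyone.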

Connect api keys to cognito users

I am trying to connect Cognito with API keys that I receive from API Gateway. Every user has to receive several API keys, and I want to know if there is a way in API Gateway to mark that an API key belongs to some user.
Thanks

Configuration of JWT expiration time in Okta (OpenID Connect)

Is it possible to configure jwt token expiration time (exp property) for an Okta OpenId Connect application?
It seems to be set to 1 hour from issuing time (iat property) for both implicit and authorization code grants.
The expiration time of our OIDC tokens is not configurable and is indeed fixed to 1 hour. It's up to your app to use the refresh token and ask for a new access token (in the authorization code flow scenario) or simply call the authorize endpoint again to get a newer token (in the case of the implicit flow).