
User sign-out #26

Open

taraunekh opened this issue Nov 11, 2021 · 3 comments

Comments

@taraunekh

I just started to use this kit, and I am trying to understand how to sign out a user.

@adam-fowler
Member

Hi Laynel,

Once you have an accessToken or idToken there is no sign out. Access and id tokens are valid for an hour. If you don't refresh your tokens they can't be used.

You can do a global sign out, which will sign out across all devices and invalidate all access, id and refresh tokens. Using the CognitoIdentityProvider function globalSignOut. See AWS documentation https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GlobalSignOut.html and actual code in Soto https://github.com/soto-project/soto/blob/def7fd6835f6f7a42664d5158d5a79d9c417e452/Sources/Soto/Services/CognitoIdentityProvider/CognitoIdentityProvider_API.swift#L392

@taraunekh
Author

taraunekh commented Nov 15, 2021

Thanks for your response, Adam.

I managed to use CognitoIdentityProvider to revoke refresh token on sign out, so it can't be used to refresh access and id tokens.

```swift
let revokeTokenRequest = CognitoIdentityProvider.RevokeTokenRequest(clientId: clientId, token: refreshToken)
let revokeTokenResponse = try? await identityProvider.revokeToken(revokeTokenRequest)
```

I was also reading about OAuth 2 auth flows. Isn't the Authorization code grant with PKCE a recommended way to authenticate users in native and browser apps, even when we are not using Hosted UI? Thus tokens are never actually sent to the client.

https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

@adam-fowler
Member

Hi,

I missed revokeToken. I guess that is pretty much what you were asking for initially.

Regarding the recommended method for authentication, I'm not sure there is a recommended method either way. It depends on what you want. As I understand it, when a web app uses the OAuth2 auth flow, it still sends the access and id tokens to the web app. A server app would need to use the user pools API, and not the OAuth2 auth flow.
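An added example, not from this thread or from Soto, that puts the two options discussed above side by side: revoking the refresh token for one device versus globalSignOut for every device, followed by a check that a refresh attempt is rejected afterwards. The names SessionTokens, SignOutScope and CognitoSignOut are hypothetical, and the Soto request types and error-matching pattern are assumed to match the generated API in the version you use.

```swift
import SotoCognitoIdentityProvider

// Added example; assumes a configured AWSClient and Soto's async API surface.
struct SessionTokens {
    var accessToken: String
    var refreshToken: String
}

enum SignOutScope {
    case thisDevice   // revoke only this refresh token
    case everywhere   // invalidate every token issued to the user
}
struct CognitoSignOut {
    let identityProvider: CognitoIdentityProvider
    let clientId: String

    /// Already-issued access and id tokens stay valid until they expire (one
    /// hour by default); what sign-out buys you is that no new ones can be minted.
    func signOut(_ tokens: SessionTokens, scope: SignOutScope) async throws {
        switch scope {
        case .thisDevice:
            // Revoke the refresh token so it can no longer refresh access/id tokens.
            let request = CognitoIdentityProvider.RevokeTokenRequest(
                clientId: clientId, token: tokens.refreshToken)
            _ = try await identityProvider.revokeToken(request)
        case .everywhere:
            // GlobalSignOut needs a still-valid access token and invalidates all
            // access, id and refresh tokens for the user on every device.
            let request = CognitoIdentityProvider.GlobalSignOutRequest(
                accessToken: tokens.accessToken)
            _ = try await identityProvider.globalSignOut(request)
        }
    }
    /// Post-condition check: true when Cognito rejects the refresh token.
    /// Assumes Soto surfaces NotAuthorizedException as an equatable error value.
    func refreshIsRejected(_ refreshToken: String) async throws -> Bool {
        let request = CognitoIdentityProvider.InitiateAuthRequest(
            authFlow: .refreshTokenAuth,
            authParameters: ["REFRESH_TOKEN": refreshToken],
            clientId: clientId)
        do {
            _ = try await identityProvider.initiateAuth(request)
            return false
        } catch let error as CognitoIdentityProviderErrorType
            where error == .notAuthorizedException {
            return true
        }
    }
}
```

Because revocation does not shorten the life of an access token already in hand, clients should also discard their cached tokens locally on sign-out rather than rely on the server alone.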
