Cognito

How to invalidate Cognito-issued JWT tokens

The ability to invalidate a user’s session with immediate effect is a common enterprise requirement.

However, this goes against how token-based authentication is designed to work. JWT tokens are stateless and are typically short-lived (for security reasons) but can be refreshed with refresh tokens.

So, is it possible to invalidate Cognito-issued JWT tokens?

The short answer is no.

The long answer is yes, you can achieve this effect with some work and some performance overhead.

How? Well, come in and find out!

Biggest pre:Invent 2024 serverless announcements

DynamoDB cuts on-demand price by 50% (Announcement): DynamoDB has reduced on-demand pricing by 50% and global tables by up to 67%. Amazing!

Lambda SnapStart is now available for Python and .NET (Announcement): Previously, SnapStart was only available for Java. It makes sense to add support for .NET. But why Python and not Node.js? I guess …

Fine-grained access control in API Gateway with Cognito access token and scopes

In this post, we look at how you can implement fine-grained access control using Cognito access tokens and scopes. We will discuss the trade-offs of this approach and the cost implications of enabling Cognito’s Advanced Security Features (required for this approach to work).

Personally, I think this is too costly an approach and doesn’t offer enough upside in return.

Unless you’re using Advanced Security Features already, or your application has a high value per user (e.g. a B2B enterprise application), this approach may be difficult to justify in terms of return on investment.

Is it safe to use ID tokens with Cognito authorizers?

A common narrative is that one should always use access tokens to call your APIs, while ID tokens are strictly for identifying users.

But how much of that actually makes sense when you use Cognito authorizers with your API?

Are ID tokens inherently less secure?

What is the cost of using access tokens instead?

Ultimately, is it safe to use ID tokens, or should you switch to access tokens?

Fine-grained access control in API Gateway with Cognito groups & Lambda authorizer

Authentication and authorization are two distinct things.
API Gateway has built-in integration with Cognito, which handles authentication, but no fine-grained authorization.

There are many ways to implement fine-grained authorization with API Gateway. In this new post, I will show you one of these ways, along with its pros and cons and when to use it.

This is a cost-efficient approach that leverages Cognito, but without needing its more expensive Advanced Security Features.

What’s the best way to migrate Cognito users to a new user pool?

The challenge with a Cognito User Pool migration is that the user password cannot be extracted from Cognito. This is a good thing. It shows that Cognito follows security best practices and does not store user passwords in plain text.

But it makes our lives more difficult during a Cognito User Pool migration.

In this post, let’s consider three approaches for migrating users to a new Cognito User Pool.

Implementing Magic Links with Amazon Cognito: A Step-by-Step Guide

Last week, we looked at implementing passwordless authentication using one-time passwords (OTPs) with Cognito [1]. Another popular passwordless authentication method is magic links, where:

1. The user initiates the sign-in process by entering their email in your application.
2. They receive an email with a time-limited URL.
3. The user clicks on the URL and is authenticated into …

Passwordless Authentication made easy with Cognito: a step-by-step guide

Password-based authentication has long been the norm for securing user accounts. However, it is becoming increasingly clear that password-based authentication has several drawbacks, such as the risk of password theft, the need for users to remember complex passwords, and the time and effort required to reset forgotten passwords. Fortunately, more and more websites have started …

How to secure multi-tenant applications with AppSync and Cognito

One of the most common questions I get is “How do I build a multi-tenant application with AppSync and Cognito?”. If you google this topic on the internet you will no doubt come across many different opinions. It’s a topic that we’ll soon explore in the AppSync Masterclass but I want to take this opportunity …
