I have an application and I use Cognito + Identity provider to use google accounts as my users. In Cognito, I have several groups, and in my application itself admin users can add users to groups, remove them from groups, and so on. The thing is, for these changes in the user to be reflected, the affected user needs to logout and in again in the application.
Having a new token fetched on every page load/request does not seem like a good practice. Therefore, I was looking for a Cognito function that would allow me to log a certain user from all it's active sessions. I looked for functions such as logout and revoke, but they require that I have the affected user's access token - which I obviously don't. After that I started playing around with other functions that could have the same effect, such as AdminForgetDevice - I thought that by forgetting a device maybe Cognito would log you out, but that is just used for 2FA, which my application doesn't support.
Seems to me a pretty basic thing what I'm trying to do, and kind of impossible to think that Cognito doesn't support it. Am I asking the wrong question? Is there an endpoint to accomplish this, or a different token-retrieval approach that I should use? I just want to make sure that if a user's groups were changed, those changes reflect immediately. My approach right now is forcing all that user's sessions to end.
I reached out to AWS support asking about this, and their official answer is that Cognito has no action to end all sessions of a specific user immediately. But I came to a solution on my own. You have two options:
1. User global signout and wait 1 hour until the user session is expired.
Not a fan of this solution. If you removed access from a user, makes no sense that the user can still use their old permissions for an hour.
2. Make your interface aware that the user should be logged out and use the logout function
This is the approach I'm going with. The moment an administrator changes a user's permissions, I am creating a notification for that user. The interface, once the user accesses it, know that there have been changes to that user because of the notification. The interface, then, in possession of the user's accessToken, can simply call the logout function.