adminUserGlobalSignOut not returning any data or not awaiting promise
When awaiting the promise from adminUserGlobalSignOut, the promise appears to return but the data contains nothing.
The next call after the sign-out authenticates the user. The correct accessToken is returned, but it has already been revoked, which makes me think the promise is not being awaited properly and the new credentials are being signed out by the previous call, which is still running.
We are using globalSignOut to prevent a user from having multiple sessions, so the workflow is as follows:
Authenticate -> Success -> Sign out (kill any other sessions) -> Authenticate -> Success -> Return tokens
I updated my lambda package to include the latest SDK version, 2.469.0, with no improvement.
Sometimes the timing must work out, because the returned credentials remain valid and the tokens can be used.
In both cases the data returned from the AWS call appears to be null.
The part of the lambda code that calls the sign-out method in the User library:
```javascript
// Inside the Lambda handler (callback style); User, Helper, log, userId and
// callback are provided by the surrounding handler code.
let signOutResult;
try {
  signOutResult = await User.globalSignOut(userId, process.env.COGNITO_POOL);
} catch (err) {
  log.error("AWS Global Signout Error: " + JSON.stringify(err));
  const responseBody = Helper.buildCORSResponse(502, JSON.stringify({ message: err }));
  return callback(null, responseBody);
}
```
The globalSignOut code in the User library:
```javascript
const AWS = require("aws-sdk");

// log is the library's logger.
function globalSignOut(Username, UserPoolId) {
  return new Promise((resolve, reject) => {
    log.info(`globalSignOut: Signing ${Username} out from all devices in pool ${UserPoolId}`);
    const signOutRequest = new AWS.CognitoIdentityServiceProvider({ apiVersion: "2016-04-18" })
      .adminUserGlobalSignOut({ Username, UserPoolId });
    const signOutPromise = signOutRequest.promise();
    signOutPromise
      .then((data) => {
        // AdminUserGlobalSignOut resolves with an empty object on success,
        // so an empty data value here is the normal result.
        log.debug("globalSignOut: Cognito SignOut Success: " + JSON.stringify(data));
        resolve(data);
      })
      .catch((err) => {
        log.error("globalSignOut: Cognito SignOut Error: " + err);
        reject(err);
      });
  });
}
```
On every call we resolve fine, and then we authenticate the user again.
```javascript
log.debug("globalSignOut: Cognito SignOut Success: " + JSON.stringify(data));
resolve(data);
```
Has anyone found anything that could be causing this? I have tried several ways of specifying the promise, using the same format that works for other services, and awaiting the resulting promise before code execution continues.
All suggestions are much appreciated.
Update from AWS Support on this behaviour in case anyone else runs into this issue. I can confirm that adding a small delay before re-authenticating the user after a global sign-out works fine.
Thank you for getting back to us.
In order to troubleshoot this issue, I tried to replicate it on my end by testing the below mentioned flow (as provided by you in the ) :
Authenticate user -> Global Sign Out -> Authenticate again -> Check the validity of the new token
I wrote Python code to implement the above flow. In the flow, after calling the globalSignOut method, I authenticated the user again and checked the validity of the token by making a getUser API call. But the getUser API call returned the following response: "An error occurred (NotAuthorizedException) when calling the GetUser operation: Access Token has been revoked"
Now, I added a sleep function after the GlobalSignOut for 1 second and the flow worked correctly. I did a few tests with the sleep time and noticed that if we add a sleep period of 0.6 seconds or greater, the API works correctly. So, it seems that the GlobalSignOut API call returns the response immediately, but the global logging-out process (revoking of tokens) still runs in the backend for approximately 0.6 seconds.
For this, I reached out to the Cognito development team to confirm this behavior of the GlobalSignOut API call. The team has confirmed that this is expected behavior of the GlobalSignOut API call. When GlobalSignOut is called, all the tokens that were issued before that time are considered invalid. If the gap between sign-out and authentication is very small (from my tests, this is approximately 0.6 seconds), the token issued after authentication can be treated as issued before the sign-out call and, for better security, is considered invalid.
I hope that the above information helps. If there is anything else I can do to help, please let me know. I will be more than happy to assist you.
Have a great day ahead.
Best regards,
Amazon Web Services
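The flow the support reply recommends, as an added example that is not code from the original post: sign out everywhere, let revocation settle, re-authenticate, and prove the new access token is live with GetUser before returning it. The Cognito client is injected, so the same function works with the AWS SDK v2 CognitoIdentityServiceProvider (every call exposes .promise()) and with the constructed in-memory fake below; the 1 s default settle time, the retry count and all names here are the example's own choices.

```javascript
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Cognito reports a token treated as issued before a global sign-out with this error.
function isRevokedError(err) {
  return Boolean(err) && err.code === "NotAuthorizedException" && /revoked/i.test(err.message || "");
}

// settleMs defaults to 1000 ms: support measured roughly 0.6 s, so 1 s leaves headroom.
async function signOutAndReauthenticate(cognito, { UserPoolId, Username, authenticate, settleMs = 1000, maxAttempts = 3 }) {
  await cognito.adminUserGlobalSignOut({ UserPoolId, Username }).promise(); // resolves to {} on success
  let lastErr;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    await sleep(settleMs);
    const tokens = await authenticate(); // caller's auth flow, e.g. adminInitiateAuth
    try {
      await cognito.getUser({ AccessToken: tokens.AccessToken }).promise(); // proves the token is usable
      return { tokens, attempts: attempt };
    } catch (err) {
      if (!isRevokedError(err)) throw err; // anything but the sign-out race is a real failure
      lastErr = err;
    }
  }
  throw lastErr;
}

// Constructed fake (hypothetical) of the two Cognito calls used above. It models what
// support described: GlobalSignOut returns immediately, but any token issued within
// windowMs of that call is still treated as issued before it and is revoked.
function fakeCognito(windowMs) {
  let revokedBefore = -Infinity;
  const call = (fn) => ({ promise: () => Promise.resolve().then(fn) });
  return {
    adminUserGlobalSignOut: () => call(() => { revokedBefore = Date.now() + windowMs; return {}; }),
    getUser: ({ AccessToken }) => call(() => {
      const [Username, issuedAt] = AccessToken.split(":");
      if (Number(issuedAt) < revokedBefore) {
        const err = new Error("Access Token has been revoked");
        err.code = "NotAuthorizedException";
        throw err;
      }
      return { Username };
    }),
    // Fake token "<user>:<issue time in ms>" so the race is visible in the token itself.
    authenticateAs: (Username) => async () => ({ AccessToken: `${Username}:${Date.now()}` }),
  };
}
```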