Removing a user from a group does not remove their access until they logout #5700
Comments
Related to: #3730 (comment)

Digging into this more, I think this may actually be a bug in AppSync rather than Amplify. The way Amplify is performing these dynamic group authorizations is it generates AppSync resolvers that build a custom condition using the contents of `$ctx.identity.claims.get("cognito:groups")`. If the contents of this are not reliable, then Amplify's resolver won't stand a chance.

@jordanranz If this is the case, would this need to be submitted directly to the AppSync team?
The comment in #3730 (comment) seems most applicable, namely that tokens are considered valid until they expire, since the allowed groups are stored in the tokens themselves. This is more related to how JWTs are compared at runtime vs. stateful, session-based services. Mitigation depends on the security profile of the app & situation:

What level of mitigation best fits your situation?
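To make the point in the comment above concrete, here is an added example (not Amplify, AppSync or Cognito code) contrasting a resolver-style check that trusts the `cognito:groups` claim baked into the token with a check that consults an authoritative membership store. It assumes an HS256 token with a constructed key standing in for a Cognito ID token (Cognito actually issues RS256 tokens) and a plain dict `directory` standing in for the group store.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 JWT standing in for a Cognito ID token (assumption: real tokens are RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, now: int) -> dict:
    """Check signature and expiry, then return the claims; raises ValueError otherwise."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def allowed_by_claims(token: str, key: bytes, group: str, now: int) -> bool:
    """Resolver-style check: trusts cognito:groups as it was when the token was issued."""
    try:
        claims = verify_token(token, key, now)
    except ValueError:
        return False
    return group in claims.get("cognito:groups", [])


def allowed_by_directory(token: str, key: bytes, group: str, directory: dict, now: int) -> bool:
    """Hardened check: the token proves identity, the authoritative store decides membership."""
    try:
        claims = verify_token(token, key, now)
    except ValueError:
        return False
    return group in directory.get(claims["sub"], set())
```

Removing the user from `directory` changes the answer of `allowed_by_directory` immediately, while `allowed_by_claims` keeps granting access until `exp` passes, which is exactly the window this issue describes.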
In order for this to be effective server-side authentication, forcing a refresh in the client isn't a workable solution, as this would be a fairly big security hole.

Just checked with the Cognito team and we're tracking this in a related issue: Closing so we can track the progress there. Be sure to subscribe for updates!
Describe the bug
When using dynamic group authorization, if a user is removed from a Cognito group, they still have full access until they log out and log back in.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The operations should not be successful, because the user is not a member of the Admin group.