Removing a user from a group does not remove their access until they logout #5700

Closed
cjsedwards opened this issue May 6, 2020 · 7 comments
Labels
Auth Related to Auth components/category Cognito Related to cognito issues duplicate If marked with duplicate, issue will be closed & original will be added for traceability Service Team Issues asked to the Service Team

Comments

@cjsedwards

Describe the bug
When using dynamic group authorization, if a user is removed from a cognito group, they still have full access until they log out and log back in.

To Reproduce
Steps to reproduce the behavior:

  1. Create an "Admin" user group in cognito
  2. Add a type with this attribute: @auth(rules: [{allow: groups, groups: ["Admin"], provider: userPools}])
  3. Add a user to the "Admin" group
  4. Login as that user
  5. Remove the user from the Admin group
  6. Try to access a resource that only Admin should have access to

Expected behavior
The operations should not be successful, because the user is not a member of the Admin group

@cjsedwards cjsedwards added the to-be-reproduced Used in order for Amplify to reproduce said issue label May 6, 2020
@jordanranz jordanranz added Auth Related to Auth components/category Cognito Related to cognito issues Service Team Issues asked to the Service Team and removed to-be-reproduced Used in order for Amplify to reproduce said issue labels May 6, 2020
@jordanranz
Contributor

Related to: #3730 (comment)

@cjsedwards
Author

Digging into this more, I think this may actually be a bug in AppSync rather than Amplify. The way Amplify is performing these dynamic group authorizations is it generates AppSync resolvers that build a custom condition using the contents of:

$ctx.identity.claims.get("cognito:groups")

If the contents of this are not reliable, then Amplify's resolver won't stand a chance.

@cjsedwards
Author

@jordanranz If this is the case, would this need to be submitted directly to the AppSync team?

@ericclemmons
Contributor

The comment in #3730 (comment) seems most applicable, namely that tokens are considered valid until they expire, since the allowed groups are stored in the tokens themselves.

This is more related to how JWTs are compared at runtime vs. stateful, session-based services.

Mitigation depends on the security profile of the app & situation:

So if the JWT has information that hasn't been refreshed yet the client could still have access until the token expires. This is why you would need some sort of push mechanism based on a trigger event in the backend to force the client to refresh its token. This is totally up to what you think your security posture needs to be as most of the time for systems it's fine to let the token expire and refresh in an acceptable time period.

What level of mitigation best fits your situation?
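The two comments above (the resolver reading `cognito:groups` from `$ctx.identity.claims`, and the explanation that a JWT's group claim stays valid until the token expires) can be shown with a small simulation. This is an added example and is not code from Amplify, AppSync or Cognito: it mints a JWT whose `cognito:groups` claim is a snapshot at issue time, then compares a claims-only authorizer (what the generated resolver does) against one that consults a live membership store (standing in for the user pool's current group assignments, which a Lambda authorizer or API layer could query). HMAC-SHA256 with a constructed key replaces the RS256 signature of a real Cognito token only to keep the example self-contained; the user, group store and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key. Real Cognito tokens are RS256-signed and verified
# against the user pool's JWKS; HMAC is used here only to stay self-contained.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(username: str, groups, now: int, ttl: int = 3600) -> str:
    """Mint a JWT whose cognito:groups claim is frozen at issue time."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "cognito:username": username,
        "cognito:groups": sorted(groups),
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = (
        f"{b64url(json.dumps(header).encode())}."
        f"{b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(token: str, now: int) -> dict:
    """Check signature and expiry, then return the claims; raise on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize_from_claims(token: str, required_group: str, now: int) -> bool:
    """Claims-only check: trust cognito:groups carried inside the token."""
    claims = verify_token(token, now)
    return required_group in claims.get("cognito:groups", [])


def authorize_with_live_lookup(token: str, required_group: str, now: int,
                               live_groups: dict) -> bool:
    """Same check, but membership comes from the current group store
    (hypothetical stand-in for querying the user pool at request time)."""
    claims = verify_token(token, now)
    username = claims["cognito:username"]
    return required_group in live_groups.get(username, set())


def demo() -> dict:
    """Walk through the issue's reproduction steps against both authorizers."""
    t0 = 1_600_000_000                      # constructed timestamp
    store = {"alice": {"Admin"}}            # constructed live group store
    token = issue_token("alice", store["alice"], now=t0)   # step 4: login
    before = (authorize_from_claims(token, "Admin", t0 + 10),
              authorize_with_live_lookup(token, "Admin", t0 + 10, store))
    store["alice"].discard("Admin")         # step 5: removed from Admin group
    after = (authorize_from_claims(token, "Admin", t0 + 20),
             authorize_with_live_lookup(token, "Admin", t0 + 20, store))
    try:                                    # after exp both authorizers refuse
        authorize_from_claims(token, "Admin", t0 + 3600)
        expired = "accepted"
    except ValueError as exc:
        expired = str(exc)
    return {"before": before, "after": after, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `before == (True, True)`, `after == (True, False)` and `expired == "token expired"`: the claims-only path keeps granting Admin after the removal because nothing in the still-valid token changed, while the live-lookup path denies immediately. The cost of the second path is a membership query per request, which is the trade-off the comment above describes between letting the token age out and forcing a refresh.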

@cjsedwards
Author

In order for this to be effective server-side authentication, forcing a refresh in the client isn't a workable solution, as this would be a fairly big security hole.

@ericclemmons ericclemmons added the duplicate If marked with duplicate, issue will be closed & original will be added for traceability label May 11, 2020
@ericclemmons
Contributor

Just checked with the Cognito team and we're tracking this in a related issue:

#3435 (comment)

Closing so we can track the progress there. Be sure to subscribe for updates!

@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 11, 2021