feat: revoke tokens during auth sign out (#2415)

* feature: user pool token revocation model updates

* feature: revoke tokens if invalidate tokens specified

* Token revocation (#2532)

* feat(aws-android-sdk-cognitoidentityprovider): support custom endpoint

* feat(aws-android-sdk-cognitoidentityprovider): support custom endpoint unit tests

* feat(aws-android-sdk-cognitoidentityprovider): support custom endpoint unit tests

* feat(aws-android-sdk-machinelearning): update models to latest (#2407)

Co-authored-by: Richard McClellan <[email protected]>

* feat(aws-android-sdk-iot): update models to latest (#2408)

Co-authored-by: Richard McClellan <[email protected]>

* feat(aws-android-sdk-comprehend): update models to latest (#2409)

Co-authored-by: Richard McClellan <[email protected]>

* feat(aws-android-sdk-transcribe): update models to latest (#2410)

Co-authored-by: Richard McClellan <[email protected]>

* feat(aws-android-sdk-lex): update models to latest (#2413)

Co-authored-by: Richard McClellan <[email protected]>

* chore(lex): update service name for lex runtime (#2424)

* feat(aws-android-sdk-kinesisvideo-archivedmedia): update models to latest (#2422)

* Revert "feat(aws-android-sdk-cognitoidentityprovider): support custom endpoint" (#2425)

Co-authored-by: Richard McClellan <[email protected]>

* release: 2.22.6 (#2426)

* fix(mobile-client): missing optional dependency warning removed (#2427)

* fix(mobile-client): missing optional dependency warning removed

* make comment more descriptive

* chore: add fastlane scripts for release automation (#2428)

* fix: change protocol for github import (#2429)

* fix(s3): remove eTag validation logic (#2419)

* chore(build): use in-memory key in CI (#2449)

* change the time offset precision from int to long (#2448)

**Notes:**

The clockskew auto-correct logic in the SDK relies on the `int`
primitive type when calculating the offset. When the offset is converted
from milliseconds to days, the ms represented as an `int` have the
boundaries as -24 and +24 days. Changing it to long (64-bit precision)
fixes the limit.

* fix(s3): force upload part tasks to be serial (#2447)

* feat(aws-android-sdk-core): update models to latest (#2445)

Co-authored-by: Richard McClellan <[email protected]>

* release: AWS SDK for Android 2.22.7 (#2451)

* release: AWS SDK for Android 2.23.0

* Update CHANGELOG.md

Co-authored-by: Richard McClellan <[email protected]>

* Update CHANGELOG.md

* Update gradle.properties

* Update CHANGELOG.md

* Update CHANGELOG.md

Co-authored-by: awsmobilesdk-dev+ghops <[email protected]>
Co-authored-by: Chang Xu <[email protected]>
Co-authored-by: Richard McClellan <[email protected]>

* "feat(aws-android-sdk-cognitoidentityprovider): support custom endpoint" (#2455)

* fix(pinpoint): add campaign attributes to push events (#2458)

* release: AWS SDK for Android 2.23.0 (#2459)

* release: AWS SDK for Android 2.22.8

* Update CHANGELOG.md

* Update CHANGELOG.md

* Update CHANGELOG.md

* Update gradle.properties

Co-authored-by: awsmobilesdk-dev+ghops <[email protected]>
Co-authored-by: Chang Xu <[email protected]>

* feat(aws-android-sdk-sns): update models to latest (#2461)

* feat(aws-android-sdk-cognitoidentityprovider): update models to latest (#2456)

Co-authored-by: Raphael Kim <[email protected]>

* chore(build): set region in circleci script (#2467)

* fix: launch hosted-ui sign-out using custom tabs manager (#2472)

* feat(mobile-client): hosted-ui auth response handler is now built into redirect activity (#2473)

* feat(mobile-client): auth response handler is now built into redirect activity

* add javadocs for redirect activities

* add signout latch conditionally

* add no history flag to auth signout flow

* feat(aws-android-sdk-connect): update models to latest (#2469)

Co-authored-by: Raphael Kim <[email protected]>

* feat(aws-android-sdk-transcribe): update models to latest (#2476)

Co-authored-by: Raphael Kim <[email protected]>

* feat(aws-android-sdk-rekognition): update models to latest (#2487)

Co-authored-by: Raphael Kim <[email protected]>

* feat(aws-android-sdk-iot): update models to latest (#2490)

Co-authored-by: Raphael Kim <[email protected]>
Co-authored-by: Rafael Juliano <[email protected]>

* feat(aws-android-sdk-location): update models to latest (#2494)

Co-authored-by: Raphael Kim <[email protected]>

* feat(aws-android-sdk-sns): update models to latest (#2496)

Co-authored-by: Raphael Kim <[email protected]>

* feat(aws-android-sdk-polly): update models to latest (#2497)

Co-authored-by: Raphael Kim <[email protected]>

* chore(sts): add support for regionalizing sts client (#2493)

* feat(sts): add support for regionalizing sts client

* feat(aws-android-sdk-mobile-client): adds signature with user attributes in confirmSignIn (#2492)

* feat(aws-android-sdk-mobile-client): adds signature with user attributes in confirmSignIn

* code review suggestion

Co-authored-by: Noyes <[email protected]>

* release: AWS SDK for Android 2.24.0 (#2500)

* release: AWS SDK for Android 2.24.0

* Reword the changelog

* include instruction for applying fix

Co-authored-by: awsmobilesdk-dev+ghops <[email protected]>
Co-authored-by: Raphael Kim <[email protected]>

* fix(aws-android-sdk-lex): prioritize custom lex signer for all regions (#2506)

* fix(aws-android-sdk-lex): prioritize custom lex signer for all regions

* add tests

* fix(mobileclient): Honor auth flow setting from config (#2499)

* fix(mobileclient): Honor auth flow setting from config

* PR feedback

* fix(aws-android-sdk-polly): use correct SignerConfig in all regions (#2505)

Co-authored-by: Raphael Kim <[email protected]>

* feat(aws-android-sdk-cognitoidentityprovider): update models to latest (#2510)

* release: AWS SDK for Android 2.25.0 (#2512)

Co-authored-by: awsmobilesdk-dev+ghops <[email protected]>

* chore(docs): releases not pushed to S3 anymore (#2514)

* fix(aws-android-sdk-s3): implement retry mechanism for upload part (#2504)

* implement retry mechanism for upload part

* reduce backoff time and max attempts

* lgtm warning

* feat(aws-android-sdk-connect): update models to latest (#2516)

* feat(aws-android-sdk-kms): update models to latest (#2518)

* release: AWS SDK for Android 2.26.0 (#2525)

Co-authored-by: awsmobilesdk-dev+ghops <[email protected]>

* feat(aws-android-sdk-connect): update models to latest (#2526)

Co-authored-by: Abhash Kumar Singh <[email protected]>
Co-authored-by: Abhash Kumar Singh <[email protected]>
Co-authored-by: Jameson Williams <[email protected]>
Co-authored-by: AWS Mobile SDK Team <[email protected]>
Co-authored-by: Richard McClellan <[email protected]>
Co-authored-by: Raphael Kim <[email protected]>
Co-authored-by: Rafael Juliano <[email protected]>
Co-authored-by: Daniel Rochetti <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: awsmobilesdk-dev+ghops <[email protected]>
Co-authored-by: Chang Xu <[email protected]>
Co-authored-by: Dustin Noyes <[email protected]>
Co-authored-by: Noyes <[email protected]>
Co-authored-by: tllauda <[email protected]>

* Update UserPoolClientType.java

remove duplicate vars.

* delete code for removed API

* fixes:
 - use access token to check claim
 - check for origin_jti claim
 - clientSecret is optional

* Update aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java

Co-authored-by: Richard McClellan <[email protected]>

* swallow exceptions

* update test mock classes with latest model changes

* add unit tests

* return revoketoken response result

Co-authored-by: Divyesh Chitroda <[email protected]>
Co-authored-by: Abhash Kumar Singh <[email protected]>
Co-authored-by: Abhash Kumar Singh <[email protected]>
Co-authored-by: AWS Mobile SDK Team <[email protected]>
Co-authored-by: Richard McClellan <[email protected]>
Co-authored-by: Raphael Kim <[email protected]>
Co-authored-by: Rafael Juliano <[email protected]>
Co-authored-by: Daniel Rochetti <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: awsmobilesdk-dev+ghops <[email protected]>
Co-authored-by: Chang Xu <[email protected]>
Co-authored-by: Dustin Noyes <[email protected]>
Co-authored-by: Noyes <[email protected]>
Co-authored-by: tllauda <[email protected]>
Co-authored-by: poojamat <[email protected]>

Author: 15 people

aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java

@@ -45,6 +45,7 @@
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.tokens.CognitoIdToken;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.tokens.CognitoRefreshToken;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.util.CognitoDeviceHelper;
+import com.amazonaws.mobileconnectors.cognitoidentityprovider.util.CognitoJWTParser;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.util.CognitoSecretHash;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.util.CognitoServiceConstants;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.util.Hkdf;
@@ -83,6 +84,8 @@
 import com.amazonaws.services.cognitoidentityprovider.model.ResourceNotFoundException;
 import com.amazonaws.services.cognitoidentityprovider.model.RespondToAuthChallengeRequest;
 import com.amazonaws.services.cognitoidentityprovider.model.RespondToAuthChallengeResult;
+import com.amazonaws.services.cognitoidentityprovider.model.RevokeTokenRequest;
+import com.amazonaws.services.cognitoidentityprovider.model.RevokeTokenResult;
 import com.amazonaws.services.cognitoidentityprovider.model.SMSMfaSettingsType;
 import com.amazonaws.services.cognitoidentityprovider.model.SetUserMFAPreferenceRequest;
 import com.amazonaws.services.cognitoidentityprovider.model.SetUserMFAPreferenceResult;
@@ -2332,6 +2335,28 @@ private void deleteAttributesInternal(final List<String> attributeNamesToDelete,
         cognitoIdentityProviderClient.deleteUserAttributes(deleteUserAttributesRequest);
     }
 
+    public RevokeTokenResult revokeTokens() {
+        try {
+            CognitoUserSession cognitoUserSession = getCachedSession();
+            String accessToken = cognitoUserSession.getAccessToken().getJWTToken();
+            if (CognitoJWTParser.hasClaim(accessToken, "origin_jti")) {
+                String refreshToken = cognitoUserSession.getRefreshToken().getToken();
+                RevokeTokenRequest request = new RevokeTokenRequest();
+                request.setToken(refreshToken);
+                request.setClientId(clientId);
+                if (!StringUtils.isBlank(clientSecret)) {
+                    request.setClientSecret(clientSecret);
+                }
+                return cognitoIdentityProviderClient.revokeToken(request);
+            } else {
+                LOGGER.debug("Access Token does not contain `origin_jti` claim. Skip revoking tokens.");
+            }
+        } catch (final Exception e) {
+            LOGGER.warn("Failed to revoke tokens.", e);
+        }
+        return null;
+    }
+
     /**
      * Sign-Out this user by removing all cached tokens.
      */

aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/util/CognitoJWTParser.java

@@ -115,6 +115,20 @@ public static String getClaim(String jwt, String claim) {
         return null;
     }
 
+    /**
+     * Checks if a JWT token contains a claim.
+     * @param jwt A string, possibly not event a JWT
+     * @param key Key for a claim, e.g., "jti" or "aud"
+     * @return True if JWT is a valid JWT and contains the requested claim, false otherwise
+     */
+    public static boolean hasClaim(String jwt, String key) {
+        try {
+            return getPayload(jwt).has(key);
+        } catch (Exception e) {
+            return false;
+        }
+    }
+
     /**
      * Checks if {@code JWT} is a valid JSON Web Token.
      *

aws-android-sdk-mobile-client/src/androidTest/java/com/amazonaws/mobile/client/AWSMobileClientTest.java

@@ -31,6 +31,16 @@
 import com.amazonaws.mobile.client.results.Tokens;
 import com.amazonaws.mobile.client.results.UserCodeDeliveryDetails;
 import com.amazonaws.mobile.config.AWSConfiguration;
+import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoDevice;
+import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUser;
+import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUserDetails;
+import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUserPool;
+import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUserSession;
+import com.amazonaws.mobileconnectors.cognitoidentityprovider.continuations.AuthenticationContinuation;
+import com.amazonaws.mobileconnectors.cognitoidentityprovider.continuations.ChallengeContinuation;
+import com.amazonaws.mobileconnectors.cognitoidentityprovider.continuations.MultiFactorAuthenticationContinuation;
+import com.amazonaws.mobileconnectors.cognitoidentityprovider.handlers.AuthenticationHandler;
+import com.amazonaws.mobileconnectors.cognitoidentityprovider.handlers.GetDetailsHandler;
 import com.amazonaws.regions.Region;
 import com.amazonaws.regions.Regions;
 import com.amazonaws.services.cognitoidentity.AmazonCognitoIdentity;
@@ -50,6 +60,7 @@
 import com.amazonaws.services.cognitoidentityprovider.model.ListUsersRequest;
 import com.amazonaws.services.cognitoidentityprovider.model.ListUsersResult;
 import com.amazonaws.services.cognitoidentityprovider.model.MessageActionType;
+import com.amazonaws.services.cognitoidentityprovider.model.NotAuthorizedException;
 import com.amazonaws.services.cognitoidentityprovider.model.ResourceNotFoundException;
 import com.amazonaws.services.cognitoidentityprovider.model.UserNotConfirmedException;
 import com.amazonaws.services.cognitoidentityprovider.model.UserType;
@@ -104,6 +115,7 @@ public class AWSMobileClientTest extends AWSMobileClientTestBase {
     private static final int THROTTLED_DELAY = 5000;
 
     static AmazonCognitoIdentityProvider userpoolLL;
+    static CognitoUserPool userPool;
 
     static {
         try {
@@ -117,6 +129,8 @@ public class AWSMobileClientTest extends AWSMobileClientTestBase {
     static Regions clientRegion = Regions.US_WEST_2;
     static String userPoolId;
     static String identityPoolId;
+    static String clientId;
+    static String clientSecret;
 
     Context appContext;
     AWSMobileClient auth;
@@ -226,13 +240,17 @@ public void onError(Exception e) {
         assertNotNull(userPoolConfig);
         clientRegion = Regions.fromName(userPoolConfig.getString("Region"));
         userPoolId = userPoolConfig.getString("PoolId");
+        clientId = userPoolConfig.getString("AppClientId");
+        clientSecret = userPoolConfig.optString("AppClientSecret");
 
         JSONObject identityPoolConfig =
                 awsConfiguration.optJsonObject("CredentialsProvider").getJSONObject(
                         "CognitoIdentity").getJSONObject("Default");
         assertNotNull(identityPoolConfig);
         identityPoolId = identityPoolConfig.getString("PoolId");
 
+        userPool = new CognitoUserPool(appContext, userPoolId, clientId, clientSecret, clientRegion);
+
         deleteAllUsers(userPoolId);
         createUserViaAdminAPI(userPoolId, USERNAME_ADMIN_API_USER, EMAIL_ADMIN_API_USER);
     }
@@ -413,6 +431,124 @@ public void onUserStateChanged(UserStateDetails details) {
         assertNotEquals(getPackageConfigure().getString("identity_id"), details.toString());
     }
 
+    @Test
+    public void testRevokeTokenWithSignedInUser() throws Exception {
+        auth.signIn(username, PASSWORD, null);
+        assertTrue("isSignedIn is true", auth.isSignedIn());
+
+        final AtomicReference<Boolean> tokenRevoked = new AtomicReference<Boolean>(false);
+        final CountDownLatch revokeTokenLatch = new CountDownLatch(2);
+        final CognitoUser user = userPool.getCurrentUser();
+        user.getSession(new AuthenticationHandler() {
+            @Override
+            public void onSuccess(CognitoUserSession userSession, CognitoDevice newDevice) {
+                revokeTokenLatch.countDown();
+            }
+
+            @Override
+            public void getAuthenticationDetails(AuthenticationContinuation authenticationContinuation, String userId) {
+
+            }
+
+            @Override
+            public void getMFACode(MultiFactorAuthenticationContinuation continuation) {
+
+            }
+
+            @Override
+            public void authenticationChallenge(ChallengeContinuation continuation) {
+
+            }
+
+            @Override
+            public void onFailure(Exception exception) {
+                exception.printStackTrace();
+                fail("Sign in failed.");
+            }
+        });
+
+        user.getDetails(new GetDetailsHandler() {
+            @Override
+            public void onSuccess(CognitoUserDetails cognitoUserDetails) {
+                revokeTokenLatch.countDown();
+            }
+
+            @Override
+            public void onFailure(Exception exception) {
+                exception.printStackTrace();
+                fail("Get user details failed.");
+            }
+        });
+
+        try {
+            user.revokeTokens();
+            tokenRevoked.set(true);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        revokeTokenLatch.await(5, TimeUnit.SECONDS);
+        assertTrue(tokenRevoked.get());
+
+        user.getDetails(new GetDetailsHandler() {
+            @Override
+            public void onSuccess(CognitoUserDetails cognitoUserDetails) {
+                fail("Request to get user details should fail with NotAuthorizedException after token is revoked.");
+            }
+
+            @Override
+            public void onFailure(Exception exception) {
+                assertTrue(exception instanceof NotAuthorizedException);
+            }
+        });
+    }
+
+    @Test
+    public void testRevokeTokenWithSignedOutUser() throws Exception {
+        auth.signIn(username, PASSWORD, null);
+        assertTrue("isSignedIn is true", auth.isSignedIn());
+
+        final CountDownLatch revokeTokenLatch = new CountDownLatch(1);
+        final CognitoUser user = userPool.getCurrentUser();
+        user.getSession(new AuthenticationHandler() {
+            @Override
+            public void onSuccess(CognitoUserSession userSession, CognitoDevice newDevice) {
+                revokeTokenLatch.countDown();
+            }
+
+            @Override
+            public void getAuthenticationDetails(AuthenticationContinuation authenticationContinuation, String userId) {
+
+            }
+
+            @Override
+            public void getMFACode(MultiFactorAuthenticationContinuation continuation) {
+
+            }
+
+            @Override
+            public void authenticationChallenge(ChallengeContinuation continuation) {
+
+            }
+
+            @Override
+            public void onFailure(Exception exception) {
+                exception.printStackTrace();
+                fail("Sign in failed.");
+            }
+        });
+        revokeTokenLatch.await(5, TimeUnit.SECONDS);
+
+        auth.signOut();
+        assertFalse("isSignedIn is false", auth.isSignedIn());
+
+        try {
+            user.revokeTokens();
+        } catch (Exception e) {
+            assertTrue(e instanceof InvalidParameterException);
+        }
+    }
+
     @Test
     public void testIdentityId() throws Exception {
         try {
@@ -524,6 +660,28 @@ public void testSignOut() throws Exception {
         }
     }
 
+    @Test
+    public void testSignedOutWithRevokeToken() throws Exception {
+        auth.signIn(username, PASSWORD, null);
+        assertTrue("isSignedIn is true", auth.isSignedIn());
+
+        String tokenWithOriginJTI = "eyJraWQiOiIwTmxhQUhzbmtwQW5zbHBzUFhHWkJKcVJoR3E5WTkwckwweXpaWUV1OTJZPSIsImFsZyI6IlJTMjU2In0.eyJvcmlnaW5fanRpIjoiMzM2MWFkZDMtMDIwNS00NTY1LTk0MjQtMDQ3YWQ2N2Y0MjhmZWwifQ.a";
+        setAccessToken(appContext, clientId, username, tokenWithOriginJTI);
+        auth.signOut();
+        assertFalse("isSignedIn is false", auth.isSignedIn());
+    }
+
+    @Test
+    public void testSignedOutWithoutRevokeToken() throws Exception {
+        auth.signIn(username, PASSWORD, null);
+        assertTrue("isSignedIn is true", auth.isSignedIn());
+
+        String tokenWithSub = "eyJraWQiOiJzU01EYmZyQ21pb3FrbEVRZFprNXl6UmszekxSTlo4aGlGMnlxdVFZbVM0PSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI3YTQyNTFmMS04MmEyLTQxNzgtOWZhOS1mNmE3MTc1RCJ9.a";
+        setAccessToken(appContext, clientId, username, tokenWithSub);
+        auth.signOut();
+        assertFalse("isSignedIn is false", auth.isSignedIn());
+    }
+
     @Test(expected = com.amazonaws.services.cognitoidentityprovider.model.NotAuthorizedException.class)
     public void testSignInWrongPassword() throws Exception {
         AWSMobileClient.getInstance().signIn(getPackageConfigure().getString("username"), "wrong", null);

aws-android-sdk-mobile-client/src/androidTest/java/com/amazonaws/mobile/client/AWSMobileClientTestBase.java

@@ -71,6 +71,14 @@ public static void writeUserPoolsTokens(final Context appContext, final String c
         awsKeyValueStore.put(storeFieldPrefix + "refreshToken", "DummyRefresh");
     }
 
+    public static void setAccessToken(final Context appContext, final String clientId, final String username, final String accessToken) {
+        final AWSKeyValueStore awsKeyValueStore = new AWSKeyValueStore(appContext,
+                "CognitoIdentityProviderCache",
+                true);
+        String storeFieldPrefix = "CognitoIdentityProvider." + clientId + "." + username + ".";
+        awsKeyValueStore.put(storeFieldPrefix + "accessToken", accessToken);
+    }
+
     public static void writeUserPoolsTokens(final Context appContext,
                                             final String clientId,
                                             final String userId,

aws-android-sdk-mobile-client/src/androidTest/java/com/amazonaws/mobile/client/AbstractAmazonCognitoIdentity.java

@@ -42,6 +42,8 @@
 import com.amazonaws.services.cognitoidentity.model.GetOpenIdTokenForDeveloperIdentityResult;
 import com.amazonaws.services.cognitoidentity.model.GetOpenIdTokenRequest;
 import com.amazonaws.services.cognitoidentity.model.GetOpenIdTokenResult;
+import com.amazonaws.services.cognitoidentity.model.GetPrincipalTagAttributeMapRequest;
+import com.amazonaws.services.cognitoidentity.model.GetPrincipalTagAttributeMapResult;
 import com.amazonaws.services.cognitoidentity.model.ListIdentitiesRequest;
 import com.amazonaws.services.cognitoidentity.model.ListIdentitiesResult;
 import com.amazonaws.services.cognitoidentity.model.ListIdentityPoolsRequest;
@@ -53,6 +55,8 @@
 import com.amazonaws.services.cognitoidentity.model.MergeDeveloperIdentitiesRequest;
 import com.amazonaws.services.cognitoidentity.model.MergeDeveloperIdentitiesResult;
 import com.amazonaws.services.cognitoidentity.model.SetIdentityPoolRolesRequest;
+import com.amazonaws.services.cognitoidentity.model.SetPrincipalTagAttributeMapRequest;
+import com.amazonaws.services.cognitoidentity.model.SetPrincipalTagAttributeMapResult;
 import com.amazonaws.services.cognitoidentity.model.TagResourceRequest;
 import com.amazonaws.services.cognitoidentity.model.TagResourceResult;
 import com.amazonaws.services.cognitoidentity.model.UnlinkDeveloperIdentityRequest;
@@ -123,6 +127,11 @@ public GetOpenIdTokenForDeveloperIdentityResult getOpenIdTokenForDeveloperIdenti
         return null;
     }
 
+    @Override
+    public GetPrincipalTagAttributeMapResult getPrincipalTagAttributeMap(GetPrincipalTagAttributeMapRequest getPrincipalTagAttributeMapRequest) throws AmazonClientException, AmazonServiceException {
+        return null;
+    }
+
     @Override
     public ListIdentitiesResult listIdentities(ListIdentitiesRequest listIdentitiesRequest) throws AmazonClientException, AmazonServiceException {
         return null;
@@ -153,6 +162,11 @@ public void setIdentityPoolRoles(SetIdentityPoolRolesRequest setIdentityPoolRole
 
     }
 
+    @Override
+    public SetPrincipalTagAttributeMapResult setPrincipalTagAttributeMap(SetPrincipalTagAttributeMapRequest setPrincipalTagAttributeMapRequest) throws AmazonClientException, AmazonServiceException {
+        return null;
+    }
+
     @Override
     public TagResourceResult tagResource(TagResourceRequest tagResourceRequest) throws AmazonClientException, AmazonServiceException {
         return null;

aws-android-sdk-mobile-client/src/androidTest/java/com/amazonaws/mobile/client/AbstractAmazonCognitoIdentityProvider.java

@@ -434,6 +434,11 @@ public RespondToAuthChallengeResult respondToAuthChallenge(RespondToAuthChalleng
         return null;
     }
 
+    @Override
+    public RevokeTokenResult revokeToken(RevokeTokenRequest revokeTokenRequest) throws AmazonClientException, AmazonServiceException {
+        return null;
+    }
+
     @Override
     public SetRiskConfigurationResult setRiskConfiguration(SetRiskConfigurationRequest setRiskConfigurationRequest) throws AmazonClientException, AmazonServiceException {
         return null;

aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/AWSMobileClient.java

@@ -1611,6 +1611,9 @@ public Void run() throws Exception {
                     userpoolLL.globalSignOut(globalSignOutRequest);
                 }
                 if (signOutOptions.isInvalidateTokens()) {
+                    if (userpool != null) {
+                        userpool.getCurrentUser().revokeTokens();
+                    }
                     if (hostedUI != null) {
                         if (signOutOptions.getBrowserPackage() != null) {
                             hostedUI.setBrowserPackage(signOutOptions.getBrowserPackage());