Cognito logout does not work as documented

sharpthor · Apr 20, 2018 · Viewed 12.5k times

I have a Cognito user pool configured with a SAML identity provider (ADFS) and I'm able to sign in as a federated user (AD), but sign out does not work.

Following the documentation, I make a GET request to https://my-domain.auth.us-west-2.amazoncognito.com/logout?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com (using some public logout uri), from my client (an AngularJS 1.x app), and I get back a 302 with a Location header like

https://my-domain.auth.us-west-2.amazoncognito.com/login?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com  

(In fact I see 2 requests like the above.)

When I log back in (through ADFS) it does not prompt for my AD credentials, i.e. it seems that I'm not logged out.

My user pool is configured as described here (see step 7), where the Enable IdP sign out flow is checked, which is supposed to log the user out from ADFS as well.

Any suggestions? Thanks.

General
-------
Request URL: https://my-domain.auth.us-west-2.amazoncognito.com/logout?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com  
Request Method: GET  
Status Code: 302  
Remote Address: 54.69.30.36:443  
Referrer Policy: no-referrer-when-downgrade  

Response Headers
----------------
cache-control: private  
content-length: 0  
date: Fri, 20 Apr 2018 21:31:12 GMT  
expires: Thu, 01 Jan 1970 00:00:00 UTC  
location: https://my-domain.auth.us-west-2.amazoncognito.com/login?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com  
server: Server  
set-cookie: XSRF-TOKEN=...; Path=/; Secure; HttpOnly  
set-cookie: XSRF-TOKEN=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly  
status: 302  
strict-transport-security: max-age=31536000 ; includeSubDomains  
x-content-type-options: nosniff  
x-frame-options: DENY  
x-xss-protection: 1; mode=block  

Request Headers
---------------
:authority: my-domain.auth.us-west-2.amazoncognito.com  
:method: GET  
:path: /logout?client_id=63...ng&logout_uri=http:%2F%2Fyahoo.com  
:scheme: https
accept: application/json, text/plain, */*  
accept-encoding: gzip, deflate, br  
accept-language: en-US,en;q=0.9  
authorization: Bearer eyJra...  
cache-control: no-cache  
origin: https://localhost:8443  
pragma: no-cache  
referer: https://localhost:8443/logout  
user-agent: Mozilla/5.0...  

Answer

DS. · Jul 6, 2018

This redirect happens whenever logout_uri parameter doesn't match exactly what's listed among Sign out URL(s) in AWS Cognito User Pools App client settings configuration.

Cognito allows logout with either logout_uri or with the same arguments as login (i.e. redirect_uri and response_type) to log out and take the user back to the login screen. It seems that whenever logout_uri is invalid, it assumes the re-login flow, does this redirect, and then reports an error about missing login arguments.

As for SAML, I don't know, but guessing that it doesn't work because there was actually an error, just not properly reported.
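The exact-match behaviour the answer describes, as an added example that is not part of the question or the answer: a small client-side helper that checks the intended logout_uri against the list entered under "Sign out URL(s)" for the app client before building either form of the /logout URL, and a check that recognises a 302 back to /login on the Cognito domain as a rejected logout_uri rather than a successful sign-out. The Cognito domain, the client id, and the sign-out list are placeholders (the real client id in the question is elided as 63...ng and is not reproduced here).

```javascript
// Added example (not code from the question or the answer). Builds Cognito
// hosted-UI /logout URLs and checks logout_uri against the app client's
// configured "Sign out URL(s)", because /logout answers with a 302 back to
// /login when logout_uri is not an exact match of a configured value.
// COGNITO_DOMAIN, CLIENT_ID and SIGN_OUT_URLS are placeholders.

const COGNITO_DOMAIN = 'https://my-domain.auth.us-west-2.amazoncognito.com';
const CLIENT_ID = 'EXAMPLE_CLIENT_ID';
// What is entered in App client settings -> Sign out URL(s). Cognito requires
// https here except for http://localhost, so a plain http://yahoo.com entry
// (as in the question) would not even be accepted in the console.
const SIGN_OUT_URLS = [
  'https://localhost:8443/logout',
  'https://app.example.com/signed-out',
];

// Exact string comparison: scheme, host, port, path, trailing slash and query
// string all have to match the configured value character for character.
function isRegisteredSignOutUrl(logoutUri, registered = SIGN_OUT_URLS) {
  return registered.includes(logoutUri);
}

// Form 1: /logout?client_id=...&logout_uri=...  (sign out, land on your page).
function buildLogoutUrl(logoutUri, opts = {}) {
  const { domain = COGNITO_DOMAIN, clientId = CLIENT_ID, registered = SIGN_OUT_URLS } = opts;
  if (!isRegisteredSignOutUrl(logoutUri, registered)) {
    // Fail on the client instead of letting Cognito bounce the user to /login.
    throw new Error(`logout_uri is not an exact match of a configured Sign out URL: ${logoutUri}`);
  }
  const url = new URL('/logout', domain);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('logout_uri', logoutUri); // percent-encoded by URLSearchParams
  return url.toString();
}

// Form 2: /logout with the same parameters as /login (redirect_uri and
// response_type), which signs out and then shows the hosted login page again.
function buildLogoutToLoginUrl(redirectUri, opts = {}) {
  const { domain = COGNITO_DOMAIN, clientId = CLIENT_ID, responseType = 'code', scope } = opts;
  const url = new URL('/logout', domain);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('response_type', responseType);
  url.searchParams.set('redirect_uri', redirectUri);
  if (scope) url.searchParams.set('scope', scope);
  return url.toString();
}

// Diagnose the 302 from /logout: a Location header pointing back at /login on
// the Cognito domain (the case shown in the question) means logout_uri was
// rejected; a Location on your own host means the redirect to logout_uri.
function isRejectedLogoutUri(locationHeader, domain = COGNITO_DOMAIN) {
  const loc = new URL(locationHeader);
  const cognito = new URL(domain);
  return loc.host === cognito.host && loc.pathname === '/login';
}

// In the browser, navigate rather than XHR: the endpoint answers with a
// redirect the browser is expected to follow.
//   window.location.assign(buildLogoutUrl('https://localhost:8443/logout'));

module.exports = { isRegisteredSignOutUrl, buildLogoutUrl, buildLogoutToLoginUrl, isRejectedLogoutUri };
```

The question's request is an XHR (accept: application/json, an Authorization header, an origin header); use a top-level navigation to the built URL instead, and if the response in the network tab is a 302 whose Location is /login on the Cognito domain, the helper flags it as a rejected logout_uri, which is the first thing to fix before looking at the ADFS side.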