I am working on integrating AWS Cognito with my front-end web application, using Google Workspace as the SAML IdP. I'm using the Authentication Code Flow with PKCE, and I am able to successfully authenticate and retrieve my id + access + refresh tokens.
The problem I am running into is that when I hit the <user-pool-domain>/logout endpoint (with client_id and logout_uri), the logout flow appears to succeed and redirects to my logout callback. However, if I then try to log in again, it bypasses Google Workspace and immediately authenticates successfully. So for whatever reason, the logout flow is not correctly ending the user's session with Google Workspace...
If I try <user-pool-domain>/saml2/logout (again passing in client_id and logout_uri as URL parameters), then I get an error page that just says "An error was encountered with the requested page".
I have enabled the Signout flow under the IdP configuration in Cognito.
Am I missing additional configuration? Any ideas how to debug this?
After spending the weekend working on this, I've found an acceptable solution:

1. /oauth2/revoke (see https://docs.aws.amazon.com/cognito/latest/developerguide/revocation-endpoint.html)
2. /logout (see https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html)

While this won't log the user out of Google (since Google does not support the SAML2 Single Logout flow...), it will properly end AWS Cognito's session with Google, such that if you then log out of Google and then attempt to log in again by redirecting to the AWS Cognito /login endpoint, the user will be forced to re-authenticate with Google!
Why AWS Cognito doesn't already revoke the user's tokens upon invoking the standard /logout endpoint, I don't know... Seems like a bug on AWS' side... It should probably be documented somewhere if this is expected behavior.