
OIDC Logout for AWS Cognito


Type: Feature

Is your feature request related to a problem? Please describe.

AWS Cognito doesn’t implement the OpenID Connect RP-Initiated Logout specification (in draft) yet. When using AWS Cognito together with Spring Security for OAuth 2.0 Login (aka OIDC), every user will still be logged in at the identity provider when they log out at the Spring backend. Spring Security already provides an OidcClientInitiatedLogoutSuccessHandler to log the end-user out at the identity provider as well (technically an additional HTTP call to the identity provider when the user decides to log out), but as AWS Cognito doesn’t implement the spec, it’s of little help.

For Stratospheric we implemented our own SimpleUrlLogoutSuccessHandler to achieve the full logout. Our (naive) solution looks like the following:

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public class CognitoOidcLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {

  // Cognito hosted UI logout endpoint, e.g. https://<domain>.auth.<region>.amazoncognito.com/logout
  private final String logoutUrl;
  // App client id registered in the Cognito user pool
  private final String clientId;

  public CognitoOidcLogoutSuccessHandler(String logoutUrl, String clientId) {
    this.logoutUrl = logoutUrl;
    this.clientId = clientId;
  }

  @Override
  protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response,
                                      Authentication authentication) {

    // Base URL of this application (scheme, host, port, context path), derived from the current request
    UriComponents baseUrl = UriComponentsBuilder
      .fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
      .replacePath(request.getContextPath())
      .replaceQuery(null)
      .fragment(null)
      .build();

    // Redirect the browser to Cognito's logout endpoint; Cognito clears its own session
    // and sends the user back to logout_uri afterwards
    return UriComponentsBuilder
      .fromUri(URI.create(logoutUrl))
      .queryParam("client_id", clientId)
      .queryParam("logout_uri", baseUrl)
      .encode(StandardCharsets.UTF_8)
      .build()
      .toUriString();
  }
}
```

Describe the solution you’d like

For a Spring Cloud AWS + Spring Security + AWS Cognito setup, end-users should be fully logged out when they log out from the application (invalidated Spring session) and at the identity provider.

Describe alternatives you’ve considered

Some use cases might not favor a full logout, e.g. SSO with other applications. Hence the full logout should be an opt-in and not applied automatically.

Additional context

I’ve already blogged about a possible Spring Security and AWS Cognito OIDC logout to demonstrate a possible solution.

I’m looking forward to providing a PR with a possible solution in case you think it makes sense to add this feature.
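As an added illustration (not code from the issue, from Stratospheric, or from Spring Cloud AWS), one way to wire the handler above into a Spring Security configuration so that the Cognito round trip is opt-in, as the alternatives section asks. The property names `app.cognito.full-logout` and `app.cognito.logout-url` and the client registration id `cognito` are assumptions.

```java
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class CognitoLogoutSecurityConfig {

  @Bean
  SecurityFilterChain filterChain(HttpSecurity http,
                                  ObjectProvider<CognitoOidcLogoutSuccessHandler> cognitoLogout)
      throws Exception {
    http
      .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
      .oauth2Login(Customizer.withDefaults())
      .logout(logout -> {
        // Local logout always happens: drop the Spring session and its cookie
        logout.invalidateHttpSession(true).deleteCookies("JSESSIONID");
        // Only redirect to Cognito's /logout endpoint when the opt-in bean below exists;
        // otherwise Spring Security's default post-logout redirect applies
        cognitoLogout.ifAvailable(logout::logoutSuccessHandler);
      });
    return http.build();
  }

  // Opt-in: the handler is registered only when app.cognito.full-logout=true (assumed property)
  @Bean
  @ConditionalOnProperty(prefix = "app.cognito", name = "full-logout", havingValue = "true")
  CognitoOidcLogoutSuccessHandler cognitoOidcLogoutSuccessHandler(
      @Value("${app.cognito.logout-url}") String logoutUrl,
      @Value("${spring.security.oauth2.client.registration.cognito.client-id}") String clientId) {
    return new CognitoOidcLogoutSuccessHandler(logoutUrl, clientId);
  }
}
```

Cognito only redirects to a logout_uri that is registered as an allowed sign-out URL for the app client, so the base URL the handler derives from the request must match one of those entries exactly.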

Issue Analytics

  • State: open
  • Created 2 years ago
  • Comments: 9 (6 by maintainers)

Top GitHub Comments

1 reaction
rieckpil commented, Feb 11, 2022

Thanks for getting back to this issue 🙏 Yes, I’d like to contribute to this.

0 reactions
maciejwalkowiak commented, Sep 12, 2022

As far as I understand, to get basic Cognito auth we do not need anything custom, as it has already been covered by Spring Boot and Spring Security. For the purpose of implementing OIDC Logout we need CognitoProperties and perhaps a separate module for Cognito? @eddumelendez your opinion will be appreciated.
