Cognito + Google + React - signout not working using aws amplify
I'm able to sign in with a Google account using the aws-amplify library in a ReactJS app.

When I log out and try to log in again, it doesn't ask me for my Google username & password. It uses the previous session (somehow) and redirects me back to my React application.

I read different questions and applied various solutions, but none of them is working for me.

Solution 1 (which obviously doesn't work for Google logout):

    import { Auth } from 'aws-amplify';

    const logout = () => {
        // Clears only the local Amplify session (tokens stored by the app)
        Auth.signOut();
    }

Solution 2:

    const logout = async () => {
      const requestOptions = {
        method: "POST",
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
      };

      const url = `https://{domain}.amazoncognito.com/logout?client_id=xxx&response_type=code&scope=xxx&redirect_uri=http://xxx/logout`;

      // Cross-origin request to the hosted-UI logout endpoint
      await fetch(url, requestOptions);
    }

But for some reason, it throws a CORS error.

  1. I don't know how and where to resolve the CORS issue. Is there anything that I need to configure in Cognito?

  2. I tried with method: "GET" instead of method: "POST" but got the same CORS issue.

  3. I don't know if this approach is right or wrong. Let me know if there is some other clear way.

I need to know the right way to log out and destroy the user's session, so that next time when I try to log in, it asks me to enter my Google username & password.


Update

Solution 3:

    const logout = () => {
        // Redirect the browser to Google's logout URL, then back to the app
        window.location.href = "https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://www.example.com";
    }

With the above approach, it redirects me to the login page of my application, but unfortunately when I click on the Google Sign-in button again, it doesn't show the Google login screen or ask me to log in again. In other words, it keeps the session alive and doesn't log out of the Google account.

Indecorum asked 9/12, 2022 at 7:55

Comments:

  Biomedicine: Are you combining this solution with API Gateway or S3?

  Indecorum: No, I don't. It is direct communication between Amplify+React and Cognito for Google (external identity provider) users. For Cognito users (not external identity provider users), we have Lambda + API Gateway.

  Biomedicine: Try to allow CORS in API Gateway, because there is no CORS in Cognito, so it seems your issue comes from API Gateway.

  Indecorum: I already did it in API Gateway but it's not working. The Google flow has nothing to do with Lambda or API Gateway in my case.
Auth.signout() won't sign you out from Google. So even though you signed out from the application, your Google session is still there.

Have a look at this answer.

When the user tries to sign in again, it will redirect you to Google, and there is a valid Google session, which means Google won't ask you to provide credentials again. Therefore, Google will redirect you back to Cognito and then to the application.

That's why you wouldn't see the Google login page again in the first approach. Try this:

  • Sign out from the application.
  • In the same browser, navigate to Gmail and sign out (this will clear the Google session).
  • Try to log in to the app. At this point you will be asked to re-authenticate with Google.

Hope this helps.

Delmore answered 9/12, 2022 at 18:7

Comments:

  Indecorum: Thanks for the reference. I tried the Google logout as explained in the thread but it still doesn't work. When I call window.location.href = "https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://www.example.com"; it takes me back to my login screen, but when I click on the Google login button again, it doesn't ask me to enter Google credentials. So it is not signing out from the Google account, or it still keeps the session alive.
I believe this is happening because of the Cognito OAuth token which gets placed in a cookie when you use a social IdP.

Just to clarify, this is how the social IdP process works: your site -> Cognito OAuth -> Google OAuth

So, technically you're not trying to connect directly with Google but with Cognito, which will forward the request to Google.

The issue is that when the process is successful it will also place a cookie on your site, called cognito.

Now, when you're trying to log out via Auth.signout(), it will clear the user session from your site and invalidate the tokens, but that cookie will not be cleared or invalidated.

In order to fix this, when the user tries to log out, you should redirect the browser to the Cognito OAuth logout page https://<domain>.amazoncognito.com/logout?... (ref: https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html)

and as logout_uri you should have a page on your site which will call Auth.signout() in order to clear the user session.

So the process looks like this:

user clicks logout button => redirect to amazoncognito /logout => redirects back to <your site>/logout => call Auth.signout()

Signboard answered 18/12, 2022 at 10:5

Comments:

  Moluccas: Google sign-out works fine except in incognito mode.
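The two halves of the flow in the answer above (redirect to the hosted-UI /logout endpoint first, then clear the local Amplify session on the page Cognito sends the browser back to), as an added example that is not part of the original answer. It assumes a hypothetical hosted-UI domain `example-app.auth.us-east-1.amazoncognito.com`, a placeholder app client id, and that `https://app.example.com/logout` is registered as an allowed sign-out URL on the app client; `signOut` and `navigate` are injected so the functions run without a browser or the Amplify library.

```javascript
// Added example (not from the original post). Hypothetical values:
// the hosted-UI domain, the client id placeholder and the logout URI,
// which must be registered as an allowed sign-out URL on the app client.
const cognitoConfig = {
  domain: 'example-app.auth.us-east-1.amazoncognito.com',
  clientId: 'APP_CLIENT_ID_PLACEHOLDER',
  logoutUri: 'https://app.example.com/logout',
};

// Step 1: build the hosted-UI /logout URL. The browser must be *navigated*
// here as a top-level request, not fetch()ed: the endpoint clears
// Cognito's own session cookie on the amazoncognito.com domain, which a
// cross-origin XHR can neither send nor receive (hence the CORS error in
// the question).
function buildCognitoLogoutUrl({ domain, clientId, logoutUri }) {
  const url = new URL(`https://${domain}/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('logout_uri', logoutUri); // percent-encoded by URLSearchParams
  return url.toString();
}

// Logout button handler: leave the app for Cognito first.
// navigate is e.g. (href) => window.location.assign(href)
function startLogout(config, navigate) {
  const href = buildCognitoLogoutUrl(config);
  navigate(href);
  return href;
}

// Step 2: the page served at logoutUri. Cognito redirects here only after
// its cookie is gone, so now drop the local Amplify tokens and go to the
// login screen. In the app pass signOut: () => Auth.signOut() from 'aws-amplify'.
async function completeLogout({ signOut, navigate, loginPath = '/login' }) {
  let cleared = true;
  try {
    await signOut();
  } catch (err) {
    cleared = false; // no local session left to clear is not fatal here
  }
  navigate(loginPath);
  return cleared;
}
```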
I suspect this has to do with the cookie set in the hosted UI that is brokering your requests. Let's walk through the steps here:

  1. Your app redirects to the hosted UI with the identity_provider param set to Google.
  2. The hosted UI redirects to Google.
  3. The user grants access and Google redirects back to the hosted UI.
  4. The hosted UI completes the code grant, sets a session cookie with a validity of 1 hour and redirects back to your app.
  5. Your app completes the code grant.

So far so good, you're still in Cognito's happy place.

Then you go to log out. This should be a matter of deleting your access token and submitting the refresh token to Cognito's revoke endpoint. All is good, your app no longer has access.

However, if your app reinitiates authorization (step 1), what Cognito does in response is check for an active session cookie and, if it is found, skip the upstream authorization to Google.

Meaning if a user signs out within an hour of signing in, they won't be prompted for authorization from Google (steps 2 and 3).

That session validity period is not configurable so there is no way to change this behavior.

Strick answered 18/12, 2022 at 14:21