Cognito logout endpoint doesn't support options, so how can CORS preflight work?

0

Hi,

I am having issues getting my spring security OAuth Client test project to logout a user from Cognito.

Background Information: I have a Java Spring test project set up to get familiar with Authentication using OAuth / OIDC with Cognito. It is based on this tutorial: https://spring.io/guides/tutorials/spring-boot-oauth2/ I have a Cognito User Pool set up with appropriate API Client settings for "Authorization code grant" flow. This works very well except I wanted to logout from Cognito as well as Spring session, as I want to be able to login as another user. So I then added a LogoutSuccessHandler to my spring config to cause a redirect to the Cognito logout end point. It was done as shown here: https://rieckpil.de/oidc-logout-with-aws-cognito-and-spring-security/ Apparently this has worked for some people.

The problem: It largely works. My Spring session is invalidated, and logout returns a redirect to the browser to the Cognito logout endpoint along with what I believe to be the correct parameters. However the browser (same for Firefox and Chrome) then makes a preflight CORS call to the Cognito logout endpoint and this will result in a 404 as "OPTIONS" is not supported on the endpoint.

Example:

  1. Request to my application to logout: GET http://localhost:8080/logout with session cookie etc.

  2. My test service responds with a redirect to:
     Location: https://cortexo.auth.eu-west-2.amazoncognito.com/logout?client_id=<ClientId>&logout_uri=http://localhost:8080
     Relevant response headers (yes they are very stupidly open for testing):
     Access-Control-Allow-Headers: Content-type,responseType
     Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
     Access-Control-Allow-Origin: *
     Access-Control-Max-Age: 3600

If I manually browse to this redirected URL (copy and paste into browser bar) then Cognito will logout and redirect back to my project as expected.

However, when following the redirect, the browser first attempts to do a CORS preflight check to the URL by calling it with an OPTIONS request. This results in a browser-reported error: "Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource." I believe the reason for this is that if you do an OPTIONS call to the logout endpoint it will result in a 404 (not found) error, and the endpoint documentation confirms that only GET is supported.

The questions are:

  1. I'm curious as to why the tutorial for Spring OAuth logout has worked for some others
  2. Is this approach the right one? Am I missing something?
  3. Any suggestions on how I can work around this (still using Spring Security OAuth Client, as Spring Security is what we are using in our real projects)?

Thanks

1 Answer
0

Hello,

I understand that you have some queries regarding CORS with Cognito OAuth endpoint.

Firstly, in regards to logout behavior with Cognito, your understanding is correct that the /logout endpoint signs the user out and either redirects to a sign-out URL for your app client, or redirects back to the /login endpoint itself.

Secondly, the /logout endpoint only supports HTTPS GET as mentioned on our AWS Doc [1].

Thirdly, please note that the Cognito authorization endpoint(s) do not adhere to CORS requirements and hence do not include CORS headers. By design of the system, an error like "Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource." is expected if an attempt is made to perform CORS/AJAX calls to any hosted UI endpoint other than the '/oauth2/token' or '/oauth2/userInfo' endpoints. It is designed to be navigated to directly in the browser. In addition, the endpoint only supports the GET method and does not support the OPTIONS method. However, we currently have a feature request with the service team to add CORS support to the endpoint. Please note that we here in Premium Support do not have access to the Cognito service team's development roadmap/release plan, so I would not be able to provide you with an ETA for the feature release. However, I encourage you to keep an eye on our What's New page and our Announcements blog, as these are common channels used by AWS to publish new feature launches.

[+] What's New in AWS - https://aws.amazon.com/new/
[+] AWS Blog - https://aws.amazon.com/blogs/aws/tag/announcements/

Now in regards to your queries -

a. "I'm curious as to why the tutorial for Spring OAuth logout has worked for some others"

  • Currently the tutorials that have been referred to are external pages that AWS cannot vouch for, hence I would request reaching out to their support directly to confirm what configurations were made.
  • On a best effort basis, I can mention that such custom/development related queries are best answered by reaching out to our Cognito Developer team directly on GitHub to confirm any alternate solutions or workarounds - https://github.com/aws-amplify/amplify-js/tree/master/packages/amazon-cognito-identity-js

b. "Is this approach the right one? Am I missing something?"

  • In the case of single logout functionality, say for example if a SAML IdP federation is used with a Cognito User Pool, single logout works in the following manner -
    1. User makes an HTTP GET request to the Cognito logout endpoint.
    2. Cognito clears the user session from the browser and redirects to the integrated SAML IdP logout endpoint.
    3. User session is invalidated for the IdP as per the IdP logout logic.
    4. SAML IdP sends an HTTP POST request with the logout response to the Cognito endpoint https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/logout
    5. User is redirected to the sign-out URL configured for the Cognito app client.

Please note that such an IdP sign-out flow already exists natively for SAML IdPs with Cognito. Unfortunately, however, Cognito currently does not support the single logout feature for OpenID Identity Providers (as it does for SAML). Please note that when we call the Cognito logout endpoint only the Cognito session is cleared; it does not clear the OIDC IdP's session.

We do have an open feature request for OIDC providers to have the choice for Cognito to handle the LOGOUT endpoint as well.

So in such cases where the single logout functionality isn't present, the following are the methods one can follow -

APPROACH 1:
You want to log the user out from the application, from the hosted UI and from the 3rd party IdP as well. Then you want to show the hosted UI login screen after the logout process.
1) From the application, make a request to the logout endpoint of your application. On that endpoint, implement logic to remove/invalidate the cookies for the application.
2) Once the cookies are invalidated/removed, make a request to the logout endpoint of the IdP. This should remove the session for the IdP.
3) Once a successful response is returned from the logout endpoint, respond with a 302 redirect to the "logout" endpoint of your Hosted UI as below. This example clears out the existing session and shows the login screen, using the same parameters as for GET /oauth2/authorize.

    GET https://mydomain.auth.us-east-1.amazoncognito.com/logout?
    response_type=code&
    client_id=<client-id>&
    redirect_uri=https://YOUR_APP/redirect_uri&
    state=STATE&
    scope=openid+profile+aws.cognito.signin.user.admin

APPROACH 2:
You want to log the user out from the application, from the hosted UI and from the 3rd party IdP as well. Then you want to show your desired view of the application after logout.
1) Make a request to the "logout" endpoint of the Hosted UI as below. This will clear the cookies from the hosted UI and return a response with a 302 redirect to the logout URI of your application.

    GET https://mydomain.auth.us-east-1.amazoncognito.com/logout?
    client_id=<client-id>&
    logout_uri=https://YOUR_APP.com/logout

2) On the logout endpoint of the application, make a request to the logout endpoint of the IdP to remove the session.
3) Once a successful response is returned, remove the cookies stored in the browser for the application.
4) Once that is done, redirect to the desired view (which normally is the home page of the application).

c. "Any suggestions on how I can work around this (still using Spring Security OAuth Client, as Spring Security is what we are using in our real projects)?"

  • As mentioned before, any recommendation/development/architectural queries are out of scope for the Premium Support team, as our expertise is limited to troubleshooting break fixes and errors with the AWS service when customers run into errors during the implementation phase. In cases of finding a viable solution considering scalability, security and limitations, reaching out to the Dev team or Solutions Architects can help in assessing the viability and building of the solution as per your requirements.

Any code support or custom solution/application development queries are best answered by the Cognito developer team, who you can reach out to using GitHub.

https://github.com/amazon-archives/amazon-cognito-identity-js

Note: The developers have discontinued developing the above library as part of this GitHub repository. They will continue to develop it as part of the AWS Amplify GitHub repository. You can still reach them by creating an issue on the AWS Amplify GitHub repository or by posting to the Amazon Cognito Identity forums.

https://github.com/aws-amplify/amplify-js/tree/master/packages/amazon-cognito-identity-js

or

We also have the dedicated AWS Solutions Architect team which addresses the architecture and design level queries for custom solutions. I would suggest you reach out directly to our Sales team as they can help you to get in touch with our Solutions Architect (SA) team.

You can request for a member of the sales (Business Development) team to contact you using any of the following methods:

>> Via form:        http://aws.amazon.com/contact-us/aws-sales/
>> Via Live Chat:   https://pages.awscloud.com/live-chat-contact-us.html
>> Phone support:   +1 (833) 662-9873 - 6:30am - 4:00pm (Pacific) Monday - Friday.

I hope the above shared information is insightful to your query. As always, please feel free to reach back with any further questions or concerns!

References:

[1] https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html

AWS
SUPPORT ENGINEER
Yash_C
answered 2 years ago
  • Thanks for the prompt answer, I appreciate it. I will reach out to our AWS account manager regarding the roadmap timeframe for adding CORS support to the IdP logout endpoint. In the meantime I will give your approach 2 a try, as that probably fits better with how we intend to deploy the application (one of our customers has their own apps and so we don't want a hosted logout page). Thanks again.
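A worked version of the answer's APPROACH 2 wired into Spring Security, added here as an example; it is not code from the question, the answer, or the tutorials the question links to. It assumes Spring Boot 2.x with spring-boot-starter-oauth2-client and Spring Security 5.4 or later (SecurityFilterChain bean style). COGNITO_DOMAIN, CLIENT_ID and LOGOUT_URI are placeholders, and LOGOUT_URI must exactly match one of the app client's allowed sign-out URLs, because Cognito only redirects to registered URLs after logout.

```java
// Added example (not the question's, the answer's, or the linked tutorial's code).
// Assumed stack: Spring Boot 2.x, spring-boot-starter-oauth2-client, Spring Security >= 5.4.
package example.cognito;

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@Configuration
public class CognitoLogoutConfig {

    // Placeholders: replace with your own hosted UI domain, app client id and
    // an "Allowed sign-out URL" registered on that app client.
    private static final String COGNITO_DOMAIN =
            "https://YOUR_DOMAIN_PREFIX.auth.YOUR_REGION.amazoncognito.com";
    private static final String CLIENT_ID = "YOUR_APP_CLIENT_ID";
    private static final String LOGOUT_URI = "https://YOUR_APP.example.com/logged-out";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth
                // The landing page after Cognito redirects back must be reachable
                // without a session, otherwise the logged-out user is bounced to login.
                .antMatchers("/", "/logged-out", "/error").permitAll()
                .anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults())
            // CSRF stays enabled, so /logout only accepts a POST carrying the token.
            .logout(logout -> logout
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessHandler(cognitoLogoutSuccessHandler()));
        return http.build();
    }

    // Runs after the local session is gone: send the browser on to Cognito's
    // GET-only /logout endpoint (APPROACH 2, step 1: client_id + logout_uri).
    LogoutSuccessHandler cognitoLogoutSuccessHandler() {
        return (request, response, authentication) -> response.sendRedirect(cognitoLogoutUrl());
    }

    // Built from constants only, so the redirect target cannot be influenced by
    // request parameters (no open-redirect surface on the application side).
    static String cognitoLogoutUrl() {
        return COGNITO_DOMAIN + "/logout"
                + "?client_id=" + URLEncoder.encode(CLIENT_ID, StandardCharsets.UTF_8)
                + "&logout_uri=" + URLEncoder.encode(LOGOUT_URI, StandardCharsets.UTF_8);
    }
}
```

Trigger the logout from a plain HTML form rather than from a fetch/XMLHttpRequest call, for example `<form method="post" th:action="@{/logout}"><button>Log out</button></form>` in a Thymeleaf template, which adds the CSRF token for you. Browsers only send a CORS preflight (the OPTIONS request in the question) for script-initiated cross-origin requests; a form submission and the redirect chain that follows it are top-level navigations, which are not subject to CORS, so the 302 to the GET-only Cognito endpoint is simply followed. Once Cognito redirects back to `/logged-out`, that handler is where the answer's steps 2 to 4 (IdP logout, cookie cleanup, redirect to the home page) belong.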
