Cognito Logout endpoint Doesn't return state parameter

3

This breaks federation, as they are expecting the state parameter to be returned. The doc says to use logout_uri, which signs my user out but doesn't return the state parameter. This is a problem, as the dotnet OIDC federation expects this to be returned. I'm sure other libs do as well. I was told in another post to use redirect_uri, but the problem is this redirects to your hosted UI, which is not what we are using for auth, so this is not an option. Can someone fix this issue?

asked a year ago · 849 views
3 Answers
0

Hello,

I understand that you are unable to receive the 'state' parameter when calling the '/logout' endpoint.

There are two ways in which you can use the '/logout' endpoint to log out your users. You can either use the 'logout_uri' parameter to redirect your user to a custom sign-out page, or you can make use of the 'redirect_uri' parameter to redirect your users to your sign-in page. The behavior of the 'state' parameter is different for these options. Also, this behavior can differ when using an IdP for federation.

So, this leaves us with three different scenarios, in each of which the usage of the 'state' parameter will differ. Let us take a look at each of these.

a) Using 'logout_uri' with or without federation

In such a case, Cognito does not return the 'state' parameter, since it is only supported along with 'redirect_uri' and not with 'logout_uri'. Thus, it is not returned when using this option in the request to the '/logout' endpoint.

b) Using 'redirect_uri' without federation

In such a case, the use of the 'state' parameter is recommended, and when passed along with the 'redirect_uri' parameter, it is returned to your app when your user is redirected. An example of this is shown in the second example given in this document: [+] https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html

c) Using 'redirect_uri' with federation

In this case, Cognito does not pass a custom 'state' parameter to the IdP during federation, as Cognito generates its own 'state' parameter for the IdP.

Thus, according to the information provided above, since you are using the 'logout_uri' parameter, the 'state' parameter is not being returned.

If you want to use 'state' with 'logout_uri', as a workaround for your use case, you can consider the suggestions below:

  1. Put the state value into the logout URL if it is static. For example, when configuring the app client settings, instead of putting logout_uri = "https://www.amazon.com", try putting logout_uri = "https://www.amazon.com?state=123". Then pass the entire "https://www.amazon.com?state=123" as the logout parameter when calling the /logout endpoint. However, with such an implementation the state can only be static, and one app client can only have one state.

  2. An alternative workaround would be to have the application send the logout request to a Lambda function (via API Gateway, for example). The Lambda function would then call the /logout endpoint of Cognito, get the redirect response and append the state parameter back into it before sending it back to the application.

I would also like to add that there is already a feature request in place for adding the 'state' parameter when redirecting using 'logout_uri'. I encourage you to keep an eye on our What's New page and our Announcements blog, as these are common channels used by AWS to publish new feature launches.

[+] What's New in AWS - https://aws.amazon.com/new/
[+] AWS Blog - https://aws.amazon.com/blogs/aws/tag/announcements/

AWS
SUPPORT ENGINEER
answered a year ago
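To make the three scenarios in the answer above concrete, here is an added example (written for this page, not code from the thread, from AWS or from any library) that builds the two documented forms of the Cognito `/logout` request and shows how an application would check a returned `state` value on its callback. The domain, client id and callback URLs are constructed placeholders. It also models workaround 1 (a fixed `state` baked into `logout_uri`) so the difference from a per-session `state` is visible: the fixed value is recoverable from the redirect, but it is identical for every session and so cannot bind a logout redirect to the browser that started it.

```python
"""Cognito /logout URL construction and state validation (added example).

Assumptions (placeholders, not values from the thread):
  COGNITO_DOMAIN, CLIENT_ID and the example.test callback URLs.
Endpoint parameters follow the public /logout endpoint documentation:
  client_id + logout_uri                                (scenario a)
  client_id + response_type + redirect_uri + scope + state (scenario b)
"""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

COGNITO_DOMAIN = "https://example-domain.auth.us-east-1.amazoncognito.com"  # placeholder
CLIENT_ID = "EXAMPLE_CLIENT_ID"  # placeholder


def logout_url_with_logout_uri(logout_uri: str) -> str:
    """Scenario (a): sign the user out and land on a custom sign-out page.
    Cognito does not echo a custom 'state' for this form, so none is sent."""
    query = {"client_id": CLIENT_ID, "logout_uri": logout_uri}
    return f"{COGNITO_DOMAIN}/logout?{urlencode(query)}"


def logout_url_with_redirect_uri(redirect_uri: str, state: str, scope: str = "openid") -> str:
    """Scenario (b): sign out, then show the hosted sign-in page; after the
    next sign-in Cognito redirects to redirect_uri with code and 'state'."""
    query = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{COGNITO_DOMAIN}/logout?{urlencode(query)}"


def new_state() -> str:
    """Per-session, unguessable state; store it server-side or in a
    same-site cookie before redirecting the browser to Cognito."""
    return secrets.token_urlsafe(32)


def state_from_callback(callback_url: str) -> Optional[str]:
    """Extract 'state' from the URL the browser arrives on after the redirect."""
    values = parse_qs(urlsplit(callback_url).query).get("state")
    return values[0] if values else None


def validate_state(expected: Optional[str], returned: Optional[str]) -> bool:
    """True only if a state was issued for this session and it came back
    unchanged. Constant-time compare avoids leaking the expected value."""
    if not expected or not returned:
        return False
    return hmac.compare_digest(expected, returned)


def static_state_logout_uri(base_logout_uri: str, static_state: str) -> str:
    """Workaround 1 from the answer: bake one fixed state into logout_uri.
    Every session sees the same value, so it identifies the app client,
    not the browser session that started the logout."""
    return f"{base_logout_uri}?{urlencode({'state': static_state})}"


def static_state_binds_session(static_state: str, session_states: list) -> bool:
    """Check whether a fixed state could distinguish sessions: it cannot
    unless every session's expected state is that same constant."""
    return all(validate_state(s, static_state) and s != static_state for s in session_states)


if __name__ == "__main__":
    s = new_state()
    print(logout_url_with_logout_uri("https://app.example.test/signed-out"))
    print(logout_url_with_redirect_uri("https://app.example.test/callback", s))
    print(validate_state(s, state_from_callback(f"https://app.example.test/callback?state={s}")))
```

In practice the per-session value from `new_state()` is what you compare against on the callback; the fixed value from `static_state_logout_uri()` will always pass a lookup, which is why the thread's replies note it gives no CSRF protection.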
0

We are in case c), and if I pass redirect_uri we get the crappy hosted login page, which we can't use because of lack of extensibility; we would need way more than just style and label changes. So we are stuck with logout_uri. Option 1 offers no security, as it would be the same state variable for all logouts and thus no way to detect XSRF attacks, and 2 seems like something I'm asking Cognito to handle. I don't want a workaround, I want a fix. We have a crappy workaround and it makes me throw up in my mouth every time I look at it. This can't be that hard: just echo back the state parameter when passing the logout_uri?

answered a year ago
0

We are currently grappling with the same issue described in Scenario C, where the lack of the 'state' parameter return in conjunction with the 'logout_uri' is significantly impeding our implementation of SSO. The first suggested workaround, unfortunately, does not align with our application architecture and requirements as we must be able to pass dynamic values back to the logout page.

Now regarding the second proposed alternative, involving the use of a Lambda function to append the 'state' parameter post-logout: this solution is unfeasible, as the logout endpoint is designed to use redirection and must be executed from the correct domain to give Cognito access to the user's cookies. This process cannot be effectively replicated through a Lambda function, as we cannot run a Lambda function on the same domain as Cognito.

Given these limitations, this workaround does not appear to be a viable solution for our needs. Therefore, I am compelled to ask if and when Amazon plans to address this critical issue with a more practical resolution.

In light of this, we urgently need to know if and when Amazon plans to address this issue.

answered 4 months ago
