amplify-js
Ability to use https redirectSignOutUrls when using amplify v6
Is this related to a new or existing framework?
React Native
Is this related to a new or existing API?
Authentication
Is this related to another service?
Cognito
Describe the feature you'd like to request
When using a federated SSO client we need to be able to sign out of the upstream provider inside of the webview. To do this we want to be able to call something like https://upstreamSSOProvider.com/logout?post_logout_redirect_uri=mobile%3A%2F%2F, however https urls are rejected on react native. The upstream logout provider will ultimately redirect back to the mobile:// url as the cognito logout would do.
Describe the solution you'd like
The ability to override the invalidRedirectException thrown here, using the provided sign-out URI
Describe alternatives you've considered
- Stay on v5 where we can use our own webview implementation
- Find a way to use the rtn-browser directly to do this
Additional context
No response
Is this something that you'd be interested in working on?
- [X] 👋 I may be able to implement this feature request
- [ ] ⚠️ This feature might incur a breaking change
Hello, @cranberyxl 👋 and thank you for opening this issue. Can you confirm that you're only seeing this issue when you upgraded to v6, and if you downgrade back to v5.x that the problem goes away?
The problem goes away in v5 only because we can use a custom webview solution like react-native-inappbrowser-reborn, and as far as I can tell the no-https restriction was added in v6.
@cranberyxl, thank you for the confirmation. I'll mark this as a bug then and review this with the team internally. We'll comment back with updates or further questions as we make progress.
@cranberyxl, when you configure an SSO provider on Amazon Cognito you don't need to go to the sign-out endpoint manually; you can configure that directly on Cognito. Have you tried that?
More information on Cognito docs
@elorzafe The nature of our auth setup does not allow for this. We need the ability to use different redirect urls in different scenarios on the react-native experience just like we would be able to do in a web context.
Hey @cranberyxl :wave: what is the use case you're looking to address where the Cognito-initiated IdP signout is not sufficient? Is there a particular solution you have in mind to address this?
@josefaidt Our authentication situation involves an upstream OIDC connection that then provides the SSO experience.
Cognito --OIDC--> Upstream IdP --SAML/OIDC--> IdP providing SSO experience
I have not been able to get the upstream provider to logout without directly calling its logout url as part of the logout redirect, which then properly handles the auth cookies in the browser session.
I don't understand why I can't provide a completely valid https signOut url to the new amplify library when using react native. I'm also very confused as to why there would be an array of signOut urls when only one of them can be redirected to after cognito signs out.
Ah, thanks for the clarification @cranberyxl! The OIDC provider is a great callout, as unfortunately the "single logout (SLO)" feature is only supported for SAML IdPs.
> When a user signs in with third-party identity providers (IdPs), there's an extra step to perform. If a user signs in using one of the third-party IdPs, then visiting the logout endpoint clears the "cognito" cookie from the browser. However, the IdP can still have an active session. Consider the following information when you're clearing out the user's IdP session:
> - Amazon Cognito supports the single logout (SLO) feature for Security Assertion Markup Language version 2.0 (SAML 2.0) IdPs with HTTP POST Binding. If your provider accepts HTTP POST Binding on its SLO endpoint, then consider implementing SLO for SAML IdPs. If a user visits the logout endpoint with SLO turned on, then Amazon Cognito sends a signed logout request to the SAML IdP. Then, the SAML IdP clears the IdP session.
> - For social and OpenID Connect (OIDC) IdPs, you must create a custom workflow to clear the IdP session from the browser.
https://repost.aws/knowledge-center/cognito-logout-endpoint-globalsignoutapi
From the information above this falls into the "custom workflow" callout for OIDC IdPs to initiate the upstream signout.
> I don't understand why I can't provide a completely valid https signOut url to the new amplify library when using react native. I'm also very confused as to why there would be an array of signOut urls when only one of them can be redirected to after cognito signs out.
This is a valid callout! We do allow configuring multiple signin/signout redirect URIs, however it is not surfaced to the client API as you've experienced. That said, this would be desirable for custom flows like you have where you're attempting to initiate signout for your upstream OIDC provider.
Let me chat with the team and follow-up with next steps 🙂
Hey @cranberyxl :wave: to provide an update here, we'll keep this issue labeled as-is as we work towards a solution to enable this in favor of supporting upstream signout for OIDC flows.
Any update on this?