I’m able to sign in with a Google account using the aws-amplify library in a React.js app.
When I log out and try to log in again, it doesn’t ask me for my Google username & password. It uses the previous session (somehow) and redirects me back to my React application.
I read different questions and applied various solutions, but none of them is working for me.
Solution 1: which obviously doesn’t work for Google logout.
```javascript
const logout = () => {
  Auth.signOut();
};
```
Solution 2:
```javascript
const logout = async () => {
  const requestOptions = {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" }
  };
  const url = `https://{domain}.amazoncognito.com/logout?client_id=xxx&response_type=code&scope=xxx&redirect_uri=http://xxx/logout`;
  await fetch(url, requestOptions);
};
```
But for some reason, it throws a CORS issue.
I don’t know how and where to resolve the CORS issue. Is there anything I need to configure in Cognito?
I tried with `method: "GET"` instead of `method: "POST"`, but got the same CORS issue.
I don’t know if this approach is right or wrong. Let me know if there is some other clear way.
I need to know the right way to log out and destroy the user’s session, so that next time I try to log in it asks me to enter my Google username & password.
Update
Solution 3:
```javascript
const logout = () => {
  window.location.href = "https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://www.example.com";
};
```
With the above approach, it redirects me to the login page of my application, but unfortunately when I click the Google Sign-in button again, it doesn’t show the Google login screen or ask me to log in again. In other words, it keeps the session alive and doesn’t log out of the Google account.
3 Answers
`Auth.signOut()` won’t sign you out from Google. So even though you signed out from the application, your Google session is still there. Have a look at this answer.
When the user tries to sign in again, it will redirect you to Google and there is a valid Google session, which means Google wouldn’t ask you to provide credentials again. Therefore, Google will redirect you back to Cognito and then to the application.
That’s why you wouldn’t see the Google login page again in the first approach.
Try this:
Hope this helps.
I believe this is happening because of the `cognito` OAuth token which gets placed in a cookie when you use a social IdP. Just to clarify, this is how the social IdP process works:
your site -> cognito oauth -> google oauth
So, technically you’re not trying to connect directly with Google but with Cognito, which will forward the request to Google.
The issue is that when the process is successful it will also place a cookie on your site, called `cognito`. Now, when you’re trying to log out via `Auth.signOut()`, it will clear the user session from your site and invalidate the tokens, but that cookie will not be cleared or invalidated. In order to fix this, when the user tries to log out, you should redirect the browser to the Cognito OAuth logout page
`https://<domain>.amazoncognito.com/logout?....`
ref: https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
and as `logout_uri` you should have a page on your site which will call `Auth.signOut()` in order to clear the user session. So the process looks like this:
user clicks logout button => redirect to amazoncognito /logout => redirects back to <your site>/logout => call Auth.signOut()
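The two halves of the flow this answer describes, as an added example that is not code from the question or from any answer. The Cognito domain, app client id and logout URI are constructed placeholders, and `navigate` / `auth` are injected stand-ins for `window.location.assign` and Amplify's `Auth` so the code runs offline.

```javascript
// Constructed placeholder configuration (substitute your own values).
// logoutUri must match one of the app client's registered sign-out URLs exactly.
const CONSTRUCTED_CONFIG = {
  domain: "example-app.auth.us-east-1.amazoncognito.com",
  clientId: "CLIENT_ID_PLACEHOLDER",
  logoutUri: "https://app.example.com/logout",
};

// Build the hosted-UI logout URL: /logout with client_id and logout_uri.
// URLSearchParams does the percent-encoding, so the redirect target never
// breaks the query string even when it contains ':' or '/'.
function buildCognitoLogoutUrl({ domain, clientId, logoutUri }) {
  if (!domain || !clientId || !logoutUri) {
    throw new Error("domain, clientId and logoutUri are all required");
  }
  const url = new URL(`https://${domain}/logout`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("logout_uri", logoutUri);
  return url.toString();
}

// Half 1, the logout button handler: a full-page navigation, not a fetch().
// The browser carries the hosted-UI session cookie on a navigation, and a
// navigation is never subject to CORS, which is what the fetch() attempt hit.
// `navigate` stands in for (u) => window.location.assign(u). Returns the URL used.
function startLogout(config, navigate) {
  const target = buildCognitoLogoutUrl(config);
  navigate(target);
  return target;
}

// Half 2, the page served at logoutUri: Cognito redirects back here after it
// has ended its own session; now clear the local Amplify session too.
// `auth` stands in for Amplify's Auth object (the real call is Auth.signOut()).
async function finishLogout(auth) {
  await auth.signOut();
  return "signed-out";
}

module.exports = { CONSTRUCTED_CONFIG, buildCognitoLogoutUrl, startLogout, finishLogout };
```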
I suspect this has to do with the cookie set in the hosted UI that is brokering your requests. Let’s walk through the steps here:
So far so good, you’re still in Cognito’s happy place.
Then you go to log out. This should be a matter of deleting your access token and submitting the refresh token to Cognito’s revoke endpoint. All is good; your app no longer has access.
However, if your app reinitiates authorization (step 1), what Cognito does in response is check for an active session cookie and, if it is found, skips the upstream authorization to Google.
Meaning if a user signs out within an hour of signing in, they won’t be prompted for authorization from Google (steps 2 and 3).
That session validity period is not configurable, so there is no way to change this behavior.