
Cognito + Google + React - signout not working using aws amplify

I'm able to sign in with a Google account using the aws-amplify library in a ReactJS app.

When I log out and try to log in again, it doesn't ask me for the Google username & password. It uses the previous session (somehow) and redirects me back to my React application.

I read different questions and applied various solutions, but none of them is working for me.

Solution 1, which obviously doesn't work for Google logout:

import { Auth } from "aws-amplify";

const logout = () => {
    Auth.signOut(); // Amplify's method is signOut(); it only clears the local session
};

Solution 2:

const logout = async () => {   // async, since the body awaits fetch()
  const requestOptions = {
    method: "POST",
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
  };

  const url = `https://{domain}.amazoncognito.com/logout?client_id=xxx&response_type=code&scope=xxx&redirect_uri=http://xxx/logout`;

  await fetch(url, requestOptions);
};

But for some reason, it throws a CORS error.

  1. I don't know how and where to resolve the CORS issue. Is there anything that I need to configure in Cognito?

  2. I tried with method: "GET" instead of method: "POST", but I get the same CORS issue.

  3. I don't know if this approach is right or wrong. Let me know if there is some other clear way.

I need to know the right way to log out and destroy the user's session, so that the next time I try to log in, it asks me to enter the Google username & password.


Update

Solution 3:

const logout = () => {
    window.location.href = "https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://www.example.com";
};

With the above approach, it redirects me to the login page of my application, but unfortunately when I click on the Google Sign-in button again, it doesn't show the Google login screen or ask me to log in again. In other words, it keeps the session alive and doesn't log out of the Google account.

Auth.signout() won't sign you out from Google. So even though you signed out from the application, your Google session is still there.

Have a look at this answer.

When the user tries to sign in again, it will redirect you to Google, and there is a valid Google session, which means Google wouldn't ask you to provide credentials again. Therefore, Google will redirect you back to Cognito and then to the application.

That's why you wouldn't see the Google login page again in the first approach. Try this:

  • Sign out from the application.
  • In the same browser, navigate to Gmail and sign out (this will clear the Google session).
  • Try to log in to the app. At this point you will be asked to re-authenticate with Google.

Hope this helps.

I believe this is happening because of the Cognito OAuth token which gets placed in a cookie when you use a social IdP.

Just to clarify, this is how the social IdP process works: your site -> Cognito OAuth -> Google OAuth

So technically you're not trying to connect directly with Google but with Cognito, which will forward the request to Google.

The issue is that when the process is successful, it will also place a cookie on your site, called cognito.

Now, when you're trying to log out via Auth.signout(), it will clear the user session from your site and invalidate the tokens, but that cookie will not be cleared or invalidated.

In order to fix this, when the user tries to log out, you should redirect the browser to the Cognito OAuth logout page https://<domain>.amazoncognito.com/logout?.... (ref: https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html),

and as logout_uri you should have a page on your site which will call Auth.signout() in order to clear the user session.

So the process looks like this:

user clicks logout button => redirect to amazoncognito /logout => redirects back to <your site>/logout => call Auth.signout()
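The two-step flow described in this answer, written out as an added example (not code from the answer or from Amplify). The domain, client id and logout page are placeholders, and the Amplify `Auth` object is passed in rather than imported so the snippet runs stand-alone; note that the logout endpoint is reached by top-level navigation, not `fetch()`, which is also why the `fetch` in the question hits CORS.

```javascript
// Added example: Cognito hosted-UI sign-out in two steps, as the answer describes.
// COGNITO_DOMAIN, CLIENT_ID and LOGOUT_URI are placeholders; in the app, Auth is
// `import { Auth } from "aws-amplify"` and is passed in so the code runs stand-alone.
const COGNITO_DOMAIN = "your-domain.auth.us-east-1.amazoncognito.com"; // placeholder
const CLIENT_ID = "PLACEHOLDER_CLIENT_ID";                              // placeholder
const LOGOUT_URI = "https://www.example.com/logout";                    // placeholder

// Build https://<domain>/logout?client_id=...&logout_uri=... for the Cognito logout endpoint.
// logout_uri must exactly match a sign-out URL registered on the app client, so only
// an absolute https URL (or localhost during development) is accepted here.
function buildCognitoLogoutUrl(domain, clientId, logoutUri) {
  const target = new URL(logoutUri); // throws on a relative or malformed value
  if (target.protocol !== "https:" && target.hostname !== "localhost") {
    throw new Error("logout_uri must be an https URL registered as a sign-out URL");
  }
  const url = new URL(`https://${domain}/logout`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("logout_uri", logoutUri); // URLSearchParams percent-encodes the value
  return url.toString();
}

// Step 1, the logout button handler: leave the app by top-level navigation, not fetch().
// The endpoint clears the hosted-UI session cookie on the amazoncognito.com origin, which
// a cross-origin XHR cannot do (that is the CORS error the question ran into).
function startLogout(navigate = (href) => { window.location.href = href; }) {
  const href = buildCognitoLogoutUrl(COGNITO_DOMAIN, CLIENT_ID, LOGOUT_URI);
  navigate(href);
  return href;
}

// Step 2, on the /logout page Cognito sends the browser back to: clear the local
// Amplify session (tokens in storage) and send the user to the app's login page.
async function finishLogout(auth, navigate) {
  await auth.signOut();
  navigate("/login");
  return "/login";
}
```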

I suspect this has to do with the cookie set by the hosted UI that is brokering your requests. Let's walk through the steps here:

  1. Your app redirects to the hosted UI with the identity_provider param set to Google.
  2. The hosted UI redirects to Google.
  3. The user grants access and Google redirects back to the hosted UI.
  4. The hosted UI completes the code grant, sets a session cookie with a validity of 1 hour and redirects back to your app.
  5. Your app completes the code grant.

So far so good; you're still in Cognito's happy place.

Then you go to log out. This should be a matter of deleting your access token and submitting the refresh token to Cognito's revoke endpoint. All is good; your app no longer has access.

However, if your app reinitiates authorization (step 1), what Cognito does in response is check for an active session cookie, and if it is found, it skips the upstream authorization to Google.

Meaning if a user signs out within an hour of signing in, they won't be prompted for authorization from Google (steps 2 and 3).

That session validity period is not configurable, so there is no way to change this behavior.
