IdP logout functionality not working as expected

I have been able to connect to AWS Cognito IdP and perform logins correctly. But when I log out of a perspective session using the Logout onClick Event Action, I am taken back to the perspective “Continue to Log In” screen. Upon clicking, it auto-logs in…without asking for credentials. I suspect something is not working correctly between Ignition and the IdP because further changes to the IdP configuration such as the Logout URL cause strange behavior on the Cognito side (such as indicating that the redirect_url, response_type and client_id parameters are missing). This might be a Cognito issue and its lack of proper documentation because the Logout API doesn’t require those particular parameters.
Has anyone experienced this? Did you end up picking a different IdP (because I’m getting to that point)? How are people logging out and ensuring you have to log in again with credentials?

Ignition implements the OpenID Connect RP-Initiated Logout spec. Does your AWS Cognito IdP’s Discovery Endpoint (the one with URL path that should end in /.well-known/openid-configuration) return a JSON object with an end_session_endpoint URL entry? Is this same URL used as the “Logout URL” in the IdP settings on the Ignition side?

Have you opened your web browser’s dev tools and followed the redirects in the Network tab to ensure logging out of Ignition redirects you to the IdP’s logout URL for logging out over there? We just fixed a bug in 8.1.3 where sometimes the logout redirects to the OIDC IdP would be cancelled prematurely from Perspective. Maybe you’re running into this? You’d see the cancelled requests in the aforementioned Network tab of your browser’s dev tools.

Unfortunately AWS Cognito does not return an end_session_endpoint. Also, I am on 8.1.2 so maybe the bug existed then too. You are correct that in the DevTools under Network…when I log out I do not see Ignition forwarding me to the Logout URL when I do not have “Always ask the IdP to re-authenticate…”
But if I turn this on, then I do get forwarded to the logout URL and subsequent login URL.
However, therein lies another problem. When I log back in again, Ignition does not log me in to the app again, I am presented with the “You must log in to continue” Login prompt. When I press continue, it logs in to the app. It’s as if the sequence of events is swapped.

For reference, this is what I put in the Logout URL under the Ignition IdP settings. I had to add everything after the “?” myself because I would get errors from Cognito (even though those aren’t the proper parameters for the logout endpoint according to documentation).
https://customdomain.auth.us-somewhere-1.amazoncognito.com/logout?client_id=XXXXX&response_type=code&redirect_uri=http://localhost:8088/data/federate/callback/oidc

This is what the well-known configuration returned

{
  "authorization_endpoint": "https://customdomain.auth.us-somewhere-1.amazoncognito.com/oauth2/authorize",
  "id_token_signing_alg_values_supported": ["RS256"],
  "issuer": "https://cognito-idp.us-somewhere-1.amazonaws.com/XXXXXXXX",
  "jwks_uri": "https://cognito-idp.us-somewhere-1.amazonaws.com/XXXXXXXX/.well-known/jwks.json",
  "response_types_supported": ["code", "token"],
  "scopes_supported": ["openid", "email", "phone", "profile"],
  "subject_types_supported": ["public"],
  "token_endpoint": "https://customdomain.auth.us-somewhere-1.amazoncognito.com/oauth2/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "userinfo_endpoint": "https://customdomain.auth.us-somehwere-1.amazoncognito.com/oauth2/userInfo"
}

If that's the case, then Ignition will be unable to log the user out of their IdP session.

I'm no AWS Cognito expert, but a quick glance at their docs and some basic Google searching has led me to believe that they do not support RP-initiated logout. They do have logout endpoints which do not comply with the OIDC spec. In theory, you could build your own web app which adapts the standard RP-initiated logout URL format with which Ignition complies to the non-standard logout URL format that AWS Cognito expects. This web app would have to be able to handle the redirect back from Cognito and adapt the redirect back to the Ignition callback URL. This "web app" could be built using the web dev module in theory... But that's a lot of work, you might also want to explore other IdPs if that is an option...
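An added example, not from this thread and not Ignition or AWS code, covering both the end_session_endpoint check asked about earlier and the adapter idea in the reply above: it inspects a discovery document for RP-Initiated Logout support, builds the spec-form logout request, and translates that request into the hosted-UI form Cognito's logout endpoint takes, then resumes the original flow on the way back. Assumptions: the Cognito-side parameter names client_id and logout_uri (the thread refers to the second as logout_url), the hostname adapter.example for the adapter, and that the adapter keeps the pending return URL server-side because the registered logout_uri must match exactly.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: the discovery document quoted in the thread, trimmed.
# Note there is no end_session_endpoint key.
COGNITO_DISCOVERY = {
    "issuer": "https://cognito-idp.us-somewhere-1.amazonaws.com/XXXXXXXX",
    "authorization_endpoint": "https://customdomain.auth.us-somewhere-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://customdomain.auth.us-somewhere-1.amazoncognito.com/oauth2/token",
}

def end_session_endpoint(discovery):
    """RP-Initiated Logout is only possible if the IdP advertises end_session_endpoint."""
    return discovery.get("end_session_endpoint")

def rp_initiated_logout_url(end_session, id_token_hint, post_logout_redirect_uri, state):
    """The request a spec-compliant RP sends to end_session_endpoint (OIDC RP-Initiated Logout names)."""
    params = [("id_token_hint", id_token_hint),
              ("post_logout_redirect_uri", post_logout_redirect_uri), ("state", state)]
    return f"{end_session}?{urlencode(params)}"

# Adapter state: pending logouts keyed by an opaque token the adapter would hand out as a cookie.
_pending = {}

def adapt_logout_request(incoming_url, cognito_logout_endpoint, client_id, adapter_callback, allowed_redirects):
    """Translate an RP-Initiated Logout request into the (assumed) Cognito hosted-UI logout form.
    Only an allow-listed post_logout_redirect_uri is accepted, so the adapter is not an open redirector."""
    qs = parse_qs(urlparse(incoming_url).query)
    target = qs.get("post_logout_redirect_uri", [None])[0]
    state = qs.get("state", [None])[0]
    if target not in allowed_redirects:
        raise ValueError("post_logout_redirect_uri is not an allowed return URL")
    token = secrets.token_urlsafe(16)
    _pending[token] = (target, state)
    # logout_uri must equal a Sign out URL registered in Cognito exactly (case included), so
    # nothing request-specific is appended to it; the pending entry carries that instead.
    cognito_url = f"{cognito_logout_endpoint}?{urlencode([('client_id', client_id), ('logout_uri', adapter_callback)])}"
    return cognito_url, token

def finish_logout(token):
    """Handle the redirect back from Cognito: resume the original RP flow, echoing its state."""
    target, state = _pending.pop(token)  # one-time use; an unknown token raises KeyError
    return f"{target}?{urlencode([('state', state)])}" if state else target
```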

Joel, I got it working. Thanks for the help. There were a few things I found out during this process:

  1. Cognito expects 2 parameters in the logout endpoint. client_id and logout_url, which Ignition does not send…perhaps because it is not in the OpenID spec.
  2. Cognito returns back erroneous errors when logout_url is not specified and assumes you want to perform a redirect…so expects a different set of parameters.
  3. The Ignition Logout URL code had to have “exact” casing as the Cognito Sign out URL. Because Perspective uses the project name in the URL as it is typed, I had only entered the lower cased version in the Sign Out URLs on Cognito.

This thread explains it a bit better

Oh I see, so you are hard-coding the client_id and logout_url query params in the logout URL and the logout_url param points to one of your projects in Perspective? Ignition will still encode some extra query params as per the OIDC spec onto the configured logout URL but AWS Cognito is clearly tolerant of those extra params, and luckily they do not clash with the ones they expect. I could see how that might work. Glad you figured something out.

Correct. Leaving Logout URL blank (as it is by default) caused an error of missing parameters, so I started hard-coding what it wanted one by one.

I was also able to implement boto3 site-package into Ignition so now I have ability to perform CRUD operations on users and groups via Ignition. It would be nice if this could somehow be incorporated into an IdP/Database Hybrid approach or at least give the Ignition Usersource the ability to send commands to Cognito as opposed to Active Directory’s LDAP protocol.