Skip to content

Revoke doesn't work with Cognito #642

Description

@sanjaymogarkarecc

Issue

I am trying to integrate with Cognito with Azure AD as the identity provider. Following the sample code provided, I managed to get the authentication working but the logout don't work. It gives error 405 which is "method not allowed".

Here is my config object.

const config : AuthConfiguration = {
    clientId: <client Id for client app in Cognito user pool>
    redirectUrl: <redirect url configured in congnito user pool client app config>,
    clientSecret: <client secret>, //It seems this is mandatory for Cognito
    additionalParameters: {
        response_type: 'code', //Didn't work without this
    },
    serviceConfiguration: {
        authorizationEndpoint: 'https://<cognito custom domain name configured>/oauth2/authorize',
        tokenEndpoint: 'https://<cognito custom domain name configured>/oauth2/token',
        revocationEndpoint: 'https://<cognito custom domain name configured>/logout       
    }
}

Can we get the example corrected to add additionalParameters.response_type and correct revocationEndpoint?

The endpoint for revocation given in the sample code (/oauth2/revoke) did not work for me - gave http 405. Cognito documentation https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html says that the correct endpoint is /logout so I tried that but got the same result.

To isolate the issue, I tried the endpoints from a browser. Here /oauth2/authorize did not work but /login worked and authentication was successful. I followed that with another call to /oauth2/authorize and it redirected me to correct URL without asking to enter credentials indicating that authentication information was in the cookie. At this point I called the /logout endpoint and it worked. When I tried to call /login again it asked me to enter user credentials. This means the cookie information was cleared and/or tokens were revoked i.e. /logout endpoint works as expected.

Based on the test results (HTTP 405) I suspected that react-native-app-auth is sending the revocation request as POST instead of GET. Cognito documentation says that it supports GET only.

Digging into index.js of this component I found that it is actually the case. In fact the revoke() implementation does not call native code but makes a POST call through javascript fetch(). Even if we use GET here, the browser cookie won't be cleared.

For completeness of SSO, I reckon we need following,

  1. Call native browser component when called revoke()
  2. Provide parameter to decide whether to use GET or POST

If any of the above cannot be done for a reason, it will be good to know that reason.


Environment

Identity Provider - Azure AD federated through AWS Cognito
Platform: iOS
Not using Expo

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions