Issue
I am trying to integrate with Cognito with Azure AD as the identity provider. Following the sample code provided, I managed to get the authentication working but the logout don't work. It gives error 405 which is "method not allowed".
Here is my config object.
const config : AuthConfiguration = {
clientId: <client Id for client app in Cognito user pool>
redirectUrl: <redirect url configured in congnito user pool client app config>,
clientSecret: <client secret>, //It seems this is mandatory for Cognito
additionalParameters: {
response_type: 'code', //Didn't work without this
},
serviceConfiguration: {
authorizationEndpoint: 'https://<cognito custom domain name configured>/oauth2/authorize',
tokenEndpoint: 'https://<cognito custom domain name configured>/oauth2/token',
revocationEndpoint: 'https://<cognito custom domain name configured>/logout
}
}
Can we get the example corrected to add additionalParameters.response_type and correct revocationEndpoint?
The endpoint for revocation given in the sample code (/oauth2/revoke) did not work for me - gave http 405. Cognito documentation https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html says that the correct endpoint is /logout so I tried that but got the same result.
To isolate the issue, I tried the endpoints from a browser. Here /oauth2/authorize did not work but /login worked and authentication was successful. I followed that with another call to /oauth2/authorize and it redirected me to correct URL without asking to enter credentials indicating that authentication information was in the cookie. At this point I called the /logout endpoint and it worked. When I tried to call /login again it asked me to enter user credentials. This means the cookie information was cleared and/or tokens were revoked i.e. /logout endpoint works as expected.
Based on the test results (HTTP 405) I suspected that react-native-app-auth is sending the revocation request as POST instead of GET. Cognito documentation says that it supports GET only.
Digging into index.js of this component I found that it is actually the case. In fact the revoke() implementation does not call native code but makes a POST call through javascript fetch(). Even if we use GET here, the browser cookie won't be cleared.
For completeness of SSO, I reckon we need following,
- Call native browser component when called revoke()
- Provide parameter to decide whether to use GET or POST
If any of the above cannot be done for a reason, it will be good to know that reason.
Environment
Identity Provider - Azure AD federated through AWS Cognito
Platform: iOS
Not using Expo
Issue
I am trying to integrate with Cognito with Azure AD as the identity provider. Following the sample code provided, I managed to get the authentication working but the logout don't work. It gives error 405 which is "method not allowed".
Here is my config object.
Can we get the example corrected to add additionalParameters.response_type and correct revocationEndpoint?
The endpoint for revocation given in the sample code (/oauth2/revoke) did not work for me - gave http 405. Cognito documentation https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html says that the correct endpoint is /logout so I tried that but got the same result.
To isolate the issue, I tried the endpoints from a browser. Here /oauth2/authorize did not work but /login worked and authentication was successful. I followed that with another call to /oauth2/authorize and it redirected me to correct URL without asking to enter credentials indicating that authentication information was in the cookie. At this point I called the /logout endpoint and it worked. When I tried to call /login again it asked me to enter user credentials. This means the cookie information was cleared and/or tokens were revoked i.e. /logout endpoint works as expected.
Based on the test results (HTTP 405) I suspected that react-native-app-auth is sending the revocation request as POST instead of GET. Cognito documentation says that it supports GET only.
Digging into index.js of this component I found that it is actually the case. In fact the revoke() implementation does not call native code but makes a POST call through javascript fetch(). Even if we use GET here, the browser cookie won't be cleared.
For completeness of SSO, I reckon we need following,
If any of the above cannot be done for a reason, it will be good to know that reason.
Environment
Identity Provider - Azure AD federated through AWS Cognito
Platform: iOS
Not using Expo