What's the difference between the logout endpoint and the GlobalSignOut API in Amazon Cognito?

3 minute read

I want to understand how to use the logout endpoint and the GlobalSignOut API in Amazon Cognito.

Short description

The Amazon Cognito logout endpoint clears a user session from a browser. The GlobalSignOut API invalidates all the access and refresh tokens that are issued to a specific user.


Sign out users with the logout endpoint

When you use a hosted endpoint for user authentication, Amazon Cognito stores a cookie named "cognito" in your browser. The cookie is associated with the Amazon Cognito domain that's configured with your user pool. The cookie is valid for 1 hour. When a user tries to sign in again during an active session, Amazon Cognito asks the user if they want to continue their existing session. This allows the user to sign in without providing credentials. If a user chooses the Sign in as example_username button to use an existing session, then the cookie's validity resets to 1 hour.

When a user visits the logout endpoint in their browser, Amazon Cognito clears the session cookie. The user must provide their credentials to sign in again.

When a user signs in with third-party identity providers (IdPs), there's an extra step to perform. If a user signs in using one of the third-party IdPs, then visiting the logout endpoint clears the "cognito" cookie from the browser. However, the IdP can still have an active session. Consider the following information when you're clearing out the user's IdP session:

  • Amazon Cognito supports the single logout (SLO) feature for Security Assertion Markup Language version 2.0 (SAML 2.0) IdPs with HTTP POST Binding. If your provider accepts HTTP POST Binding on its SLO endpoint, then consider implementing SLO for SAML IdPs. If a user visits the logout endpoint with SLO turned on, then Amazon Cognito sends a signed logout request to the SAML IdP. Then, the SAML IdP clears the IdP session.
  • For social and OpenID Connect (OIDC) IdPs, you must create a custom workflow to clear the IdP session from the browser.

Sign out users with the GlobalSignOut API

When you use the GlobalSignOut API, Amazon Cognito revokes all the access and refresh tokens that are issued to a user. Note that only Amazon Cognito is informed of the token revocation. Your application might continue to accept the tokens until they expire.

Your application can use both the GlobalSignOut and AdminUserGlobalSignOut APIs to globally sign out users. When your application uses REST APIs for Amazon Cognito user authentication, you must use these APIs to sign out users.

When the application tries to use a revoked token, Amazon Cognito raises an error indicating that you revoked the refresh token. The user must sign in again to get a new set of JSON Web Tokens (JWTs).

You can configure the expiration time for your access and ID tokens in your user pool app client. You can change the expiration time to a value between 5 minutes and 24 hours.

AWS OFFICIALUpdated 2 months ago