What does the Cognito Logout endpoint (/logout) actually do?
The documentation says:
The /logout endpoint signs the user out
and
This example clears the existing session ...
GET https://mydomain.auth.us-east-1.amazoncognito.com/logout?
client_id=ad398u21ijw3s9w3939&
logout_uri=https://myclient/logout
What does this mean? Does the logout endpoint invalidate refresh tokens / id tokens / access tokens for the user sending the request?
I don't think it could because the client_id refers only to App Client ID, not an individual user. It doesn't seem that the endpoint would even know what user the request is associated with.
So what does the /logout endpoint actually do?
- Newest
- Most votes
- Most comments
Log out only invalidates the session.
You can call the global sign out , this signs out users from all devices. It also invalidates all refresh tokens that Amazon Cognito has issued to a user.
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GlobalSignOut.html
Alternatively : If you want to invalidate the refresh token then the /oauth2/revoke endpoint revokes all of the access tokens that the specified refresh token generated. This is a POST hence this would be a custom signout flow since the log out only supports HTTPS GET
https://docs.aws.amazon.com/cognito/latest/developerguide/revocation-endpoint.html
Relevant content
- asked 2 years ago
- asked 21 days ago
AWS OFFICIALUpdated 6 months ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated a year ago
