AWS Cognito Logout Bug?


I have been working on integrating my web application with AWS Cognito + Google Workspace as my IdP. I was able to successfully authenticate using the Authentication Code Flow with PKCE. However, I hit an unexpected snag: the logout was failing to properly end the session with Google Workspace.

Now, Google [Workspace] does not support the Single Logout (SLO) flow, so it isn't surprising that, after redirecting to the /logout endpoint, I was still logged into Google. What was troublesome, however, is that if I first logged my user out of AWS Cognito, then explicitly went over to Google and logged out, and then subsequently returned to my application to log in, it would instantly log me in again without requiring validation from Google Workspace!

This is a security hole; if a user logs out of my app and then someone else uses the same computer to log in, they would gain instant access to that previous user's account!

Fortunately, after a weekend of debugging, I was able to find a solution. Namely: before redirecting the user to the /logout endpoint, I first invoke the /oauth2/revoke endpoint to revoke the user's access + refresh tokens. Upon doing this, if I repeat the steps described above then the user will be forced to re-authenticate with Google Workspace.

What I can surmise from this is that the /logout endpoint is not properly revoking the user's tokens, as one would reasonably expect. Nor, again, have I found any documentation describing this as expected behavior.

Can someone from AWS please look into this and either update the documentation accordingly and/or fix this security bug? Much appreciated!

1 Answer

Thank you for bringing this important issue to our attention. You're correct that silently re-authenticating a user without requiring validation from the identity provider could lead to security vulnerabilities.

A few things to note here:

  1. Google Workspace does not support SAML SLO, so Cognito's /logout endpoint alone cannot fully sign the user out across both systems. [1]
  2. When a user logs out of Cognito, it only clears the session cookie, but ID tokens remain valid until expiration.
  3. Your solution of calling /oauth2/revoke before logout is a good workaround, as it invalidates refresh tokens stored in Cognito.

A few other things:

  1. Consider calling /oauth2/revoke on frontend logout in addition to backend calls.
  2. Set short ID token expiration times (e.g. 5 minutes) to reduce risk window if tokens are stolen.
  3. Add MFA for high-security applications to prevent token reuse even if stolen.
  4. Redirect to identity provider logout page in addition to Cognito logout.

Docs

[1]: SAML sign-out flow

AWS
answered a month ago
EXPERT
reviewed a month ago
  • Thanks Ibrahim. So it sounds like this ID token that persists in Cognito is probably the issue; it's avoiding re-authenticating with the IdP on /login because that token persists. Is that a good, secure design decision? Can we perhaps add a configuration option to AWS Cognito to revoke this ID token on logout? While my work-around is sufficient for the moment, I'd feel better if there wasn't the possibility for someone to pick up a user's session after /logout without them having to authenticate.
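The sequence the asker settled on (call /oauth2/revoke first, only then redirect to /logout) and the answer's items 3 and 4 (revoke before logout, then send the browser on to the IdP), as an added example. This is not the asker's code or AWS's; it is a server-side logout handler written for this page. The hosted-UI domain, client ID, client secret, logout URI, token values and the `session` dict are assumed placeholders, and the HTTP transport is injected as a function so the sequence runs offline. The request shapes follow the Cognito docs: POST `token=<refresh_token>` to `/oauth2/revoke` (HTTP Basic for a confidential client, `client_id` in the body for a public one; 200 with an empty body on success), then GET `/logout?client_id=...&logout_uri=...`. Token revocation must be enabled on the app client for the revoke call to succeed.

```python
"""Revoke-then-logout for an Amazon Cognito app client (illustrative; all config values are assumed)."""
import base64
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode


@dataclass(frozen=True)
class CognitoConfig:
    domain: str                   # hosted UI domain, e.g. "https://auth.example.com" (assumed value)
    client_id: str
    client_secret: Optional[str]  # None for a public (PKCE-only) client
    logout_uri: str               # must be registered as an allowed sign-out URL on the app client


def build_revoke_request(cfg: CognitoConfig, refresh_token: str) -> dict:
    """Build the POST to /oauth2/revoke.

    Cognito revokes refresh tokens; the access tokens issued from that refresh
    token become invalid with it. A confidential client authenticates with
    HTTP Basic (client_id:client_secret); a public client sends client_id in the body.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"token": refresh_token}
    if cfg.client_secret:
        creds = base64.b64encode(f"{cfg.client_id}:{cfg.client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:
        body["client_id"] = cfg.client_id
    return {"method": "POST", "url": f"{cfg.domain}/oauth2/revoke",
            "headers": headers, "body": urlencode(body)}


def build_logout_url(cfg: CognitoConfig) -> str:
    """GET /logout clears the hosted-UI session cookie and redirects the browser to logout_uri."""
    return f"{cfg.domain}/logout?" + urlencode({"client_id": cfg.client_id,
                                                 "logout_uri": cfg.logout_uri})


def logout(cfg: CognitoConfig, session: dict,
           http_post: Callable[[str, dict, str], int]) -> str:
    """Server-side logout handler.

    `session` stands in for the app's server-side session store for this user;
    `http_post(url, headers, body) -> status` is the HTTP transport (injected so the
    flow can be exercised without network access). Returns the URL to redirect the
    browser to. Revocation happens BEFORE the redirect, and a failed revocation aborts
    the logout: a still-valid refresh token would let the next person at the keyboard
    resume the session, which is exactly the hole described in the question.
    """
    refresh_token = session.get("refresh_token")
    if refresh_token:
        req = build_revoke_request(cfg, refresh_token)
        status = http_post(req["url"], req["headers"], req["body"])
        if status != 200:  # Cognito answers 200 with an empty body on success
            raise RuntimeError(f"token revocation failed with HTTP {status}; not redirecting to /logout")
    session.clear()  # drop the id/access/refresh tokens the app itself holds
    return build_logout_url(cfg)


if __name__ == "__main__":
    # Constructed sample run with a recording transport instead of a real HTTP client.
    cfg = CognitoConfig("https://auth.example.com", "abc123", "s3cret",
                        "https://app.example.com/signed-out")
    seen = []
    redirect_to = logout(cfg, {"refresh_token": "rt-xyz", "id_token": "id-1"},
                         lambda url, headers, body: seen.append((url, body)) or 200)
    print(seen[0])        # ('https://auth.example.com/oauth2/revoke', 'token=rt-xyz')
    print(redirect_to)    # https://auth.example.com/logout?client_id=abc123&logout_uri=...
```

The redirect target after `/logout` is the place to chain the IdP's own sign-out page if you want the answer's item 4 as well; Google has no SLO endpoint to call from Cognito, so that hop has to come from your application. Keep the refresh token server-side (or in an httpOnly cookie) so the revoke call is made by the backend that holds the client secret, not by browser code.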
