Troubleshooting Steps
- Check the Logout URL Configuration in Cognito: Ensure that your Cognito User Pool logout URL is configured correctly. It should first redirect to the Azure AD logout URL and then to the Cognito logout callback URL. The logout flow should look like this: Cognito -> Azure AD logout -> Cognito logout callback.
- Clear Session/Cookies in Browser: After the session expires or after an hour of inactivity, try clearing cookies or local storage in your browser to see if that resolves the issue. The stale session could be causing a mismatch.
- Ensure Tokens Are Properly Invalidated: When the user logs out, ensure you're revoking the access token and refresh token via the revoke endpoint (/logout?token=<access_token>). However, just revoking the tokens won't log the user out of Azure AD unless the federated logout step is completed.
- Update the Logout Flow: You might need to explicitly redirect the user to Azure AD's federated logout endpoint by constructing the logout URL properly with the correct client ID and redirect URI: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout?post_logout_redirect_uri={callback_uri}
- Check Expiry Timing and Synchronize with Session: It's possible that the session in Azure AD isn't expiring in sync with your Cognito session. Verify that the expiry times for tokens and the browser session are aligned. You may also need to handle refresh token expiration correctly.
- Manual Redirection for Federated Logout: You can manually handle the redirection by implementing a custom logout process where you first redirect to the Azure AD logout endpoint before going to the Cognito logout endpoint. You can do this by invoking something like: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout?post_logout_redirect_uri={callback_uri}
Example of Full Federated Logout URL:
- Redirect to Azure AD logout first: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout?post_logout_redirect_uri={Cognito_logout_callback_uri}
- After Azure AD logout completes, Cognito will redirect back to your logout callback URL, where you can finalize the session termination on the Cognito side.
The behavior you're experiencing with AWS Cognito's federated logout functionality is indeed concerning and appears to be related to session management and token handling. This issue can potentially create a security vulnerability, as you've correctly identified.
The problem likely stems from how Cognito handles session expiration and token revocation. When a user remains inactive for an extended period (in your case, about an hour), it seems that Cognito may not be properly invalidating the session or revoking the tokens upon logout request.
To mitigate this issue, you can implement a few strategies:
- Before redirecting to the Cognito logout endpoint, first call the /oauth2/revoke endpoint to explicitly revoke the user's access and refresh tokens. This step helps ensure that the tokens are invalidated on the server side, even if the session appears to have expired.
- Consider setting shorter expiration times for ID tokens (e.g., 5 minutes) in your Cognito User Pool settings. This reduces the risk window if tokens are compromised or not properly invalidated.
- Implement additional client-side logout logic in your application to clear any local storage or state that contains user information.
- After the Cognito logout process, you may want to redirect users to the Azure AD logout page as well, to ensure they're fully signed out of their federated account.
- If possible, implement a periodic token refresh mechanism in your application to keep the session active and prevent the scenario where the session becomes stale after an hour of inactivity.
It's important to note that while these steps can help mitigate the issue, they may not completely resolve it in all scenarios due to the complexities of federated authentication and session management across different services.
This behavior should be reported to AWS support for further investigation and potential fixes on their end, as it appears to be an inconsistency in how Cognito handles session expiration and logout requests for federated users.
Sources
AWS Cognito Logout does not work on Safari for Google | AWS re:Post
AWS Cognitio Logout Bug? | AWS re:Post
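Added example (not code from either answer, nor from AWS or Microsoft): a Python sketch of the sequence both answers describe, revoke first, then the two-hop Azure AD -> Cognito logout chain, including the encoding check a practitioner needs because the Cognito /logout URL nested inside post_logout_redirect_uri carries its own query string. The tenant, Cognito domain, client ID and landing URL are constructed placeholders, and the sign-out allow-list is an assumption modelled on the pool's registered sign-out URLs.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values (assumptions, not taken from the thread).
AZURE_TENANT = "contoso.onmicrosoft.com"
COGNITO_DOMAIN = "https://my-app.auth.us-east-1.amazoncognito.com"
COGNITO_CLIENT_ID = "1example23456789"
APP_LOGOUT_LANDING = "https://app.example.com/logged-out"
# Only sign-out URLs registered on the app client should ever be accepted.
ALLOWED_LOGOUT_URIS = {APP_LOGOUT_LANDING}

def revoke_request(refresh_token: str) -> dict:
    """Step 0: the POST to Cognito's /oauth2/revoke, which revokes the refresh
    token and every access token issued with it (public client: form body)."""
    return {
        "method": "POST",
        "url": f"{COGNITO_DOMAIN}/oauth2/revoke",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"token": refresh_token, "client_id": COGNITO_CLIENT_ID}),
    }

def cognito_logout_url(logout_uri: str) -> str:
    """Step 2 target: the hosted-UI /logout that ends the Cognito session."""
    if logout_uri not in ALLOWED_LOGOUT_URIS:
        raise ValueError("logout_uri is not an allowed sign-out URL")
    query = urlencode({"client_id": COGNITO_CLIENT_ID, "logout_uri": logout_uri})
    return f"{COGNITO_DOMAIN}/logout?{query}"

def federated_logout_url(logout_uri: str) -> str:
    """Step 1: Azure AD logout whose post_logout_redirect_uri is the entire
    Cognito /logout URL; urlencode percent-encodes the nested '?' and '&'."""
    inner = cognito_logout_url(logout_uri)
    query = urlencode({"post_logout_redirect_uri": inner})
    return f"https://login.microsoftonline.com/{AZURE_TENANT}/oauth2/v2.0/logout?{query}"

def naive_federated_logout_url(logout_uri: str) -> str:
    """The common mistake: concatenating the inner URL without encoding it."""
    inner = cognito_logout_url(logout_uri)
    return f"https://login.microsoftonline.com/{AZURE_TENANT}/oauth2/v2.0/logout?post_logout_redirect_uri={inner}"

def chain_is_intact(url: str) -> bool:
    """Decode post_logout_redirect_uri once, as Azure AD does, and check that
    the Cognito URL it redirects to still carries both of its parameters."""
    outer = parse_qs(urlsplit(url).query)
    if "post_logout_redirect_uri" not in outer:
        return False
    inner = parse_qs(urlsplit(outer["post_logout_redirect_uri"][0]).query)
    return (inner.get("client_id") == [COGNITO_CLIENT_ID]
            and inner.get("logout_uri") == [APP_LOGOUT_LANDING])
```

With the naive concatenation, the `&logout_uri=` of the inner URL is split off at the outer level, so Cognito receives a /logout request without its logout_uri and the chain never reaches your landing page.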