
I am able to log out and log in, but there is 1 particular scenario which I am not able to achieve.

Scenario:

  • User logs in using federated social login (Google), using hosted UI directly.
  • Now when the user clicks on logout, it directs them to the AWS Cognito logout URL:
https://xxxxxxx.auth.us-east-2.amazoncognito.com/logout?response_type=token&client_id=xxxxxxxxx&logout_uri=https://abc/logout.html

It logs out the user successfully and redirects the user to the logout page as mentioned in the URL.

  • Now when the user tries to log in again with a different account, he is forced to use his previous Google login only.

I want functionality such that a user can log out and log in again; if he wants, he can then log in with the same account or with a different one, depending on his choice.

The important point to note is that I can't use AWS Amplify or any JavaScript framework, only plain JavaScript.

Aditya toke

2 Answers


The reason you are always forced to log in with the same user seems to be that the /logout endpoint only logs out the user on Cognito, but Cognito does not communicate to Google that it should log you out of your device. Thus, every time you sign back in and the Google authentication screen is launched, Google still remembers the device and sees that you're still logged in. As a result, the redirect URI is triggered without you ever being prompted to choose a new account.

I'm running into the same issues on a React Native project, but have yet to find any evidence that Cognito offers an endpoint to force it to also sign you out of the Identity provider (i.e. Google).

PS: Here's another Stack Overflow discussion with more info: AWS Cognito - How to force select account when signing in with Google

One of the responses in that thread mentions calling Google's logout endpoint directly as part of the sign-out flow. It's definitely not pretty, but since you're using plain JavaScript it might be a sufficient solution.

If you find a cleaner solution please make sure to share it, as I'd be interested to hear what you find :)

sc00ter

Well, I got it working, but I don't think it's an issue; it's a kind of behaviour that every developer who is trying to integrate Google login into their application should know. Here are the few scenarios I have checked and their respective behaviour.

My AWS Cognito login URL:

https://xxxxxxx.auth.us-east-2.amazoncognito.com/oauth2/authorize?identity_provider=Google&redirect_uri=https://xxxxxx/login.html&response_type=TOKEN&client_id=xxxxxxxxxxxxxxxxx&scope=phone%20email%20openid%20profile

My AWS Cognito logout URL:

https://xxxxxxxxx.auth.us-east-2.amazoncognito.com/logout?client_id=xxxxxxxxxxxxxxxxxxxx&logout_uri=https://xxxxxxxxxxxxx/logout.html

When I log out using the above URL, I don't get logged out from the Chrome browser.

This behaviour is an issue for many people.

So when your Chrome browser has only 1 account logged in, AWS Cognito Google login won't redirect to a page where you can select a different user, because you have only a single user, through which it gets logged in directly.

Found out how we can show multiple logins: if you want another user to log in, then he needs to first sign in to the Chrome browser, and when he clicks on Google login from the website he will be able to select a user, as in Chrome we now have 2 users logged in to Google, from where he can select which user he wants to use for access.

I won't be accepting this as an answer because it's not how everyone wants this behaviour; I will wait a few days to see if someone can suggest a better way. I think, for now, we have to go with this.

Aditya toke
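Putting the two answers together in plain JavaScript, as an added example that is not code from either poster: it builds the hosted-UI authorize and logout URLs with the same parameters shown above, parses the implicit-flow tokens out of the redirect fragment, and lists the sign-out order the first answer points at. The app-client values are placeholders, and the Google logout URL is an assumption taken from that answer's pointer to the other thread, not something this page states.

```javascript
// Added example (not from either answer). Placeholder app-client values,
// constructed for illustration; replace with your own Cognito settings.
const CONFIG = {
  domain: 'xxxxxxx.auth.us-east-2.amazoncognito.com', // placeholder
  clientId: 'xxxxxxxxxxxxxxxxx',                       // placeholder
  redirectUri: 'https://xxxxxx/login.html',            // placeholder
  logoutUri: 'https://xxxxxx/logout.html',             // placeholder
};

// Authorize URL with the parameters from the second answer. identity_provider=Google
// skips Cognito's own login page and goes straight to Google, which is why the
// account Google already remembers in the browser gets picked without a prompt.
function buildLoginUrl(cfg) {
  const url = new URL(`https://${cfg.domain}/oauth2/authorize`);
  url.searchParams.set('identity_provider', 'Google');
  url.searchParams.set('redirect_uri', cfg.redirectUri);
  url.searchParams.set('response_type', 'token');
  url.searchParams.set('client_id', cfg.clientId);
  url.searchParams.set('scope', 'phone email openid profile');
  return url.toString();
}

// Logout URL from the second answer. This ends only the Cognito session; the
// logout_uri must exactly match a sign-out URL registered on the app client,
// otherwise Cognito refuses the redirect and shows an error page instead.
function buildLogoutUrl(cfg) {
  const url = new URL(`https://${cfg.domain}/logout`);
  url.searchParams.set('client_id', cfg.clientId);
  url.searchParams.set('logout_uri', cfg.logoutUri);
  return url.toString();
}

// response_type=token (implicit flow) returns the tokens in the URL fragment of
// redirect_uri. Read them once on login.html, then clear location.hash so the
// tokens do not stay in browser history or get leaked via Referer.
function parseFragmentTokens(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const tokens = {};
  for (const key of ['id_token', 'access_token', 'expires_in', 'token_type']) {
    if (params.has(key)) tokens[key] = params.get(key);
  }
  return tokens;
}

// Sign-out order for "log in again as someone else": forget local tokens, end
// the Cognito session, then end the Google session that the first answer says
// Cognito never touches. The Google URL is assumed from the linked thread, and
// it signs the user out of Google everywhere in that browser, not just here.
const GOOGLE_LOGOUT_URL = 'https://accounts.google.com/Logout'; // assumed
function signOutSteps(cfg) {
  return [buildLogoutUrl(cfg), GOOGLE_LOGOUT_URL];
}
```

In the page itself, clear any stored tokens before navigating to the first URL in signOutSteps, and let logout.html send the browser on to the second only when the user actually asked to switch accounts.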