OIDC Logout for AWS Cognito

[rieckpil]

Type: Feature

Is your feature request related to a problem? Please describe.

AWS Cognito doesn't implement the OpenID Connect RP-Initiated Logout specification (in draft) yet. When using AWS Cognito together with Spring Security for OAuth 2.0 Login (aka. OIDC) every user will still be logged in at the identity provider when they logout at the Spring backend. Spring Security already provides a OidcClientInitiatedLogoutSuccessHandler to logout the end-user also at the identity provider (technically an additional HTTP call to the identity provider when the user decided to logout), but as AWS Cogntio doesn't implement the spec, it's of little help.

For Stratospheric we implemented our own SimpleUrlLogoutSuccessHandler to achieve the full logout. Our (naive) solution looks like the following:

public class CognitoOidcLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {

  private final String logoutUrl;
  private final String clientId;

  public CognitoOidcLogoutSuccessHandler(String logoutUrl, String clientId) {
    this.logoutUrl = logoutUrl;
    this.clientId = clientId;
  }

  @Override
  protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response,
                                      Authentication authentication) {

    UriComponents baseUrl = UriComponentsBuilder
      .fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
      .replacePath(request.getContextPath())
      .replaceQuery(null)
      .fragment(null)
      .build();

    return UriComponentsBuilder
      .fromUri(URI.create(logoutUrl))
      .queryParam("client_id", clientId)
      .queryParam("logout_uri", baseUrl)
      .encode(StandardCharsets.UTF_8)
      .build()
      .toUriString();
  }
}

Describe the solution you'd like

For Spring Cloud AWS + Spring Security + AWS Cognito setup, end-users should be fully logged-out when they log out from the application (invalid Spring Session) and at the identity provider.

Describe alternatives you've considered

Some use cases might not favor a fully-loggout for e.g. SSO with other applications. Hence the fully logout should be an opt-in and not applied automatically.

Additional context

I've already blogged about a possible Spring Security and AWS Cognito OIDC logout to demonstrate a possible solution.

I'm looking forward to provide a PR with a possible solution in case you think it makes sense to add this feature.

[maciejwalkowiak]

@eddumelendez your voice is very welcome here.

[eddumelendez]

this sounds good to me. I would suggest to have CognitoLogoutSuccessHandler and then an auto-configuration that creates the bean.

@rieckpil would you like to contribute to this one?

[rieckpil]

thanks for getting back to this issue 🙏 Yes, I'd like to contribute to this.

[eddumelendez]

it's yours.

[maciejwalkowiak]

To avoid double-work - ideally this should be done as a part of Cognito integration in 3.0 (migrated to AWS SDK v2)

[rieckpil]

Thanks for the info 👍 I should get to it in the next 1-2 weeks 🚀

[maciejwalkowiak]

nice thats awesome! Since i haven't touched much Cognito integration, @eddumelendez is a person to bug about it ;-)

Keep in mind that we've reorganised branches a bit - main is now where 3.0 development happens.

[rieckpil]

I'm a bit confused with the re-organization. I don't see any Cognito-relevant code in spring-cloud-aws-autoconfigure while in 2.4.x there's code available.

Do I first have to migrate the 2.4.x Cognito code to the main branch or how would you (@eddumelendez) recommend to integrate my new class?

In short, I need to add a new property to CognitoAuthenticationProperties and add a bean factory for LogoutSuccessHandler to CognitoAuthenticationAutoConfiguration. I have an early WIP (branching of 2.4.x here).

[maciejwalkowiak]

As far as I understand - to get basic Cognito auth we do not anything custom as it has been already covered by Spring Boot and Spring Security. For the purpose of implementing OIDC Logout we need CognitoProperties and perhaps a separate module for Cognito? @eddumelendez your opinion will be appreciated.

[dominik-kovacs]

Do we have any update on this?

[maciejwalkowiak]

@poklakni we are not actively working on this, I'll mark it as open for contributions.

[rieckpil]

I stopped working on the WIP (see here) after I didn't get any answer. Feel free to take over 🚀