OIDC Logout for AWS Cognito #132

@rieckpil

Description

Type: Feature

Is your feature request related to a problem? Please describe.

AWS Cognito doesn't implement the OpenID Connect RP-Initiated Logout specification (in draft) yet. When using AWS Cognito together with Spring Security for OAuth 2.0 Login (aka OIDC), every user will still be logged in at the identity provider when they log out at the Spring backend. Spring Security already provides an OidcClientInitiatedLogoutSuccessHandler to log the end-user out at the identity provider as well (technically an additional HTTP call to the identity provider when the user decides to log out), but as AWS Cognito doesn't implement the spec, it's of little help.

For Stratospheric we implemented our own SimpleUrlLogoutSuccessHandler to achieve the full logout. Our (naive) solution looks like the following:

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * After the local Spring Security logout, redirects the browser to the Cognito
 * hosted-UI logout endpoint so the identity-provider session is ended as well.
 */
public class CognitoOidcLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {

  // Cognito logout endpoint, e.g. https://<your-domain>.auth.<region>.amazoncognito.com/logout
  private final String logoutUrl;
  // App client id of the Cognito user pool
  private final String clientId;

  public CognitoOidcLogoutSuccessHandler(String logoutUrl, String clientId) {
    this.logoutUrl = logoutUrl;
    this.clientId = clientId;
  }

  @Override
  protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response,
                                      Authentication authentication) {

    // Base URL of this application (scheme, host, port, context path) without
    // path, query or fragment; Cognito redirects back here after its own logout.
    UriComponents baseUrl = UriComponentsBuilder
      .fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
      .replacePath(request.getContextPath())
      .replaceQuery(null)
      .fragment(null)
      .build();

    // Cognito expects client_id and logout_uri as query parameters; logout_uri
    // must be registered as an allowed sign-out URL on the Cognito app client.
    return UriComponentsBuilder
      .fromUri(URI.create(logoutUrl))
      .queryParam("client_id", clientId)
      .queryParam("logout_uri", baseUrl)
      .encode(StandardCharsets.UTF_8)
      .build()
      .toUriString();
  }
}
```

Describe the solution you'd like

For a Spring Cloud AWS + Spring Security + AWS Cognito setup, end-users should be fully logged out when they log out from the application (invalidated Spring session) and at the identity provider.

Describe alternatives you've considered

Some use cases might not favor a full logout, e.g. SSO with other applications. Hence the full logout should be an opt-in and not applied automatically.

Additional context

I've already blogged about a possible Spring Security and AWS Cognito OIDC logout to demonstrate a possible solution.

I'm looking forward to providing a PR with a possible solution in case you think it makes sense to add this feature.

Metadata

Labels

- component: cognito (Cognito integration related issue)
- status: ideal-for-contribution (We agree it's nice to have but it is not team priority)
- type: enhancement (Smaller enhancement in existing integration)