We can't sign out the user which is signInWithSocialWebUI #2839

ScottLu77 opened this issue Jun 4, 2024 · 19 comments
Labels
question General question

Comments

ScottLu77 commented Jun 4, 2024

Before opening, please confirm:

Language and Async Model

Kotlin

Amplify Categories

Authentication

Gradle script dependencies

```groovy
// Put output below this line
dependencies {
    implementation 'com.amplifyframework:aws-api:2.18.0'
    implementation 'com.amplifyframework:aws-auth-cognito:2.18.0'
    ....
}
```

Environment information

```text
# Put output below this line
------------------------------------------------------------
Gradle 7.4
------------------------------------------------------------

Build time:   2022-02-08 09:58:38 UTC
Revision:     f0d9291c04b90b59445041eaa75b2ee744162586

Kotlin:       1.5.31
Groovy:       3.0.9
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          17.0.6 (JetBrains s.r.o. 17.0.6+0-17.0.6b829.9-10027231)
OS:           Linux 6.5.0-35-generic amd64
```

Please include any relevant guides or documentation you're referencing

No response

Describe the bug

We can't sign out a user who signed in with signInWithSocialWebUI.
When I call signOut, it pops up a web view instead of redirecting back to my app.

Reproduction steps (if applicable)

  1. Call Amplify.Auth.signInWithSocialWebUI(AuthProvider.custom(provider),...)
  2. Call Amplify.Auth.signOut()
  3. A web view opens
  4. The web view performs the sign-out through the configured URL
  5. It never redirects back to the app unless I manually close it.

Code Snippet

```kotlin
// Put your code below this line.
Amplify.Auth.signOut { signOutResult ->
    when (signOutResult) {
        is AWSCognitoAuthSignOutResult.CompleteSignOut -> {
            continuation.resume(true)
        }
        is AWSCognitoAuthSignOutResult.FailedSignOut -> {
            continuation.resume(false)
        }
    }
}
```
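The snippet above collapses the sign-out result to true/false and has no branch for the case the rest of this thread turns on: local tokens cleared while the browser (hosted UI) or identity-provider step did not finish, so the provider session may still be alive in the browser and the next web sign-in can silently land on the same account. The following is an added example, not code from the issue author or from the Amplify project. It keeps the coroutine-style wrapper the snippet implies, uses the `Amplify.Auth.signOut` callback and the `CompleteSignOut` / `FailedSignOut` classes shown on the page, and assumes the Amplify v2 `AWSCognitoAuthSignOutResult.PartialSignOut` result with `hostedUIError`, `globalSignOutError` and `revokeTokenError` fields, each carrying an `exception`; those field names are an assumption to verify against the Amplify version in use. The `SignOutOutcome` type and the two function names are this example's own.

```kotlin
import com.amplifyframework.auth.cognito.result.AWSCognitoAuthSignOutResult
import com.amplifyframework.core.Amplify
import kotlin.coroutines.resume
import kotlin.coroutines.suspendCoroutine

// Outcome the app acts on. These names are this example's own, not Amplify's.
sealed class SignOutOutcome {
    // Local tokens, Cognito session and hosted UI session were all cleared.
    object Complete : SignOutOutcome()

    // Local tokens were cleared, but a remote step failed. The browser or
    // identity-provider session may still be alive, so do not tell the user
    // they are fully signed out.
    data class Partial(val problems: List<String>) : SignOutOutcome()

    // Nothing was cleared (for example the custom tab was closed before the
    // redirect arrived, as discussed in this thread).
    data class Failed(val message: String) : SignOutOutcome()
}

// Suspend wrapper around Amplify.Auth.signOut that maps every result branch
// instead of collapsing the result to a boolean.
suspend fun signOutClassified(): SignOutOutcome = suspendCoroutine { cont ->
    Amplify.Auth.signOut { result ->
        val outcome = when (result) {
            is AWSCognitoAuthSignOutResult.CompleteSignOut -> SignOutOutcome.Complete

            is AWSCognitoAuthSignOutResult.PartialSignOut -> {
                // Assumed field names from the v2 result class; verify against your version.
                val problems = listOfNotNull(
                    result.hostedUIError?.let { "hosted UI: ${it.exception.message}" },
                    result.globalSignOutError?.let { "global sign-out: ${it.exception.message}" },
                    result.revokeTokenError?.let { "token revocation: ${it.exception.message}" },
                )
                SignOutOutcome.Partial(problems)
            }

            is AWSCognitoAuthSignOutResult.FailedSignOut ->
                SignOutOutcome.Failed(result.exception.message ?: "unknown error")

            // signOut delivers the generic AuthSignOutResult type, so keep a fallback.
            else -> SignOutOutcome.Failed("unexpected result ${result::class.simpleName}")
        }
        cont.resume(outcome)
    }
}

// Caller: choose the user-facing message from the branch that fired, so a
// partial sign-out is never reported as a complete one.
suspend fun signOutAndReport(): String = when (val outcome = signOutClassified()) {
    is SignOutOutcome.Complete -> "Signed out everywhere."
    is SignOutOutcome.Partial ->
        "Signed out of this app, but the identity provider session may still be active (" +
            outcome.problems.joinToString("; ") +
            "). Sign out of the provider in your browser before switching accounts."
    is SignOutOutcome.Failed -> "Sign-out did not complete: ${outcome.message}"
}
```

The point of the three-way split is that app-local state and provider-side session state can diverge: after `Partial`, the app should clear its own screens and caches but should not claim the provider session is gone, and after `Failed` it should not navigate as if the user were signed out at all.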

Log output

// Put your logs below this line


amplifyconfiguration.json

```json
{
    "UserAgent": "aws-amplify-cli/2.0",
    "Version": "1.0",
    "auth": {
        "plugins": {
            "awsCognitoAuthPlugin": {
                "UserAgent": "aws-amplify-cli/0.1.0",
                "Version": "0.1.0",
                "IdentityManager": {
                    "Default": {}
                },
                "Auth": {
                    "Default": {
                        "OAuth": {
                            "WebDomain": "xxx",
                            "AppClientId": "xxx",
                            "SignInRedirectURI": "xxx",
                            "SignOutRedirectURI": "myapp://",
                            "Scopes": [
                                "aws.cognito.signin.user.admin",
                                "email",
                                "openid",
                                "profile"
                            ]
                        },
                        "authenticationFlowType": "USER_SRP_AUTH"
                    }
                }
            }
        }
    }
}
```

GraphQL Schema

// Put your schema below this line

Additional information and screenshots

We are using an AWS SAML provider (Azure) and have enabled "Sign-out flow" for the custom provider.

Screenshot from 2024-06-04 12-28-39

@tylerjroach (Member)

Do you have your signout redirect url configured correctly through Cognito and your SAML provider?

Please post how HostedUIRedirectActivity is configured in your manifest. The redirect comes from the browser. If the app is correctly configured to receive the redirect, then there is a misconfiguration on the service side in failing to provide the redirect.

@tylerjroach tylerjroach added question General question and removed pending-triage Issue is pending triage labels Jun 4, 2024
ScottLu77 (Author) commented Jun 5, 2024

Hi Tyler,

Thanks for your reply. Here are my configurations:

1. We declare SignOutActivity in AndroidManifest.xml as follows
Screenshot from 2024-06-05 09-51-28

2. Here is my amplifyconfiguration.json
Screenshot from 2024-06-05 15-51-31

3. Here are the settings in AWS Cognito App integration
Screenshot from 2024-06-05 15-52-19

ScottLu77 (Author) commented Jun 5, 2024

Besides, we have turned on "Sign-out flow" to log out of Microsoft Entra, which is our identity provider, when calling Amplify.Auth.signOut()
Screenshot from 2024-06-05 10-04-22

In this case, we found that during sign-out it pops up a WebView and opens two pages:
The first one shows that the Microsoft account has been logged out.
The second one shows that your AWS account has been logged out.

Screenshot from 2024-06-05 10-39-26
Screenshot from 2024-06-05 10-39-47

By the way, I found that the second WebView URI is abnormal, as follows:
"https://login.microsoftonline.com/87d9efc2-1ebc-4845-a670-4356471354cb/oauth2/logoutredirect?lc=1028"
instead of
"xxxxx/logout_uri=androidvortex%3A%2F%2F"
I guess that's why it can't redirect to our app.

@tylerjroach (Member)

I've had another report in the past on issues with receiving the signout redirect with a Microsoft SAML and I'm not sure I ever received a final response from the customer as to what the issue was. Let me see if I can ask around some of our teams to see if they are familiar with what may be happening.

@ScottLu77 (Author)

Hi Tyler, thanks for your quick response. We look forward to having a solution in the future.

@AzureLiao

Same issue here, any update? Thanks.

@tylerjroach (Member)

I believe there's a likely misconfiguration on the Entra side. I was able to test with an Entra account and both signIn and signOut worked without issue.

Here is how the logout redirect is configured on the Entra side.

Screenshot 2024-06-10 at 4 38 33 PM

@vincetran vincetran added the pending-community-response Issue is pending response from the issue requestor label Jun 10, 2024
ScottLu77 (Author) commented Jun 11, 2024

Hi Tyler, unfortunately, I followed your instructions to add the logout URL; however, it doesn't work.

Screenshot from 2024-06-11 13-29-11

Our application is stuck on this web page, and the URL is as follows.

Screenshot from 2024-06-11 16-04-14

"https://hulkdevsignup.auth.ap-northeast-1.amazoncognito.com/saml2/logout?SAMLResponse=fZLBbtswDIZfxdBdlixLliw4Bor1EqC9LEUPuwyKxCRGbckw5bXY0y9x0EOBoUcS%2fMn%2fI9mhm8bZPqVzWvNPwDlFhGL%2fuCO%2f66BaZaCm0jSayhNv6fHoNW2N0BDa5sSNJMUrLDikuCOi5KTYI66wj5hdzNcUF5LyhlbVC9dWSStFqVrxixSPgHmILm%2fKS84zWsYu6%2fgW4A8O57jOpVvzpXQzjWnJF3CYaVW6yf1N0adzHHIqfZrYzb5g42b%2fOj5%2bIrykG4EKRhgfaMurQKU%2bVdR5oWntjHHK8wC8IsXHNEa02x52ZF2iTQ4HtNFNgDZ7e3h4frJXOjsvKSefRtJ3G%2bdyl34vcoiw3DhJ%2f8mJGcv3IYb0jmWEzIwOLZy8oBUc%2fXXbUlHXaE5lrRqpq1pJf2Qdu8%2fsu%2fvFDtnlFb9GP1KA4tWNK3zvCbdqe1i9B0TC%2bo59bcr%2b9xX9Pw%3d%3d&RelayState=H4sIAAAAAAAAAFWOvW6EMBCE38U15lh7AUOXFHfNpcoDRHv-AQ6wERh0SpR3jynTjWY-zcwPI9YyWrgPa-wtbZHD1_vrhtduvc4sY48US1tiZYzjBkBx1A_HARqEGkGKxOiT8drtJEMvD5D6GWGU_jl6XWwJMOeGN2sYzJF27Ku9XJLtkv359nFPckqy36fR2GMbOr8vOe2xz_8fy2mm7-B16PwQQ67DeXBmLdSgikagEhlbWOto2mzG1lTpqEaBQnAyVHEsUHLlmpq7spQVVcpZU7LfP_a36kcFAQAA.H4sIAAAAAAAAAAEgAN__5lvEP8da-4JokdKt3JDIwTXgmpbb3Az-oigMPo-Lspy4GUWsIAAAAA.3&Signature=FhVCMk8cp5Kj5%2bpiOqgeiUSd4ivb%2fCI1%2fVCiN6eumUb8A0zAsrIB74804UWy%2bIKEFfWahWRrrkDzW%2bWgx8haGLfwn%2bVw1IItfQHd7NGIKFYpWKx5W6y9cYNKDw70MIRmeoF0KfDwDJYvmZFqFQbpnPNT0NEB7V9AMLB1X%2fxqSOd6XKnT0V8wV5bPPDZka78fl9kDP7NOs%2byJSkKU4EHhe8dVwM%2bsHWgDFgB019FZ1VWHkcFIyrZxpypnojJ4UD1iJhAuCFcwd5d2uGyuzOxuqZhYAxVBt0IyknzrxO1x5Gcavm78OpEaWt%2b28eNUBDfbZW7OuEJAUn67eC9RP0NiVA%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256#"

@github-actions github-actions bot removed the pending-community-response Issue is pending response from the issue requestor label Jun 11, 2024
tylerjroach (Member) commented Jun 11, 2024

Hi @ScottLu77, I think we've gotten the issue narrowed down.

I had not enabled the Sign Out Flow on the Cognito side. Once I did this, I was able to observe the same issue you were running into.

The Cognito documentation states: "Your IdP must send the LogoutResponse in an HTTP POST request."

I've found a post on a Microsoft support site that shows Entra does not support HTTP Post binding for sign out.

ScottLu77 (Author) commented Jun 12, 2024

Hi Tyler, thanks for your feedback.
We enabled the Sign Out Flow on Cognito to let users SSO log in with different social logins from the same provider.
We had the same request as 1287.
If there is any alternative solution, it would be much appreciated.

@tylerjroach (Member)

I'm sorry, without support from Entra on providing the LogoutResponse as an HTTP POST request, there are no alternatives I can provide.

The other issue we face is that Chrome Custom Tabs do not allow us to clear browser session/cookie information. This is the reason the signOut method is only able to clear credentials on the Cognito side, and not third party social provider.

ScottLu77 (Author) commented Jun 12, 2024

So you mean it's not possible to let a user SSO log in to a different account without Google Android support?
Besides that, enabling Sign Out Flow on Cognito runs into my problem, and that is unsolvable as well without Entra's support?

@tylerjroach (Member)

The user could log into a different account if they open a web browser and log out of Microsoft Entra manually. I understand this is not a great experience, but there are no APIs that allow us to control web sessions/cookies from Microsoft in the browser. That is not something we have permission to do. Unfortunately, due to Entra's limitation in providing the LogoutResponse, Cognito is not getting the required information it needs to complete the sign-out and redirect the user back into the application.

@ScottLu77 (Author)

But why is it that everything works well when I switch back to android-amplify v1 (1.38.8)?

@tylerjroach (Member)

Hi @ScottLu77,

Amplify v1 had a 10 second wait on receiving the redirect. If the 10 second timeout was hit, the rest of the sign out (ex: clearing the local tokens) would succeed.

This behavior was modified in v2 to ensure that the browser signout succeeded. This decision was made because calling signInWithHostedUi after a failed browser sign out would automatically re-sign the user in as the cached user, even in the non-social sign in flow.

Can you please confirm how Amplify v1 behaves on signOut? I would expect it to hang in the browser on the "An error was encountered with the requested page" screen. Then, once 10 seconds have passed or the user cancels, the local sign-out proceeds.

If you are not seeing this behavior, please let me know. It would be helpful to provide logs of the v1 sign out and possibly provide a video where we can see the redirects happening.

ScottLu77 (Author) commented Jun 17, 2024

Hi Tyler, here is the Amplify v1 behavior for your reference.
After sign-out, it pops up a WebView and opens two pages:
The first one shows that the Microsoft account has been logged out.
The second one shows that your AWS account has been logged out.

Screenshot_20240617_154452
Screenshot_20240617_154503

It seems that with Amplify v1, our app receives the redirect promptly and signs out successfully without waiting for the 10-second timeout.
Logcat is attached for your reference.

signout_v1.txt

The sign-out timestamp is "06-17 16:18:39.893".

tylerjroach (Member) commented Jun 24, 2024

> The second one shows your AWS account has been logged out.

I'm not sure that is showing AWS. That link is still a Microsoft link, not a Cognito link.

Do you have to close each of the windows, or does the redirect happen and automatically close the windows?

We can take a look on v1 behavior on our end and update the ticket.

ScottLu77 (Author) commented Jun 26, 2024

> > The second one shows your AWS account has been logged out.
>
> I'm not sure that is showing AWS. That link is still a Microsoft link, not a Cognito link.
>
> Do you have to close each of the windows, or does the redirect happen and automatically close the windows?
>
> We can take a look on v1 behavior on our end and update the ticket.

Yes, we need to programmatically close all windows and restart our app's welcome activity as follows.

```kotlin
val intent = Intent(context, WelcomeActivity::class.java)
intent.flags = Intent.FLAG_ACTIVITY_NEW_TASK or Intent.FLAG_ACTIVITY_CLEAR_TASK
context.startActivity(intent)
```

But at least Amplify v1 can sign out successfully.

@tylerjroach (Member)

Please provide a thumbs up or comment on this feature request ticket to help us prioritize a feature request that would allow local sign out to complete even if the sign out is cancelled (custom tab closed without receiving redirect). #2842
