authts/react-oidc-context

React SPA - Unable to properly logout

ETFairfax opened this issue · 3 comments

Hello,

I've a simple app with the copy/paste code from the installation instructions with some additions.

I am able to click Sign In. Doing so redirects me to the OIDC Sign In screen, I fill in credentials, then I am redirected back to my React SPA and my access token is available. All good so far👍

However, clicking Sign Out I am redirected to OP /logout. If I then navigate back to the React SPA, when I click Sign In I am automatically signed in without being asked for credentials. How is that so?

I've cleared all application storage and it still seems to know who I am? The only way I get to the login screen is if I open an Incognito tab.

My Sign Out button has the following handler:

import { AuthProviderProps, useAuth } from 'react-oidc-context';

// From the installation instructions: strip code/state from the URL after the callback
const onSigninCallback = (): void => {
  window.history.replaceState({}, document.title, window.location.pathname);
};

const oidcConfig: AuthProviderProps = {
  authority: 'https://cognito-idp.region-xyz-1.amazonaws.com/my-pool-id',
  client_id: 'xyz',
  redirect_uri: 'http://localhost:4200', // Redirect URL must match Cognito's App client > Hosted UI > Allowed callback URLs
  onSigninCallback,
  // https://github.com/authts/oidc-client-ts/blob/main/docs/index.md#provider-specific-settings
  // no revoke of "access token" (https://github.com/authts/oidc-client-ts/issues/262)
  revokeTokenTypes: ['refresh_token'],
  // no silent renew via "prompt=none" (https://github.com/authts/oidc-client-ts/issues/366)
  automaticSilentRenew: false
};

// Inside a component rendered under <AuthProvider {...oidcConfig}>
function SignOutButton() {
  const auth = useAuth();
  const handleSignOut = async () => {
    // Redirects the browser to the OP's end-session (/logout) endpoint
    await auth.signoutRedirect({
      extraQueryParams: {
        client_id: oidcConfig.client_id,
        redirect_uri: 'http://localhost:4200',
        response_type: 'code'
      }
    });
    // Only runs until the navigation above unloads the page
    await auth.removeUser();
  };
  return <button onClick={handleSignOut}>Sign Out</button>;
}

Any ideas?

Edit: Could this be the issue? https://stackoverflow.com/questions/49309928/cant-destroy-aws-cognito-session-from-within-react-application
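The behaviour described above comes down to where the session lives: clearing the SPA's storage only discards the relying party's copy of the tokens, while the OP keeps its own SSO session cookie on its domain until the browser is sent to the OP's logout endpoint. Cognito's discovery document does not advertise an end_session_endpoint, so oidc-client-ts cannot build that URL from metadata alone. The following is an added example, not code from this issue or from the react-oidc-context/oidc-client-ts project: it builds the Hosted UI /logout URL explicitly, checks the return URI against an allow-list that mirrors the app client's "Allowed sign-out URLs" (so a sign-out cannot be turned into an open redirect), and shows how the pieces map onto the library's `metadata` override and `signoutRedirect` arguments. The Hosted UI domain, client id and URIs are placeholders.

```typescript
// Added example; the domain, client id and URIs below are placeholders, not values from the issue.

export interface CognitoLogoutSettings {
  // Hosted UI domain, e.g. https://example.auth.eu-west-1.amazoncognito.com (placeholder)
  hostedUiDomain: string;
  // App client id in the user pool
  clientId: string;
  // Must mirror App client > Hosted UI > Allowed sign-out URLs exactly
  allowedSignOutUris: string[];
}

// Exact-match allow-list check on the normalised URL; anything that does not parse,
// or is plain http to a host other than localhost, is rejected.
export function isAllowedSignOutUri(candidate: string, allowed: string[]): boolean {
  let parsed: URL;
  try {
    parsed = new URL(candidate);
  } catch {
    return false;
  }
  if (parsed.protocol !== 'https:' && parsed.hostname !== 'localhost') {
    return false;
  }
  return allowed.some((entry) => {
    try {
      return new URL(entry).href === parsed.href;
    } catch {
      return false;
    }
  });
}

// Builds the Hosted UI logout URL. Cognito ends its own session cookie on this
// request and then sends the browser to logout_uri; without this round trip the
// OP session survives even if the SPA wipes its local storage.
export function buildCognitoLogoutUrl(settings: CognitoLogoutSettings, logoutUri: string): string {
  if (!isAllowedSignOutUri(logoutUri, settings.allowedSignOutUris)) {
    throw new Error(`logout_uri is not in the sign-out allow-list: ${logoutUri}`);
  }
  const url = new URL('/logout', settings.hostedUiDomain);
  url.searchParams.set('client_id', settings.clientId);
  url.searchParams.set('logout_uri', logoutUri);
  return url.toString();
}

// Values to splice into react-oidc-context: `metadata` tells oidc-client-ts where the
// end-session endpoint is, and `signoutArgs` are passed to auth.signoutRedirect(...).
export function reactOidcSignOutSettings(settings: CognitoLogoutSettings, logoutUri: string) {
  if (!isAllowedSignOutUri(logoutUri, settings.allowedSignOutUris)) {
    throw new Error(`logout_uri is not in the sign-out allow-list: ${logoutUri}`);
  }
  return {
    metadata: { end_session_endpoint: new URL('/logout', settings.hostedUiDomain).toString() },
    signoutArgs: { extraQueryParams: { client_id: settings.clientId, logout_uri: logoutUri } },
  };
}

// Constructed sample settings for a local run
export const sampleSettings: CognitoLogoutSettings = {
  hostedUiDomain: 'https://example.auth.eu-west-1.amazoncognito.com',
  clientId: 'placeholder-client-id',
  allowedSignOutUris: ['http://localhost:4200/'],
};

console.log(buildCognitoLogoutUrl(sampleSettings, 'http://localhost:4200'));
```

In the component, call `auth.removeUser()` first and then `auth.signoutRedirect(signoutArgs)`, so the local tokens are gone before the navigation unloads the page; the OP-side cookie is only cleared by the redirect itself, which is why an allow-listed `logout_uri` rather than a stored-state wipe is the part that actually ends the session.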

However, clicking Sign Out I am redirected to OP /logout. If I then navigate back to the React SPA, when I click Sign In I am automatically signed in without being asked for credentials. How is that so?

Is there a session cookie placed by cognito-idp?

Looks like /oauth2/idpresponse does set a cognito cookie

...but how would that take effect if I clear all cookies (via dev tools)?