aws-amplify/aws-sdk-ios

AWSCognitoAuth.m log out issue

Opened this issue · 1 comments

Describe the bug
This has been going on for quite a while for us and affects the log out feature of AWSMobileClient. We are using third-party SSOs configured in Cognito to log in our users. Everything is configured correctly and has worked (almost) for years. Login is always OK.
But, log out has some issues as follows:

Observed Behavior

If I call AWSMobileClient.default().signOut(options: SignOutOptions(signOutGlobally: true, invalidateTokens: true)) { error in .... }, it never returns from the AWS code. It gets stuck somewhere on the way and the app doesn't log out correctly.

I started to dig deeper into the AWS code and tried to find out where it gets stuck. Everything boils down to AWSCognitoAuth.m, around line 918 in the current version.
It's a method (old Objective-C) called processURL that has this condition:

else if ([urlLowerCaseString hasPrefix:signOutRedirectLowerCaseString]) { ... }. This is the if-else branch where it should go when logging out.

The problem is that the condition is false, so the entire function returns NO, thus blocking everything and not returning any answer to AWSMobileClient (that's a problem in itself; even if the else if is wrong, it should never get stuck).

Now the reason why that else if condition is wrong is because my values are something like this:

urlLowerCaseString = prod-XXX://signout
signOutRedirectLowerCaseString = https%3a%2f%2flogin.XXX.fr%2XYZ%2fauth-ui%2flogout%3fclient_id%3YYYYYYY%26post_logout_redirect_uri%3dprod-XXX%3a%2f%2fsignout (I masked out the actual IDs)

So as you can see the else if will never be true and it will never execute the logout code.

Every time I do a pod install, I have to manually change the else if to:

else if ([signOutRedirectLowerCaseString containsString:[self fullEncodeObjc:urlLowerCaseString]]) { ...}

and create a func myself:

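- (NSString *)fullEncodeObjc:(NSString *)str {
    // Allow every character except : = / ? & so the second pass percent-encodes those too.
    NSCharacterSet *customAllowedCharacterSet = [[NSCharacterSet characterSetWithCharactersInString:@":=/?&"] invertedSet];

    // First pass: standard URL-query encoding.
    NSString *encodedString = [str stringByAddingPercentEncodingWithAllowedCharacters:[NSCharacterSet URLQueryAllowedCharacterSet]];
    // Second pass: encode the remaining delimiters, then lowercase to match signOutRedirectLowerCaseString.
    return [[encodedString stringByAddingPercentEncodingWithAllowedCharacters:customAllowedCharacterSet] lowercaseString];
}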

Our configuration is correct and it WORKS in the Android SDK.

Can you please explain what's happening and why the logout condition is 'wrong'?

Expected Behavior
signOut should return in the callback, not get stuck in aws code.

Areas of the SDK you are using (AWSMobileClient, Cognito, Pinpoint, IoT, etc)?
Cognito, AWSMobileClient

Environment (please complete the following information):
Doesn't really matter; it has been happening for at least 1+ years, with various AWS versions (including the latest) and various iOS/Xcode versions


@dcristolovean Do you want to open a PR with that fix? And our team will look into it.
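
A stricter alternative to the `containsString:` workaround in the issue, as an added example that is not code from the issue author or from the SDK: it decodes the configured sign-out URI once and requires an exact scheme, host and path match, either against the configured URI itself or against its `post_logout_redirect_uri` value, so a callback that merely appears as a substring of the configured string is not accepted. `SameTarget`, `IsSignOutCallback` and the sample URIs are hypothetical names and constructed values.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helpers (not part of AWSCognitoAuth).
// Compare scheme and host case-insensitively and the path exactly.
static BOOL SameTarget(NSURLComponents *a, NSURLComponents *b) {
    if (a.scheme.length == 0 || b.scheme.length == 0) { return NO; }
    NSString *hostA = a.host ?: @"", *hostB = b.host ?: @"";
    NSString *pathA = a.path ?: @"", *pathB = b.path ?: @"";
    return [a.scheme caseInsensitiveCompare:b.scheme] == NSOrderedSame
        && [hostA caseInsensitiveCompare:hostB] == NSOrderedSame
        && [pathA isEqualToString:pathB];
}

static BOOL IsSignOutCallback(NSURL *callback, NSString *configuredSignOutUri) {
    NSURLComponents *cb = [NSURLComponents componentsWithURL:callback resolvingAgainstBaseURL:NO];
    // The configured value in the issue is percent-encoded as a whole: decode it once.
    NSString *decoded = [configuredSignOutUri stringByRemovingPercentEncoding] ?: configuredSignOutUri;
    NSURLComponents *cfg = [NSURLComponents componentsWithString:decoded];
    if (cb == nil || cfg == nil) { return NO; }
    if (SameTarget(cb, cfg)) { return YES; }
    // Otherwise the app callback is the target named inside the IdP logout URL.
    for (NSURLQueryItem *item in cfg.queryItems) {
        if ([item.name isEqualToString:@"post_logout_redirect_uri"] && item.value != nil) {
            NSURLComponents *target = [NSURLComponents componentsWithString:item.value];
            if (target != nil && SameTarget(cb, target)) { return YES; }
        }
    }
    return NO;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample values shaped like the masked ones in the issue.
        NSString *cfg = @"https%3a%2f%2flogin.example.fr%2frealm%2fauth-ui%2flogout"
                        @"%3fclient_id%3dCLIENT_ID%26post_logout_redirect_uri%3dprod-app%3a%2f%2fsignout";
        NSArray<NSString *> *callbacks = @[@"prod-app://signout",        // same scheme and host as the target
                                           @"prod-app://signout-other",  // different host
                                           @"other-app://signout"];      // different scheme
        for (NSString *s in callbacks) {
            NSURL *url = [NSURL URLWithString:s];
            NSLog(@"%@ -> %@", s, IsSignOutCallback(url, cfg) ? @"sign-out callback" : @"ignored");
        }
    }
    return 0;
}
```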