aws-samples/cloudfront-authorization-at-edge

On signout Required String parameter 'redirect_uri' is not present

Dhyanesh97 opened this issue · 5 comments

I followed the steps mentioned in the blog below:
https://medium.com/@saurishkar/setting-up-aws-http-authentication-on-cloudfront-s3-using-cognito-and-lambda-edge-166ee38d471e

https://console.aws.amazon.com/lambda/home?region=us-east-1#/create/app?applicationId=arn:aws:serverlessrepo:us-east-1:520945424137:applications/cloudfront-authorization-at-edge

Set the parameters below:
CreateCloudFrontDistribution => False
EnableSPAMode => False
OAuthScopes => email, openid
Mentioned the user pool details


Cloudfront configuration:


When I redirect the app to the URL "<<'Your CloudFront url'>>/signout" it gives the error below in the browser.


In Cognito, under the app client settings, I specified the URLs as below.


Any help appreciated.

I am able to move ahead by updating signout URL in cognito.
From: "<<'Your CloudFront url'>>/signout"
To: "<<'Your CloudFront url'>>/"

But when I call "<<'Your CloudFront url'>>/signout" it is not redirecting me to the login page. It just comes back to the same page and shows the same content unless I refresh the page manually. On a manual refresh of the page it redirects me to the login page again.

Am I doing anything wrong?

Hi @Dhyanesh97

Here's a little explanation on how it is supposed to work.

SignOutUrl (default value /signout) is the path you can visit to sign out your user -- meaning to clear the JWTs from the Cookies and also sign out from the Cognito Hosted UI.

So if your Auth@Edge CloudFront URL is e.g. https://12345678.cloudfront.net then you could open https://12345678.cloudfront.net/signout in your browser to sign you out from Auth@Edge.

Signing out like that works as follows:

  1. First your JWT cookies are cleared (by Lambda@Edge)
  2. You are redirected to the Cognito signout endpoint (to sign you out from Cognito)
  3. After signout at Cognito, you are redirected back to your CloudFront distribution, at the RedirectPathSignOut (so e.g. https://12345678.cloudfront.net/)
  4. Since you are now no longer signed in, Auth@Edge should kick in, and redirect you to the Cognito Hosted UI to sign-in

(Yes it's redirect galore)

So, the RedirectPathSignOut is where Cognito redirects you back to at step 3 above, and must indeed match the value of "Sign Out URL(s)" in your app client config.

Hope that helps.
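To make steps 1 and 2 concrete, here is an added example (not the project's own code) of a Lambda@Edge-style viewer-request handler for the SignOutUrl path: it expires the token cookies and redirects to the Cognito Hosted UI logout endpoint with the RedirectPathSignOut as logout_uri, refusing to redirect when that URL is not in the configured allow-list (the same list that must match "Sign Out URL(s)"). The Cognito domain, client id, cookie name prefix and allowed URL are constructed placeholders.

```javascript
// Added example, not the project's code. Lambda@Edge viewer-request handler
// for the /signout flow described above: clear JWT cookies, hand off to Cognito.
const CONFIG = {
  cognitoAuthDomain: 'example-domain.auth.us-east-1.amazoncognito.com', // placeholder
  clientId: 'EXAMPLE_CLIENT_ID',                                       // placeholder
  cookiePrefix: 'CognitoIdentityServiceProvider.',                     // assumed cookie naming
  signOutUrl: '/signout',
  redirectPathSignOut: '/',
  // Must mirror "Sign Out URL(s)" of the Cognito app client (placeholder value).
  allowedSignOutUrls: ['https://12345678.cloudfront.net/'],
};

// Names of all cookies on the request (CloudFront lowercases header names).
function cookieNames(headers) {
  const raw = (headers.cookie || []).map((h) => h.value);
  return raw.flatMap((v) => v.split(';')).map((c) => c.trim().split('=')[0]).filter(Boolean);
}

// Step 1 + step 2: expire token cookies, 302 to Cognito /logout with logout_uri.
function buildSignOutResponse(request, config = CONFIG) {
  const host = request.headers.host[0].value;
  const logoutUri = `https://${host}${config.redirectPathSignOut}`;
  if (!config.allowedSignOutUrls.includes(logoutUri)) {
    // Cognito would reject this at step 3 with an unhelpful error; fail loudly here.
    throw new Error(`logout_uri ${logoutUri} is not an allowed Sign Out URL`);
  }
  // Max-Age=0 expires each token cookie; assumes they were set with Path=/.
  const expired = cookieNames(request.headers)
    .filter((n) => n.startsWith(config.cookiePrefix))
    .map((n) => ({ key: 'Set-Cookie', value: `${n}=; Max-Age=0; Path=/; Secure; HttpOnly` }));
  const location = `https://${config.cognitoAuthDomain}/logout` +
    `?client_id=${encodeURIComponent(config.clientId)}` +
    `&logout_uri=${encodeURIComponent(logoutUri)}`;
  return {
    status: '302',
    statusDescription: 'Found',
    headers: {
      location: [{ key: 'Location', value: location }],
      'set-cookie': expired,
      'cache-control': [{ key: 'Cache-Control', value: 'no-cache, no-store' }],
    },
  };
}

// Viewer-request entry point: only the SignOutUrl path is handled here;
// every other request is passed on unchanged to the normal auth check.
function handler(request, config = CONFIG) {
  if (request.uri === config.signOutUrl) return buildSignOutResponse(request, config);
  return request;
}
```

Because this runs at the edge, the browser must actually request /signout as a full navigation; an SPA router that swaps views client-side never triggers it, which matches the page-refresh workaround reported later in this thread.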

I see you're setting CreateCloudFrontDistribution to false, which means you must wire the Auth@Edge Lambda functions into your own CloudFront distribution yourself. An example of how to do that is here. To help you debug your template, could you paste your CloudFormation template here (redacting any sensitive things)?

Have you solved your issues @Dhyanesh97 ?


Yes, I solved the issue by adding a page refresh in the code itself, because Angular wasn't refreshing the entire page on logout.
Thank you for the explanation.

Great to hear!