Hello, @cranberyxl 👋 and thank you for opening this issue. Can you confirm that you're only seeing this issue when you upgraded to v6, and if you downgrade back to v.5x that the problem goes away?

The problem goes away in v5 only because we can use a custom webview solution like react-native-inappbrowser-reborn and as far as I can tell, the no https restriction was added in v6

@cranberyxl, thank you for the confirmation. I'll mark this as a bug then and review this with the team internally. We'll comment back with updates or further questions as we make progress.

cranberyxl when you configured SSO provider on Amazon Cognito you dont need to go to the sign out endpoint manually, you can configure that directly on Cognito. Have you tried that?

More information on Cognito docs

@elorzafe The nature of our auth setup does not allow for this. We need the ability to use different redirect urls in different scenarios on the react-native experience just like we would be able to do in a web context.

Hey @cranberyxl 👋 what is the use case you're looking to address where the Cognito-initiated IdP signout is not sufficient? Is there a particular solution you have in mind to address this?

@josefaidt Our authentication situation involes an upstream OIDC connection that then provides the SSO experience.

Cognito --OIDC--> Upstream IdP --SAML/OIDC--> IdP providing SSO experience

I have not been able to get the upstream provider to logout without directly calling its logout url as part of the logout redirect, which then properly handles the auth cookies in the browser session.

I don't understand why I can't provide a completely valid https signOut url to the new amplify library when using react native. I'm also very confused as to why there would be an array of signOut urls when only one of them can be redirected to after cognito signs out.

Ah thanks for the clarification @cranberyxl ! The OIDC provider is a great callout, as unfortunately the "single logout (SLO)" feature is only supported for SAML IdP's.

When a user signs in with third-party identity providers (IdPs), there's an extra step to perform. If a user signs in using one of the third-party IdPs, then visiting the logout endpoint clears the "cognito" cookie from the browser. However, the IdP can still have an active session. Consider the following information when you're clearing out the user's IdP session:

• Amazon Cognito supports the single logout (SLO) feature for Security Assertion Markup Language version 2.0 (SAML 2.0) IdPs with HTTP POST Binding. If your provider accepts HTTP POST Binding on its SLO endpoint, then consider implementing SLO for SAML IdPs. If a user visits the logout endpoint with SLO turned on, then Amazon Cognito sends a signed logout request to the SAML IdP. Then, the SAML IdP clears the IdP session.
• For social and OpenID Connect (OIDC) IdPs, you must create a custom workflow to clear the IdP session from the browser.

https://repost.aws/knowledge-center/cognito-logout-endpoint-globalsignoutapi

From the information above this falls into the "custom workflow" callout for OIDC IdP's to initiate the upstream signout.

I don't understand why I can't provide a completely valid https signOut url to the new amplify library when using react native. I'm also very confused as to why there would be an array of signOut urls when only one of them can be redirected to after cognito signs out.

This is a valid callout! We do allow configuring multiple signin/signout redirect URI's, however it is not surfaced to the client API as you've experienced. Although, this would be desirable for custom flows like you have where you're attempting to initiate signout for your upstream OIDC provider.

Let me chat with the team and follow-up with next steps 🙂

Hey @cranberyxl 👋 to provide an update here we'll keep this issue labeled as-is as we work towards a solution to enable this in favor of supporting upstream signout for oidc flows.

Any update on this?