Queries Regarding OIDC Client Library Integration and Usage #16
Replies: 7 comments
-
Hello, I haven't used AWS Cognito but after checking their documentation, it seems AWS Cognito expects different parameters from OIDC Specification. To logout you need to override logout function for

```js
import { OIDCClient } from '@plusauth/oidc-client-js'

OIDCClient.prototype.logout = async function (options = {}) {
  // append additional logout params if required
  let logoutParams = `?client_id=${encodeURIComponent(this.options.client_id)}`;
  logoutParams += `&logout_uri=${encodeURIComponent(this.options.post_logout_redirect_uri)}`;
  if (!options.localOnly) {
    // redirect the browser to the provider's logout endpoint
    window.location.assign(`${this.options.endpoints.end_session_endpoint}${logoutParams}`)
  }
  // clear the locally stored auth state
  await this.authStore.clear()
}
```

Make sure to include the snippet before you construct an instance of OIDCClient. Also I don't know if AWS Cognito returns

Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
-
Please let me know if it works out
-
Thanks for your kind support, let me check with the solution you provided me and get back to you. By the way, is there any way to append the 'Access-Control-Allow-Origin: *' in the headers of any request?
-
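Where exactly do you receive CORS errors? It would be helpful to share request/response.

To pass extra headers you can use `extraTokenHeaders` option to OIDCClient. But that option will only be used in oauth2/oidc token endpoint which invokes a POST request.

Logout request is made by redirecting to the page so it is not an AJAX request. It won't invoke any CORS issues at all.

Also Access-Control-Allow-Origin won't have any effect as it is set by server in this case AWS Cognito.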
-
I am getting the CORS errors when the initialize method is called, when it triggers the GET request to retrieve the well-known configurations for the issuer.

Yes, I see the CORS errors are triggered by AWS Cognito in this case, but what I am thinking is if I explicitly pass the Access-Control-Allow-Origin as * in the header when the GET request is triggered would suffice the CORS error.

Correct me if I'm wrong.

Thanks
-
Passing headers won't do anything in this case. If it is in initialization stage then make sure your issuer url is correct.

For AWS Cognito it should be like this: `https://cognito-idp.{REGION}.amazonaws.com/{your user pool ID}`

If after you are sure the issuer is correct and you still get a CORS error please share request/response with me from your browser's developer tools.

Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints.html
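Why a header set by the client cannot resolve the CORS error discussed in the two replies above, as an added example that is not part of the thread or of the library: a simplified model of the browser's CORS checks for a request without credentials. The origin `https://app.example` and both server objects are constructed assumptions.

```javascript
// Added example: simplified model of the browser's CORS checks (constructed, not library code).
// Header names the Fetch standard treats as CORS-safelisted (value restrictions ignored here).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type', 'range']);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

const lower = (headers) =>
  Object.fromEntries(Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]));

// Request headers that force an OPTIONS preflight before the real request.
function nonSafelisted(requestHeaders) {
  return Object.keys(lower(requestHeaders)).filter((name) => !SAFELISTED.has(name));
}

function needsPreflight(method, requestHeaders) {
  return !SIMPLE_METHODS.has(method.toUpperCase()) || nonSafelisted(requestHeaders).length > 0;
}

// The browser reads Access-Control-Allow-Origin from the RESPONSE only.
// '*' is accepted here because the modelled request carries no credentials.
function originAllowed(origin, responseHeaders) {
  const allow = lower(responseHeaders)['access-control-allow-origin'];
  return allow === '*' || allow === origin;
}

// server = { responseHeaders, allowHeaders }: constructed stand-in for the remote endpoint.
function simulateFetch(origin, method, requestHeaders, server) {
  if (needsPreflight(method, requestHeaders)) {
    const allowed = (server.allowHeaders || []).map((h) => h.toLowerCase());
    const refused = nonSafelisted(requestHeaders).filter((h) => !allowed.includes(h));
    if (!originAllowed(origin, server.responseHeaders) || refused.length > 0) {
      return 'blocked:preflight';
    }
  }
  return originAllowed(origin, server.responseHeaders) ? 'ok' : 'blocked:response';
}

const ORIGIN = 'https://app.example'; // hypothetical SPA origin
const clientHeader = { 'Access-Control-Allow-Origin': '*' }; // header added by the client
const silentServer = { responseHeaders: {} }; // sends no CORS headers
const openServer = { responseHeaders: { 'Access-Control-Allow-Origin': '*' } };

console.log(simulateFetch(ORIGIN, 'GET', {}, silentServer));
console.log(simulateFetch(ORIGIN, 'GET', clientHeader, silentServer));
console.log(simulateFetch(ORIGIN, 'GET', {}, openServer));
console.log(simulateFetch(ORIGIN, 'GET', clientHeader, openServer));
```

In the last case the client-added header turns a request that would have succeeded into a preflighted one that the server refuses, so the header makes the situation worse rather than better.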
-
Okay, let me check
-
I am currently working on a personal project that integrates the OIDC Client library for authentication against AWS Cognito. I must express my appreciation for your work on developing such a comprehensive and versatile library that has significantly facilitated the authentication process.
However, as I delve deeper into implementing the library within my project, I have encountered a few queries that your expertise could greatly help me with.
Logout Flow with AWS Cognito:
The OIDC Client library seamlessly handles the login flow with AWS Cognito, providing a smooth user experience. Nevertheless, I need help managing the logout flow. Please provide guidance or insight into how the logout flow should be managed effectively with Amazon Cognito using the OIDC Client library.
Logout Flow with SAML and OKTA in AWS Cognito:
I have also been exploring integrating the OIDC Client library with SAML authentication through OKTA within the AWS Cognito environment. While the library excels at facilitating the login process, I am experiencing difficulties in appropriately handling the logout flow.
CORS Error Handling and Access-Control-Allow-Origin Header:
During my implementation, I encountered CORS errors while making requests to AWS. To mitigate this, I am interested in understanding how the OIDC Client library can be configured to effectively manage CORS issues. Additionally, if I wish to include the Access-Control-Allow-Origin: * header in the request headers for GET requests from my application, could you provide guidance on how to achieve this?
I am highly impressed by the capabilities of the OIDC Client library and would greatly appreciate your insights and guidance on these matters. Your expertise will undoubtedly help me overcome these challenges and ensure the successful implementation of the library within my project.
Moreover, if you could provide any usage guidelines, best practices, or resources specific to the scenarios I've outlined, it would immensely assist me in achieving a seamless integration.
Thank you for your time and consideration. Your assistance in resolving these queries would be invaluable to me, and I am genuinely looking forward to your response.