oidc-cognito authenticator - log out process using AWS Cognito


Jakub A

Sep 2, 2022, 10:54:56 AM
to velociraptor-discuss
Hello, 

I use Cognito to authenticate with Velociraptor as part of the OIDC configuration. The login process works, but I have found that there is a problem triggering the logout process. AWS Cognito allows the use of "Sign out URL(s)", by which it immediately closes the session.
When I request that the Velociraptor session be closed as the client from the GUI, the request is generated as follows: https://URL/app/logoff.html?username=USERNAME, which only closes the internal session, but not the Cognito one. I think at this stage the Cognito GET request is not called as it's not configured.

Here is a sample of the Cognito log GET request.

GET https://<YOUR DOMAIN NAME>/logout?
client_id=xxxxxxxxxxxx&
logout_uri=com.myclientapp://myclient/logout

I wonder how I can achieve that, as I can't find that option in the OIDC configuration.

br
Jakub 

Mike Cohen

Sep 2, 2022, 11:03:28 AM
to Jakub A, velociraptor-discuss
I am not sure what you mean by logging off Cognito - we only use OIDC to verify the user and then exchange the auth with a session cookie. The logout page will delete the session cookie and so the user will be required to log in again.

BTW, we found in the past that Cognito was not standards compliant and buggy, so there is actually a special oidc-cognito authenticator that works around some of the issues with this provider. Just use "oidc-cognito" as the authenticator in the config file.


Thanks
Mike

Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
mi...@velocidex.com 

