feat(oauth): Support AWS Cognito OAuth2 provider (#37607)

Using the standard OpenID Connect OAuth2 provider type doesn't work well for AWS Cognito. Most of the functionality works absolutely fine, however the query parameter `post_logout_redirect_uri` is not understood by Cognito and results in a bad experience when logging out. To combat this i've added a new `AWS Cognito` provider which is almost identical to the `Open ID Connect` type except it overrides the query parameter to `logout_uri` which is what Cognito expects. <img width="647" height="272" alt="image" src="https://github.com/user-attachments/assets/d4bb30e2-f25e-41a1-91cb-4efa67137c57" /> This then results in a nice experience logging out with no errors seen - even though the logout does succeed. Why AWS thought they would deviate from the OAuth spec in this particular area is beyond me... --------- Co-authored-by: Tom Thornton <tom.thornton@sony.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com>
2026-05-18 11:10:00 +00:00 · 2026-05-16 11:41:11 +01:00
parent 34fd3c9f06
commit 96e0dc15a3
3 changed files with 31 additions and 1 deletions
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -561,7 +561,15 @@ func buildOIDCEndSessionURL(ctx *context.Context, doer *user_model.User) string
 	// https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
 	params := endSessionURL.Query()
 	params.Set("client_id", oauth2Cfg.ClientID)
-	params.Set("post_logout_redirect_uri", httplib.GuessCurrentAppURL(ctx))
+
+	// AWS Cognito uses "logout_uri" instead of the standard "post_logout_redirect_uri"
+	redirectURI := httplib.GuessCurrentAppURL(ctx)
+	if oauth2Cfg.Provider == oauth2.ProviderNameAwsCognito {
+		params.Set("logout_uri", redirectURI)
+	} else {
+		params.Set("post_logout_redirect_uri", redirectURI)
+	}
+
 	endSessionURL.RawQuery = params.Encode()
 	return endSessionURL.String()
 }
--- a/services/auth/source/oauth2/providers_custom.go
+++ b/services/auth/source/oauth2/providers_custom.go
@@ -120,4 +120,25 @@ func init() {
 			}), nil
 		},
 	))
+
+	RegisterGothProvider(&AwsCognitoProvider{})
 }
+
+const ProviderNameAwsCognito = "aws-cognito"
+
+// AwsCognitoProvider is a GothProvider for AWS Cognito (based on OpenID Connect)
+type AwsCognitoProvider struct {
+	OpenIDProvider
+}
+
+// Name provides the technical name for this provider
+func (c *AwsCognitoProvider) Name() string {
+	return ProviderNameAwsCognito
+}
+
+// DisplayName returns the friendly name for this provider
+func (c *AwsCognitoProvider) DisplayName() string {
+	return "AWS Cognito"
+}
+
+var _ GothProvider = &AwsCognitoProvider{}
--- a/web_src/js/features/admin/common.ts
+++ b/web_src/js/features/admin/common.ts
@@ -86,6 +86,7 @@ function initAdminAuthentication() {
    const provider = document.querySelector<HTMLInputElement>('#oauth2_provider')!.value;
    switch (provider) {
      case 'openidConnect':
+      case 'aws-cognito':
        document.querySelector<HTMLInputElement>('.open_id_connect_auto_discovery_url input')!.setAttribute('required', 'required');
        showElem('.open_id_connect_auto_discovery_url');
        showElem('.open_id_connect_external_id_claim');