diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index d42ec88ac6..867106d352 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -561,7 +561,15 @@ func buildOIDCEndSessionURL(ctx *context.Context, doer *user_model.User) string // https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout params := endSessionURL.Query() params.Set("client_id", oauth2Cfg.ClientID) - params.Set("post_logout_redirect_uri", httplib.GuessCurrentAppURL(ctx)) + + // AWS Cognito uses "logout_uri" instead of the standard "post_logout_redirect_uri" + redirectURI := httplib.GuessCurrentAppURL(ctx) + if oauth2Cfg.Provider == oauth2.ProviderNameAwsCognito { + params.Set("logout_uri", redirectURI) + } else { + params.Set("post_logout_redirect_uri", redirectURI) + } + endSessionURL.RawQuery = params.Encode() return endSessionURL.String() } diff --git a/services/auth/source/oauth2/providers_custom.go b/services/auth/source/oauth2/providers_custom.go index 65cf538ad7..6a4098dda6 100644 --- a/services/auth/source/oauth2/providers_custom.go +++ b/services/auth/source/oauth2/providers_custom.go @@ -120,4 +120,25 @@ func init() { }), nil }, )) + + RegisterGothProvider(&AwsCognitoProvider{}) } + +const ProviderNameAwsCognito = "aws-cognito" + +// AwsCognitoProvider is a GothProvider for AWS Cognito (based on OpenID Connect) +type AwsCognitoProvider struct { + OpenIDProvider +} + +// Name provides the technical name for this provider +func (c *AwsCognitoProvider) Name() string { + return ProviderNameAwsCognito +} + +// DisplayName returns the friendly name for this provider +func (c *AwsCognitoProvider) DisplayName() string { + return "AWS Cognito" +} + +var _ GothProvider = &AwsCognitoProvider{} diff --git a/web_src/js/features/admin/common.ts b/web_src/js/features/admin/common.ts index f0c0f5bee6..5753aad2b2 100644 --- a/web_src/js/features/admin/common.ts +++ b/web_src/js/features/admin/common.ts @@ -86,6 +86,7 @@ function initAdminAuthentication() { const provider = document.querySelector('#oauth2_provider')!.value; switch (provider) { case 'openidConnect': + case 'aws-cognito': document.querySelector('.open_id_connect_auto_discovery_url input')!.setAttribute('required', 'required'); showElem('.open_id_connect_auto_discovery_url'); showElem('.open_id_connect_external_id_claim');