Cannot logout from AWS Cognito

[adrfinance]

Hello,
I am using a code that looks like:

logout(): void {
  console.log('🚪 Logging out...');
  localStorage.clear();
  this.resetCircuitBreaker();
  this.updateAuthState({
    isAuthenticated: false,
    user: null,
    isProcessing: false,
    error: null
  });

  // AWS Cognito logout + redirect to login page
  const clientId = '12312312';
  const currentUrl = window.location.href;

  const redirectUri = encodeURIComponent(
    currentUrl.includes('localhost:4200')
      ? 'http://localhost:4200'
      : 'https://website.ai'
  );

  // Use redirect_uri (not logout_uri) to show login page after logout
  const logoutUrl = `https://website.us-east-2.amazoncognito.com/logout?client_id=${clientId}&redirect_uri=${redirectUri}&response_type=code&scope=openid`;

  console.log('🔗 Logout URL:', logoutUrl);
  
  // Redirect to logout (will show login page)
  window.location.href = logoutUrl;
}

it takes me to a login page of cognito, but when I signed in I am still signed in as another user, which means it didn't log me out in the first place. What am I doing wrong? How can I fix this issue?

[theRizwan]

The Fix:

Use the proper format for the AWS Cognito logout URL:
https://your-domain.auth.region.amazoncognito.com/logout
with ONLY the required params:
- client_id
- logout_uri

So, in your case:
- client_id: The App Client ID from Cognito (no secret)
- logout_uri: The URL where the user should be redirected after logout

logout(): void {
  console.log('🚪 Logging out...');
  localStorage.clear();
  this.resetCircuitBreaker();
  this.updateAuthState({
    isAuthenticated: false,
    user: null,
    isProcessing: false,
    error: null
  });

  const clientId = '12312312';
  const currentUrl = window.location.href;

  const redirectUri = encodeURIComponent(
    currentUrl.includes('localhost:4200')
      ? 'http://localhost:4200'
      : 'https://website.ai'
  );

  // Use logout_uri (not redirect_uri)
  const logoutUrl = `https://website.auth.us-east-2.amazoncognito.com/logout?client_id=${clientId}&logout_uri=${redirectUri}`;

  console.log('🔗 Logout URL:', logoutUrl);

  window.location.href = logoutUrl;
}

The updated code clears localStorage, resets auth state, and then
redirects the user to the correct logout URL to fully end the session on Cognito's side.

Note:
If you're using social logins (like Google/Facebook), Cognito won't fully log the user out
from those providers, the user may still appear "logged in" on return unless you handle
federated logout separately.

For testing, Incognito mode can help confirm if the logout is really working, since cookies
and cache can interfere in regular tabs.

[adrfinance]

Hi Rizwan, I tried what you said but it still does not logout :( I don't understand why this happens!

…

On Thu, Jul 17, 2025, 21:35 Rizwan Saleem ***@***.***> wrote: *theRizwan* left a comment (aws-samples/amazon-cognito-passwordless-auth#249) <#249 (comment)> The Fix: Use the proper format for the AWS Cognito logout URL: https://your-domain.auth.region.amazoncognito.com/logout with ONLY the required params: - client_id - logout_uri So, in your case: - client_id: The App Client ID from Cognito (no secret) - logout_uri: The URL where the user should be redirected after logout The updated code clears localStorage, resets auth state, and then redirects the user to the correct logout URL to fully end the session on Cognito's side. *Note:* If you're using social logins (like Google/Facebook), Cognito won't fully log the user out from those providers, the user may still appear "logged in" on return unless you handle federated logout separately. For testing, Incognito mode can help confirm if the logout is really working, since cookies and cache can interfere in regular tabs. — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACUMUVTDGVQNYZQRJVQPWOD3I7UHNAVCNFSM6AAAAACBYM77ZKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTAOBVGA2TANJUGU> . You are receiving this because you authored the thread.Message ID: ***@***.*** .com>

[theRizwan]

Hi @adrfinance , thanks for trying that!

To help troubleshoot further, can you please share your current AWS Cognito configuration, specifically the following:

1. App Client Settings (under "App client settings" in the Cognito User Pool console):

   • What is set for the Sign-in redirect URI?
   • What is set for the Sign-out redirect URI?
   • Are you using the Authorization code grant or Implicit grant?

2. Are you using any federated identity providers (like Google, Facebook, etc.)? If so, Cognito won’t fully sign out from those providers by default, and a separate logout from the IdP may be needed.

3. Are you seeing any cookies still present in the browser after hitting the logout URL? You can check using your browser’s DevTools (under Application → Cookies).

Also, for testing, try the logout flow in Incognito mode to ensure there's no cached session interfering.

Let me know, and we can dig deeper from there!

[adrfinance]

Thank you! Just a quick question (and will answer your questions later) - will this work is the sign in redirect and the sign out redirect uris are the same?

…

On Thu, Jul 17, 2025, 22:37 Rizwan Saleem ***@***.***> wrote: *theRizwan* left a comment (aws-samples/amazon-cognito-passwordless-auth#249) <#249 (comment)> Hi @adrfinance <https://github.com/adrfinance> , thanks for trying that! To help troubleshoot further, can you please share your current AWS Cognito configuration, specifically the following: 1. *App Client Settings* (under "App client settings" in the Cognito User Pool console): - What is set for the *Sign-in redirect URI*? - What is set for the *Sign-out redirect URI*? - Are you using the *Authorization code grant* or *Implicit grant*? 2. Are you using any *federated identity providers* (like Google, Facebook, etc.)? If so, Cognito won’t fully sign out from those providers by default, and a separate logout from the IdP may be needed. 3. Are you seeing any cookies still present in the browser after hitting the logout URL? You can check using your browser’s DevTools (under Application → Cookies). Also, for testing, try the logout flow in *Incognito mode* to ensure there's no cached session interfering. Let me know, and we can dig deeper from there! — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACUMUVSEU2AMJNUTIDY7CUL3I73OXAVCNFSM6AAAAACBYM77ZKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTAOBVGI2TEMBVGI> . You are receiving this because you were mentioned.Message ID: ***@***.*** .com>

[theRizwan]

Yes, it’s totally valid for the Sign-in redirect URI and the Sign-out redirect URI to be the same as long as:

• That URL is registered in both the Sign-in and Sign-out redirect URIs in your Cognito App Client settings.
• Your app knows how to handle both cases e.g., detect whether the user is returning from login or logout and respond accordingly.

For example, many apps redirect back to the same homepage or /auth/callback route after both login and logout. Just make sure your app handles those scenarios correctly.

Let me know once you get a chance to share the rest of your configuration details, happy to help you get this resolved!

[ottokruse]

Thanks for chiming in @theRizwan

@adrfinance is this question for this repository, it doesn't look like you use the code from this repository?

[adrfinance]

Allowed callback URLs multiple pages appear here, among which is https://dash.website.ai Allowed sign-out URLs multiple pages appear here, among which is https://dash.website.ai OAuth grant types Authorization code grant 2. Using Google Oauth but not sure it has anything to do with AWS Cognito 3. I am seeing the following cookies: AWSALBAuthNonce, AWSELBAuthSessionCookie-0, AWSELBAuthSessionCookie-1 4. When I try with incognito, it still keeps the previous user as logged in via AWS Cognito

…

On Thu, Jul 17, 2025 at 10:37 PM Rizwan Saleem ***@***.***> wrote: *theRizwan* left a comment (aws-samples/amazon-cognito-passwordless-auth#249) <#249 (comment)> Hi @adrfinance <https://github.com/adrfinance> , thanks for trying that! To help troubleshoot further, can you please share your current AWS Cognito configuration, specifically the following: 1. *App Client Settings* (under "App client settings" in the Cognito User Pool console): - What is set for the *Sign-in redirect URI*? - What is set for the *Sign-out redirect URI*? - Are you using the *Authorization code grant* or *Implicit grant*? 2. Are you using any *federated identity providers* (like Google, Facebook, etc.)? If so, Cognito won’t fully sign out from those providers by default, and a separate logout from the IdP may be needed. 3. Are you seeing any cookies still present in the browser after hitting the logout URL? You can check using your browser’s DevTools (under Application → Cookies). Also, for testing, try the logout flow in *Incognito mode* to ensure there's no cached session interfering. Let me know, and we can dig deeper from there! — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACUMUVSEU2AMJNUTIDY7CUL3I73OXAVCNFSM6AAAAACBYM77ZKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTAOBVGI2TEMBVGI> . You are receiving this because you were mentioned.Message ID: ***@***.*** .com>

[adrfinance]

Hi Otto, Sorry I was trying to find a solution to my issues because I am stuck. Maybe I posted it in the wrong place

…

On Fri, Jul 18, 2025 at 10:16 AM Otto Kruse ***@***.***> wrote: *ottokruse* left a comment (aws-samples/amazon-cognito-passwordless-auth#249) <#249 (comment)> Thanks for chiming in @theRizwan <https://github.com/theRizwan> @adrfinance <https://github.com/adrfinance> is this question for this repository, it doesn't look like you use the code from this repository? — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACUMUVV7ATE74GGGZOXQU633JCNMXAVCNFSM6AAAAACBYM77ZKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTAOBXGYZDONRVGY> . You are receiving this because you were mentioned.Message ID: ***@***.*** .com>

[adrfinance]

Rizwan, could the fact that I am using ALB be causing these issues/problems with the logout/login?

…

On Thu, Jul 17, 2025 at 10:52 PM Rizwan Saleem ***@***.***> wrote: *theRizwan* left a comment (aws-samples/amazon-cognito-passwordless-auth#249) <#249 (comment)> Yes, it’s totally valid for the Sign-in redirect URI and the Sign-out redirect URI to be the same as long as: - That URL is registered in both the Sign-in and Sign-out redirect URIs in your Cognito App Client settings. - Your app knows how to handle both cases e.g., detect whether the user is returning from login or logout and respond accordingly. For example, many apps redirect back to the same homepage or /auth/callback route after both login and logout. Just make sure your app handles those scenarios correctly. Let me know once you get a chance to share the rest of your configuration details, happy to help you get this resolved! — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACUMUVV22OG3IP7B5IVUUSL3I75GPAVCNFSM6AAAAACBYM77ZKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTAOBVGI4DMMRSGA> . You are receiving this because you were mentioned.Message ID: ***@***.*** .com>