React SPA - Unable to properly logout #1206

Open
ETFairfax opened this issue Apr 17, 2024 · 3 comments
Labels
Amazon Cognito question Further information is requested


ETFairfax commented Apr 17, 2024

Hello,

I've a simple app with the copy/paste code from the installation instructions with some additions.

I am able to click Sign. Doing so redirects me to the OIDC Sign In screen, I fill in credentials, then I am redirected back to my React SPA and my access token is available. All good so far 👍

However, clicking Sign Out I am redirected to OP /logout. If I then navigate back to the React SPA, when I click Sign In I am automatically signed in without being asked for credentials. How is that so?

I've cleared all application storage and it still seems to know who I am? The only way I get to the login screen, is if I open an Incognito tab.

My Sign Out button has the following handler:

```ts
const handleSignOut = async () => {
  await auth.signoutRedirect({
    extraQueryParams: {
      client_id: oidcConfig.client_id,
      redirect_uri: 'http://localhost:4200',
      response_type: 'code'
    }
  });
  await auth.removeUser();
};
```

```ts
const oidcConfig: AuthProviderProps = {
  authority: 'https://cognito-idp.region-xyz-1.amazonaws.com/my-pool-id',
  client_id: 'xyz',
  redirect_uri: 'http://localhost:4200', // Redirect URL must match cognitos App client > Hosted UI > Allowed callback URLs
  onSigninCallback,
  // https://github.com/authts/oidc-client-ts/blob/main/docs/index.md#provider-specific-settings
  // no revoke of "access token" (https://github.com/authts/oidc-client-ts/issues/262)
  revokeTokenTypes: ['refresh_token'],
  // no silent renew via "prompt=none" (https://github.com/authts/oidc-client-ts/issues/366)
  automaticSilentRenew: false
};
```

Any ideas?

Edit: Could this be the issue? https://stackoverflow.com/questions/49309928/cant-destroy-aws-cognito-session-from-within-react-application

pamapa added the question (Further information is requested) and Amazon Cognito labels Apr 17, 2024

pamapa commented Apr 17, 2024

> However, clicking Sign Out I am redirected to OP /logout. If I then navigate back to the React SPA, when I click Sign In I am automatically signed in without being asked for credentials. How is that so?

Is there a session cookie placed by cognito-idp?


ETFairfax commented Apr 17, 2024

> > However, clicking Sign Out I am redirected to OP /logout. If I then navigate back to the React SPA, when I click Sign In I am automatically signed in without being asked for credentials. How is that so?
>
> Is there a session cookie placed by cognito-idp?

Looks like /oauth2/idpresponse does set a cognito cookie

...but how would that take effect if I clear all cookies (via dev tools)?

@ryanhsmfc

@ETFairfax

I just came to this library and started using it today. Maybe a late reply, but this is what I found with AWS Cognito.

Maybe for anyone who finds the same problem.

First I put this config as usual:

Note my region is Sydney.

```ts
const oidcConfig: AuthProviderProps = {
  authority: "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_xxxxxxx",
  client_id: "5nxxxxxxxxxxxxxxm",
  redirect_uri: "http://localhost:3000/login"
}
```

This is for the logout function:

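```ts
import { useAuth } from "react-oidc-context"

// client_id must be in scope here: the app client id,
// i.e. the same value as oidcConfig.client_id above.
export function useAuthSignoutRedirect() {
  const auth = useAuth()

  // Returns a handler that starts the sign-out redirect.
  return () =>
    auth.signoutRedirect({
      // aws cognito extras
      extraQueryParams: {
        client_id,
        logout_uri: "http://localhost:3000/logout"
      },
    })
}
```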
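An added example, not part of the thread and not the library's own code: it tells apart the two sign-out parameter sets posted above (`redirect_uri` + `response_type` in the first post, `logout_uri` in the last comment) and builds a `/logout` URL only for a `logout_uri` that exactly matches a registered sign-out URL. The domain `auth.example.com`, the client id, the URL list and both function names are assumptions made for illustration.

```javascript
// Constructed placeholders (assumptions, not values from the thread's real setup).
const HOSTED_UI_DOMAIN = "auth.example.com";
const CLIENT_ID = "constructed-client-id";
const ALLOWED_SIGN_OUT_URLS = ["http://localhost:3000/logout"];

// Name the shape of a set of sign-out query parameters.
function signoutParamShape(params) {
  const has = (k) => typeof params[k] === "string" && params[k] !== "";
  if (!has("client_id")) return "missing client_id";
  if (has("logout_uri") && !has("redirect_uri") && !has("response_type")) {
    return "logout_uri"; // shape used in the last comment
  }
  if (!has("logout_uri") && has("redirect_uri") && has("response_type")) {
    return "redirect_uri"; // shape used in the first post
  }
  return "mixed or incomplete";
}

// Build the sign-out URL, refusing any logout_uri that is not an exact
// match for a registered sign-out URL (no prefix or wildcard matching).
function buildSignoutUrl(domain, clientId, logoutUri, allowed) {
  if (!allowed.includes(logoutUri)) {
    throw new Error("logout_uri is not a registered sign-out URL: " + logoutUri);
  }
  const target = new URL(logoutUri);
  // Hardening choice of this example: plain http only for localhost.
  if (target.protocol !== "https:" && target.hostname !== "localhost") {
    throw new Error("logout_uri must use https: " + logoutUri);
  }
  const url = new URL("/logout", "https://" + domain);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("logout_uri", logoutUri);
  return url.toString();
}

console.log(signoutParamShape({
  client_id: CLIENT_ID, redirect_uri: "http://localhost:4200", response_type: "code",
}));
console.log(buildSignoutUrl(
  HOSTED_UI_DOMAIN, CLIENT_ID, "http://localhost:3000/logout", ALLOWED_SIGN_OUT_URLS));
```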
