I think this should really be signed_out, with an underscore rather than a hyphen.

@kenjenkins were you able to confirm that signed_out is correct?

It's signed_out in the handler endpoint code here: https://github.com/pomerium/pomerium/blob/c84a251c933dd674211d0a96605e56abcb63fde1/authenticate/handlers.go#L91.

Denis has updated it in in his pending changelog PR as well: pomerium/pomerium@4dd8859.

Sorry, one other question: would it make more sense for this to be included in the table with the other client settings (in step 3)? It seems similar to the "Callback URL(s)" setting. (Note: I haven't actually seen the Cognito settings page, so I don't actually know what order these settings appear in there.)

@kenjenkins I thought that would've been a good place for the URL as well, but like you I haven't been able to see the settings page. I referenced @wasaga 's screenshot in https://github.com/pomerium/pomerium-zero/issues/1385. I think this would be the cleaner option, though.

I created my own AWS account and tried to go through the process of setting up a user pool in Cognito. Here's a screenshot from what I think is the relevant settings page:

Based on that screenshot, I think it would make sense to put 'Allowed sign-out URLs' right after the 'Allowed callback URLs' row (line 78 above).

It looks like some of the other settings have been renamed ('OAuth 2.0 grant types' instead of 'Allowed OAuth Flows' and 'OpenID Connect scopes' instead of 'Allowed OAuth Scopes'). I'll file a separate issue for that.