Docs: adds allow sign-out URL step to Cognito #1138
Add the special Pomerium sign-out URL to Cognito's **Allowed sign-out URLs** list:

`https://{AUTHENTICATE_DOMAIN}/.pomerium/signed-out`
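Review bot: the sign-out path on this line uses a hyphen (`/.pomerium/signed-out`), while the authenticate service registers the handler as `/.pomerium/signed_out` (authenticate/handlers.go in pomerium/pomerium, linked in the review discussion), so an allow-list entry copied from this line would not match the URL Pomerium actually redirects to after sign-out; change the line to `https://{AUTHENTICATE_DOMAIN}/.pomerium/signed_out`.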
I think this should really be `signed_out`, with an underscore rather than a hyphen.
@kenjenkins were you able to confirm that `signed_out` is correct?
It's `signed_out` in the handler endpoint code here: https://github.com/pomerium/pomerium/blob/c84a251c933dd674211d0a96605e56abcb63fde1/authenticate/handlers.go#L91.
Denis has updated it in his pending changelog PR as well: pomerium/pomerium@4dd8859.
@@ -85,6 +85,14 @@ If you need to make changes after creating your pool, be aware that some setting

You can choose whether to use your own **Domain Name**, or use an AWS-provided one. The AWS-provided domain names are in the format `https://${DOMAIN-PREFIX}.auth.${AWS-REGION}.amazoncognito.com`

### Configure allowed sign-out URLs
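Review bot: the new `### Configure allowed sign-out URLs` section would be easier to find as a row in the step-3 client-settings table, directly after the "Allowed callback URLs" row, since that is where Cognito's app client settings page shows "Allowed sign-out URLs" next to the callback URLs, rather than as a separate section after the domain-name paragraph. While touching this area, the placeholder style also differs between hunks (`${DOMAIN-PREFIX}` and `${AWS-REGION}` in the context line here versus `{AUTHENTICATE_DOMAIN}` in the sign-out URL), which is worth aligning so readers know which tokens to substitute.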
Sorry, one other question: would it make more sense for this to be included in the table with the other client settings (in step 3)? It seems similar to the "Callback URL(s)" setting. (Note: I haven't actually seen the Cognito settings page, so I don't actually know what order these settings appear in there.)
@kenjenkins I thought that would've been a good place for the URL as well, but like you I haven't been able to see the settings page. I referenced @wasaga's screenshot in https://github.com/pomerium/pomerium-zero/issues/1385. I think this would be the cleaner option, though.
I created my own AWS account and tried to go through the process of setting up a user pool in Cognito. Here's a screenshot from what I think is the relevant settings page:
[Screenshot: Cognito app client settings page, taken 2024-01-08]
Based on that screenshot, I think it would make sense to put 'Allowed sign-out URLs' right after the 'Allowed callback URLs' row (line 78 above).
It looks like some of the other settings have been renamed ('OAuth 2.0 grant types' instead of 'Allowed OAuth Flows' and 'OpenID Connect scopes' instead of 'Allowed OAuth Scopes'). I'll file a separate issue for that.
@kenjenkins I'm aware there is some inconsistency with our example URLs in this guide. We can address that in the Cognito refresh ticket. For now, I just want to add this documentation for v0.25.
Co-authored-by: Kenneth Jenkins <[email protected]>
Fixes #1134