Currently, I have an app set up with Google login in conjunction with Cognito User Pools, bypassing the Cognito Hosted UI via Auth.federatedSignIn({ provider: 'Google' }) attached to an onClick event on a button.
The sign out functionality simply calls Auth.signOut(), which successfully clears localStorage:

The issue I'm finding is that if a user signs out of their Google account, such as by navigating to https://myaccount.google.com/ and signing out manually, they are still able to log back into my Amplify app automatically (i.e., without signing in with their email and password).
Clearing cookies doesn't appear to do the trick either, and neither does closing the browser. This is likely not an Amplify issue, to be frank, but any ideas on where I might start debugging this is immensely appreciated.
"@aws-amplify/api": "^1.2.2",
"@aws-amplify/auth": "^1.4.2",
"@aws-amplify/core": "^1.2.2",
"aws-amplify": "^1.2.2",
"aws-amplify-react": "2.3.10",
Hi @leosoaivan
This is expected behavior of a federated sign in.
This SO answer might be useful to understand the details:
https://stackoverflow.com/a/12909563/194974
(Especially the "When you logout of your app, you're logging out of your app" part)
Edit:
In your case, logging out from Google is not logging you out from Cognito, so the tokens present in your app might still be valid with Cognito
@manueliglesias Thanks for the quick reply.
I did come across that SO post after making the issue, so I figured there wouldn't be any user-friendly solution.
My main concern is with security, especially if a user were to access my app on a public computer or walk away. Would revoking all tokens via Auth.signOut({ global: true }) help with this?
@manueliglesias I gave more thought to the issue to better explain what I'm seeing.
Indeed, logging out of Google will not log me out of Cognito. However, after logging out of Google and my app, I expect that a federated sign-in process on my app would ask me to re-authenticate against Google's authentication servers, thereby forcing me to manually sign in again. In fact, this is the behavior I'm seeing when using the hosted UI.
Bypassing the hosted UI doesn't do this, and it seems like a bug. I am still able to log back into my app by bypassing the hosted UI, even after signing out everywhere, clearing data/local storage, and closing the browser.
Apparently fixed by upgrading aws-amplify-react to 3.1.5.
Logging out of Google accounts now leads to a re-authentication request with Google's servers when attempting to sign in with a Google account from my app.
Re-opening, because I'm still seeing the issue described in my 1/22/2020 comment https://github.com/aws-amplify/amplify-js/issues/4720#issuecomment-577464777.
@leosoaivan check out my comment here please.
@xai1983kbu I've figured out my particular issue, at last. In my case, we were not properly handling the promise returned by Auth.signOut().
Again, this was causing an issue where even if a user signed out of their Google account, they would be able to sign in automatically into our Amplify app after signing out. By properly handling the promise, users signed out of their Google accounts AND our app are now asked to re-authenticate against Google's servers.
@leosoaivan sorry, misunderstood your needs.
@leosoaivan
what did you do to properly handle the promise returned by Auth.signOut()? Could you provide more information? Thanks
I updated Amplify to 3.0.17 but Auth.signOut doesn't seem to return anything. However, Auth.signIn(email, pw) does return a cognitoUser.
I used Hub.listen and in both signIn and signOut, the hub receives a CognitoUser as data.
@manueliglesias
User can sign in automatically even after signing out from the app and social IdP layer
Do you know how I can resolve this issue?
Note that the question is NOT about whether signing out from the app should sign out from a social IdP such as Google.
The situation is the user signing out from the social IdP AND also from the app. After that, the user can log in automatically by using federatedSignIn via Amplify without requiring social IdP login again.
@leosoaivan
It seems that Cognito hosted UI behaves the same. Instead of showing signIn UI, hosted UI only shows Continue with Google and Sign in as a different user. If I click Continue with Google, it wouldn't prompt me to login via social IdP again even though I am not logged in with social IdP at that moment. It would just redirect to my landing page directly.
@Jun711 As I mentioned above, Auth.signOut() returns a promise that needs to be properly resolved, either with await or then/catch.
Our problem was we were doing a lot of logic on our logout, like so:
Auth.signOut(); // promise dropped; the code below runs before sign-out has finished
/** Other logic **/
We switched to the following, which somehow resolved our issue:
Auth.signOut()
  .then(() => {
    /** Other logic **/
  })
  .catch(() => {
    /** Catch logic **/
  })
Hope this helps.
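The following is an added example, not code from this thread or from the Amplify project. It is a constructed model of the parts involved in a federated sign-out, written to show two things raised above: why the promise returned by Auth.signOut() has to settle before the logout handler does anything else (the fix leosoaivan describes), and what Auth.signOut({ global: true }) does and does not buy (the earlier question about public computers). FakeBrowser, FakeAuth, LOGOUT_URL, the token keys and the scenario helpers are all invented for the demonstration; only the shape "signOut() returns a promise and does its work asynchronously" mirrors the real API. The model treats the app's own redirect as a full-page navigation that discards whatever the sign-out still had scheduled, which is one way the race in the "before" snippet plays out.

```javascript
// Added example (not from the thread or from Amplify): a constructed model of
// a federated sign-out, showing why Auth.signOut()'s promise must be awaited
// and what a global sign-out does. All names below are invented for the demo.

const LOGOUT_URL = "https://example.auth.us-east-1.amazoncognito.com/logout"; // assumed

class FakeBrowser {
  constructor() {
    this.location = "/app";
    this.generation = 0; // bumped on every full-page navigation
    // Cognito's own session cookie on the Cognito domain. It is what lets the
    // hosted UI offer "Continue with Google" without sending the user back to
    // Google, and signing out of Google does not touch it.
    this.cognitoSession = true;
    // The refresh token as Cognito sees it (revoked by a global sign-out).
    this.refreshTokenValidAtCognito = true;
    // Cached tokens, as Amplify keeps them in localStorage (constructed values).
    this.localStorage = new Map([
      ["idToken", "constructed-id-token"],
      ["accessToken", "constructed-access-token"],
      ["refreshToken", "constructed-refresh-token"],
    ]);
  }

  // Models window.location.assign(): the old document goes away, so callbacks
  // it scheduled never run. Reaching the logout endpoint ends the session.
  navigate(url) {
    this.location = url;
    this.generation += 1;
    if (url === LOGOUT_URL) this.cognitoSession = false;
  }
}

class FakeAuth {
  constructor(browser) {
    this.browser = browser;
  }

  // Models Auth.signOut(): clear the local cache, optionally revoke the refresh
  // token at Cognito, then redirect to the logout endpoint. Each step lands on
  // a later tick, which is the whole point of the example.
  signOut(opts = {}) {
    const b = this.browser;
    const gen = b.generation;
    return new Promise((resolve) => {
      setTimeout(() => {
        if (b.generation !== gen) return; // page already navigated away
        b.localStorage.clear();
        // Cognito's GlobalSignOut revokes refresh tokens only: already-issued
        // access/ID tokens stay valid until expiry and the hosted-UI session
        // is untouched, so on its own it does not force a Google prompt.
        if (opts.global) b.refreshTokenValidAtCognito = false;
        setTimeout(() => {
          if (b.generation !== gen) return;
          b.navigate(LOGOUT_URL);
          resolve();
        }, 0);
      }, 0);
    });
  }

  // Models Auth.federatedSignIn({ provider: 'Google' }) after the user has
  // signed out of Google: a live Cognito session means no Google prompt.
  federatedSignIn() {
    return { promptedGoogle: !this.browser.cognitoSession };
  }
}

// The pattern the thread identifies as the problem: signOut() is started, its
// promise is dropped, and the handler goes straight on to its own redirect.
function logoutWithoutWaiting(auth, browser) {
  auth.signOut();
  browser.navigate("/login");
}

// The fix: nothing else happens until signOut() has settled. A rejection
// propagates to the caller instead of being silently lost.
async function logoutAndWait(auth, browser, opts) {
  await auth.signOut(opts);
  browser.navigate("/login");
}

// Runs one logout flow, lets pending timers drain, then has the user press the
// Google button again and reports what a tester would observe.
async function runScenario(logoutFn, opts) {
  const browser = new FakeBrowser();
  const auth = new FakeAuth(browser);
  await logoutFn(auth, browser, opts);
  await new Promise((r) => setTimeout(r, 10));
  return {
    tokensLeftInStorage: browser.localStorage.size,
    cognitoSessionAlive: browser.cognitoSession,
    refreshTokenValidAtCognito: browser.refreshTokenValidAtCognito,
    promptedGoogle: auth.federatedSignIn().promptedGoogle,
  };
}

// Stand-alone demo: both outcomes side by side.
Promise.all([runScenario(logoutWithoutWaiting), runScenario(logoutAndWait)])
  .then(([dropped, awaited]) => console.log({ dropped, awaited }));
```

In the real app the equivalent of logoutAndWait is an async onClick handler that does `await Auth.signOut()` (or the then/catch form above) and only then navigates or clears app state. The refreshTokenValidAtCognito field is there to make the earlier question concrete: { global: true } is worth using on a shared machine because it revokes refresh tokens everywhere, but it is not a substitute for letting the logout redirect finish.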
@leosoaivan
I see. Thanks for the reply.
Mine is already with then/catch and I printed out the response from the promise and it was undefined.
Even though mine is already then/catch, the issue User can sign in automatically even after signing out from the app and social IdP layer (Google) still happens.
Same with the hosted UI; could you please double-check your hosted UI?
I am using "@aws-amplify/auth": "^3.2.13"
Auth.signOut()
  .then(res => {
    console.log('res ', res) // would be undefined
    /** Other logic **/
  })
  .catch(() => {
    /** Catch logic **/
  })
@manueliglesias Hi, this issue is still occurring for my React Native app.
I don't have any hosted UI; I am using the federated sign-in.
Here is my issue
Will appreciate if you can help with this issue.
@aibrahim3546 Did you find a solution yet?