
Comments (3)

rpattcorner avatar rpattcorner commented on July 19, 2024

Leaving this open in hopes of gathering some more general information on debugging the lambdas and the apparent absence of logs under some conditions. But may have found a specific resolution.

There seems to be some chance that unwanted cookie persistence is involved here -- and in a development and testing environment you get a lot of those. I've recently cleared the Cognito Identity id token, which resolves the problem in at least one case. Details in #95

from cloudfront-authorization-at-edge.

ottokruse avatar ottokruse commented on July 19, 2024

You captured the signout chain correctly. Allow me to add more detail to a few things:

  1. App or user hits the /signout URL
  2. Cloudfront intercepts and invokes the lambda@edge function configured for the /signout behaviour
  3. That lambda@edge function returns a response to the user's browser that (1) clears the cookies, nuking the auth tokens, (2) redirects to the Cognito sign-out URL, so the user is also signed out from Cognito (see below) and (3) includes in the URL query parameters a "logout_uri"
  4. Cognito signs the user out, validates that the "logout_uri" matches one of the configured ones for the App Client, and redirects to this logout_uri (which can be the root of the Auth@Edge app, which would trigger sign-in again)

About signing out from Cognito

You need to do this for 2 reasons:

  • You need to void the refresh token at Cognito so it can no longer be used to acquire new ID and Access tokens
  • If you sign in successfully through the Cognito hosted UI, it remembers you signed in there for a while (1 hour from the top of my head) and will sign you in again without asking for credentials in that hour. So if you want to sign out you should tell Cognito to sign you out (so that Cognito will ask your credentials again next time)

About accessing Lambda@Edge logs

This is different from "normal" Lambda. Assuming a lambda with the name "abc", it would normally write to log group "/aws/lambda/abc" in the same region as the Lambda -- but this is not so for Lambda@Edge. So for Lambda@Edge, the link in the Lambda UI that takes you to the log group would actually always show you "The specified log group does not exist" -- as you've found.

For Lambda@Edge the log group will be in the region where the Lambda@Edge function was executed (which can be any region on the globe), and will have a name like so: /aws/lambda/us-east-1.abc

The easiest way to locate the right log group and the right region is to use the CloudFront monitoring dashboard (https://console.aws.amazon.com/cloudfront/v2/home#/monitoring) and navigate from there to the lambda function logs in the right region.

Hope that helps.

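The signout response described in steps 1 to 3 above, as an added example that is not the project's own code: a minimal Lambda@Edge handler for the /signout behaviour that expires the token cookies and redirects to the Cognito hosted-UI sign-out URL carrying a logout_uri. The Cognito domain, App Client id, cookie names and logout_uri are assumed placeholders.

```javascript
// Added example, not code from cloudfront-authorization-at-edge.
// All values below are assumed placeholders for illustration.
const CONFIG = {
  cognitoAuthDomain: "auth.example.auth.us-east-1.amazoncognito.com", // assumed hosted-UI domain
  clientId: "EXAMPLE_CLIENT_ID",                                      // assumed App Client id
  logoutUri: "https://app.example.com/",                              // assumed; must be registered on the App Client
  cookieNames: ["idToken", "accessToken", "refreshToken"],            // assumed cookie names
  cookiePath: "/",
};

// Step (1): one Set-Cookie header per token cookie with an expiry in the past,
// so the browser discards it. Path (and Domain, if set) must match the original cookie.
function expiredCookieHeaders(cfg) {
  return cfg.cookieNames.map((name) => ({
    key: "Set-Cookie",
    value: `${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=${cfg.cookiePath}; Secure; HttpOnly; SameSite=Lax`,
  }));
}

// Steps (2) and (3): the Cognito sign-out URL. Cognito validates logout_uri against
// the sign-out URLs configured on the App Client before redirecting to it.
function cognitoLogoutUrl(cfg) {
  const q = new URLSearchParams({ client_id: cfg.clientId, logout_uri: cfg.logoutUri });
  return `https://${cfg.cognitoAuthDomain}/logout?${q.toString()}`;
}

// The CloudFront response object the Lambda@Edge function returns to the browser.
function signoutResponse(cfg = CONFIG) {
  return {
    status: "307",
    statusDescription: "Temporary Redirect",
    headers: {
      location: [{ key: "Location", value: cognitoLogoutUrl(cfg) }],
      "set-cookie": expiredCookieHeaders(cfg),
      "cache-control": [{ key: "Cache-Control", value: "no-cache, no-store, must-revalidate" }],
    },
  };
}

// Lambda@Edge entry point for the viewer-request event of the /signout behaviour.
async function handler() {
  return signoutResponse();
}

if (typeof module !== "undefined") {
  module.exports = { CONFIG, handler, signoutResponse, cognitoLogoutUrl, expiredCookieHeaders };
}
```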

rpattcorner avatar rpattcorner commented on July 19, 2024

@ottokruse Many thanks for this! Great to get some clarity on the logs and the signout chain

