globalSignOut (with accessToken) in CognitoIdentityProviderClient is looking for IAM auth data

[nilyin]

Describe the bug

Hi, I am trying to make graceful logout for Cognito userPool user with existing auth session using the code below:

CognitoIdentityProviderClient cognitoClient = CognitoIdentityProviderClient.builder()
                .region(Region.of( "eu-central-1"))
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build();

        try {
            GlobalSignOutRequest logoutRequest = GlobalSignOutRequest.builder()
                    .accessToken(sessionManager.getProperty("accessToken"))     // set existing auth token
                    .build();

           // calling the globalSignOut method on the client to log out the user
            GlobalSignOutResponse logoutResponse = cognitoClient.globalSignOut(logoutRequest);
            return 0;
        } catch (NotAuthorizedException e) {
            return output.handleCommandException(e, "Unable to logout because your session is not valid: " + e.getMessage());
        } catch (Exception e) {
            return output.handleCommandException(e, "Unable to logout gracefully due to some error: " + e.getMessage());
        }

Expected Behavior

I am expecting to catch the case when an accessToken has already expired to notify a user
I expect that the provided accessToken is used and only that, without trying to find other credentials in the system

Current Behavior

I currently receive multiple error messages:

2023-06-07 23:07:53,310 DEBUG [sof.ama.aws.cor.int.ExecutionInterceptorChain] (Quarkus Main Thread) Interceptor 'software.amazon.awssdk.services.cognitoidentityprovider.endpoints.internal.CognitoIdentityProviderEndpointAuthSchemeInterceptor@7721a9ae' modified the message with its modifyRequest method.
2023-06-07 23:07:53,319 DEBUG [sof.ama.aws.aut.cre.AwsCredentialsProviderChain] (Quarkus Main Thread) Unable to load credentials from SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).: software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).
        at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111)
        at software.amazon.awssdk.auth.credentials.internal.SystemSettingsCredentialsProvider.resolveCredentials(SystemSettingsCredentialsProvider.java:58)
        at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:96)
        at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45)
        at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:128)
        at software.amazon.awssdk.core.internal.util.MetricUtils.measureDuration(MetricUtils.java:50)
        at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.resolveCredentials(AwsCredentialsAuthorizationStrategy.java:100)
        at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.addCredentialsToExecutionAttributes(AwsCredentialsAuthorizationStrategy.java:77)
        at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:123)
        at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:69)
        at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:78)
        at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:179)
        at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:76)
        at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
        at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:56)
        at software.amazon.awssdk.services.cognitoidentityprovider.DefaultCognitoIdentityProviderClient.globalSignOut(DefaultCognitoIdentityProviderClient.java:5399)
        at me.peerf.LogoutCommand.call(LogoutCommand.java:106)

which is followed by:

2023-06-07 23:07:53,347 DEBUG [sof.ama.aws.aut.cre.AwsCredentialsProviderChain] (Quarkus Main Thread) Unable to load credentials from ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(profilesAndSectionsMap=[])): Profile file contained no credentials for profile 'default': ProfileFile(profilesAndSectionsMap=[]): software.amazon.awssdk.core.exception.SdkClientException: Profile file contained no credentials for profile 'default': ProfileFile(profilesAndSectionsMap=[])
        at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111)
        at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.lambda$createCredentialsProvider$2(ProfileCredentialsProvider.java:173)
        at java.base/java.util.Optional.orElseThrow(Optional.java:408)
        at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.createCredentialsProvider(ProfileCredentialsProvider.java:170)
        at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.handleProfileFileReload(ProfileCredentialsProvider.java:135)
        at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.resolveCredentials(ProfileCredentialsProvider.java:126)
        at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:96)
        at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45)
        at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:128)
        at software.amazon.awssdk.core.internal.util.MetricUtils.measureDuration(MetricUtils.java:50)
        at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.resolveCredentials(AwsCredentialsAuthorizationStrategy.java:100)
        at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.addCredentialsToExecutionAttributes(AwsCredentialsAuthorizationStrategy.java:77)
        at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:123)
        at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:69)
        at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:78)
        at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:179)
        at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:76)
        at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
        at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:56)
        at software.amazon.awssdk.services.cognitoidentityprovider.DefaultCognitoIdentityProviderClient.globalSignOut(DefaultCognitoIdentityProviderClient.java:5399)
        at me.peerf.LogoutCommand.call(LogoutCommand.java:106)

it looks like the SDK client is trying to load IAM credentials instead of userPool' ones..

Reproduction Steps

just repeat the given piece of code

Possible Solution

not found

Additional Information/Context

I am using quarkus 2.16.6.Final

AWS Java SDK version used

2.20.74

JDK version used

11.0.2 2019-01-15 LTS

Operating System and version

MACOS 13.4 (22F66)

[martinKindall]

I think the SDK client must load IAM credentials with at least the permission to be able to do the GlobalSignOut on users.
This is a policy example, maybe other permissions are also necessary but this could be a starting point

 {
      "Version": "2012-10-17",
      "Statement": [
	      {
		      "Sid": "VisualEditor0",
		      "Effect": "Allow",
		      "Action": "cognito-idp:GlobalSignOut",
		      "Resource": "*"
	      }
      ]
  }

[nilyin]

Hi, Cognito UserPool users are able to self-register (sign-up) and then login (password) when needed (with initiateAuth through cognitoClient). These users, IMHO, have no IAM access credentials. But it is obvious that they should have possibility to force logout their auth session at anytime (Amplify JS SDK has Sign-Out method for it). I thought that I should use GlobalSignOut method in AWS Java 2 SDK, but if it requires IAM credentials, it is not what I need.

Is there any other API method to implement UserPool users self-logout (sign-out) to kill current auth session (make its accessToken not valid anymore). At that. I expect this method to return error if the specified current session/accessToken has already expired to notify client app users.

[debora-ito]

@nilyin I don't think GlobalSignOut is what you're looking for either. Looking through the Cognito Dev Guide, I think you need to Add sign-out flow to the identity provider -
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html

Choose Add sign-out flow if you want Amazon Cognito to send signed sign-out requests to your provider when a user logs out. You must configure your SAML 2.0 IdP to send sign-out responses to the https://<your Amazon Cognito domain>/saml2/logout endpoint that is created when you configure the hosted UI. The saml2/logout endpoint uses POST binding.

but I'm not 100% sure, I'm not familiar with Cognito and this is mostly a service question...

If the sign-out flow is not what you need, let us know and I'll see if I can reach out to the Cognito team.

[debora-ito]

I'm also moving this to Github discussion, because it's not really a bug.

[nilyin]

@debora-ito hi, I don't think that SAML (3rd party auth IdP) is acceptable in my use case. My backend is fully based on Amplify (Cognito+AppSync), it means my users are Cognito UserPool users, fully managed by Cognito auth service without need of additional external SAML service. Amplify provides client SDK for web/js and mobile apps (Android/iOS) which has UserPool user self sign-up, sign-in and sign-out API. But for Java client application I have to use AWS Java 2 SDK for Cognito.

In my case the users are created in Amplify (actually in Cognito UserPool) through my web portal sign-up. I have successfully made existing user sign-in from my Java client app and received the accessToken for further AWS AppSync/S3 requests, but can't find API to sign-out the user and disable the previously received accessToken.

Could you please consult with Cognito team for advice (or sample code) on how can I accomplish UserPool' user self sign-off.

[nilyin]

Hi, after studying this documentation link below it looks like globalSignOut method should do exactly what I need:

https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/cognitoidentityprovider/CognitoIdentityProviderClient.html#globalSignOut(software.amazon.awssdk.services.cognitoidentityprovider.model.GlobalSignOutRequest)

but it doesn't. I'll try to debug it deeper.