Skip to content

feat(oauth): Support AWS Cognito OAuth2 provider #37607

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bircni merged 10 commits into from
May 16, 2026
+31 −1
Merged

feat(oauth): Support AWS Cognito OAuth2 provider #37607

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
b825d8f
Added support for AWS Cognito OAuth2 provider
May 8, 2026
ec87f2a
Merge branch 'main' into cognito-sso-support
thatguyfig May 8, 2026
94a0bc3
refactored to reduce duplication
May 8, 2026
b314fc9
use const
wxiaoguang May 10, 2026
8dc71e8
Moved cognito provider into custom providers
May 11, 2026
abc0201
Merge branch 'main' into cognito-sso-support
thatguyfig May 11, 2026
9df5db3
Merge branch 'main' into cognito-sso-support
wxiaoguang May 15, 2026
fbfc637
Merge branch 'main' into cognito-sso-support
bircni May 16, 2026
3c212c0
Merge branch 'main' into cognito-sso-support
GiteaBot May 16, 2026
2272006
Merge branch 'main' into cognito-sso-support
GiteaBot May 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion routers/web/auth/oauth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -561,7 +561,15 @@ func buildOIDCEndSessionURL(ctx *context.Context, doer *user_model.User) string
// https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
params := endSessionURL.Query()
params.Set("client_id", oauth2Cfg.ClientID)
params.Set("post_logout_redirect_uri", httplib.GuessCurrentAppURL(ctx))

// AWS Cognito uses "logout_uri" instead of the standard "post_logout_redirect_uri"
redirectURI := httplib.GuessCurrentAppURL(ctx)
if oauth2Cfg.Provider == oauth2.ProviderNameAwsCognito {
params.Set("logout_uri", redirectURI)
} else {
params.Set("post_logout_redirect_uri", redirectURI)
}

endSessionURL.RawQuery = params.Encode()
return endSessionURL.String()
}
21 changes: 21 additions & 0 deletions services/auth/source/oauth2/providers_custom.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,4 +120,25 @@ func init() {
}), nil
},
))

RegisterGothProvider(&AwsCognitoProvider{})
}

const ProviderNameAwsCognito = "aws-cognito"

// AwsCognitoProvider is a GothProvider for AWS Cognito (based on OpenID Connect)
type AwsCognitoProvider struct {
OpenIDProvider
}

// Name provides the technical name for this provider
func (c *AwsCognitoProvider) Name() string {
return ProviderNameAwsCognito
}

// DisplayName returns the friendly name for this provider
func (c *AwsCognitoProvider) DisplayName() string {
return "AWS Cognito"
}

var _ GothProvider = &AwsCognitoProvider{}
1 change: 1 addition & 0 deletions web_src/js/features/admin/common.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,7 @@ function initAdminAuthentication() {
const provider = document.querySelector<HTMLInputElement>('#oauth2_provider')!.value;
switch (provider) {
case 'openidConnect':
case 'aws-cognito':
document.querySelector<HTMLInputElement>('.open_id_connect_auto_discovery_url input')!.setAttribute('required', 'required');
showElem('.open_id_connect_auto_discovery_url');
showElem('.open_id_connect_external_id_claim');
Expand Down