Enable sign-out
Invoke the signOut
api to sign out a user from the Auth category. You can only have one user signed in at a given time. Calling signOut without any options will delete the local cache and keychain of the user and revoke the token if enabled on Amazon Cognito User Pools. If you would like to sign out of all devices, invoke the signOut api with advanced options.
Amplify.Auth.signOut( signOutResult -> { if (signOutResult instanceof AWSCognitoAuthSignOutResult.CompleteSignOut) { // Sign Out completed fully and without errors. Log.i("AuthQuickStart", "Signed out successfully"); } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.PartialSignOut) { // Sign Out completed with some errors. User is signed out of the device. AWSCognitoAuthSignOutResult.PartialSignOut partialSignOutResult = (AWSCognitoAuthSignOutResult.PartialSignOut) signOutResult;
HostedUIError hostedUIError = partialSignOutResult.getHostedUIError(); if (hostedUIError != null) { Log.e("AuthQuickStart", "HostedUI Error", hostedUIError.getException()); // Optional: Re-launch hostedUIError.getUrl() in a Custom tab to clear Cognito web session. }
GlobalSignOutError globalSignOutError = partialSignOutResult.getGlobalSignOutError(); if (globalSignOutError != null) { Log.e("AuthQuickStart", "GlobalSignOut Error", globalSignOutError.getException()); // Optional: Use escape hatch to retry revocation of globalSignOutError.getAccessToken(). }
RevokeTokenError revokeTokenError = partialSignOutResult.getRevokeTokenError(); if (revokeTokenError != null) { Log.e("AuthQuickStart", "RevokeToken Error", revokeTokenError.getException()); // Optional: Use escape hatch to retry revocation of revokeTokenError.getRefreshToken(). } } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.FailedSignOut) { AWSCognitoAuthSignOutResult.FailedSignOut failedSignOutResult = (AWSCognitoAuthSignOutResult.FailedSignOut) signOutResult; // Sign Out failed with an exception, leaving the user signed in. Log.e("AuthQuickStart", "Sign out Failed", failedSignOutResult.getException()); }});
Amplify.Auth.signOut { signOutResult -> when(signOutResult) { is AWSCognitoAuthSignOutResult.CompleteSignOut -> { // Sign Out completed fully and without errors. Log.i("AuthQuickStart", "Signed out successfully") } is AWSCognitoAuthSignOutResult.PartialSignOut -> { // Sign Out completed with some errors. User is signed out of the device. signOutResult.hostedUIError?.let { Log.e("AuthQuickStart", "HostedUI Error", it.exception) // Optional: Re-launch it.url in a Custom tab to clear Cognito web session.
} signOutResult.globalSignOutError?.let { Log.e("AuthQuickStart", "GlobalSignOut Error", it.exception) // Optional: Use escape hatch to retry revocation of it.accessToken. } signOutResult.revokeTokenError?.let { Log.e("AuthQuickStart", "RevokeToken Error", it.exception) // Optional: Use escape hatch to retry revocation of it.refreshToken. } } is AWSCognitoAuthSignOutResult.FailedSignOut -> { // Sign Out failed with an exception, leaving the user signed in. Log.e("AuthQuickStart", "Sign out Failed", signOutResult.exception) } }}
val signOutResult = Amplify.Auth.signOut()when(signOutResult) { is AWSCognitoAuthSignOutResult.CompleteSignOut -> { // Sign Out completed fully and without errors. Log.i("AuthQuickStart", "Signed out successfully") } is AWSCognitoAuthSignOutResult.PartialSignOut -> { // Sign Out completed with some errors. User is signed out of the device. signOutResult.hostedUIError?.let { Log.e("AuthQuickStart", "HostedUI Error", it.exception) // Optional: Re-launch it.url in a Custom tab to clear Cognito web session.
} signOutResult.globalSignOutError?.let { Log.e("AuthQuickStart", "GlobalSignOut Error", it.exception) // Optional: Use escape hatch to retry revocation of it.accessToken. } signOutResult.revokeTokenError?.let { Log.e("AuthQuickStart", "RevokeToken Error", it.exception) // Optional: Use escape hatch to retry revocation of it.refreshToken. } } is AWSCognitoAuthSignOutResult.FailedSignOut -> { // Sign Out failed with an exception, leaving the user signed in. Log.e("AuthQuickStart", "Sign out Failed", signOutResult.exception) }}
RxAmplify.Auth.signOut() .subscribe(signOutResult -> { if (signOutResult instanceof AWSCognitoAuthSignOutResult.CompleteSignOut) { // Sign Out completed fully and without errors. Log.i("AuthQuickStart", "Signed out successfully"); } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.PartialSignOut) { // Sign Out completed with some errors. User is signed out of the device. AWSCognitoAuthSignOutResult.PartialSignOut partialSignOutResult = (AWSCognitoAuthSignOutResult.PartialSignOut) signOutResult;
HostedUIError hostedUIError = partialSignOutResult.getHostedUIError(); if (hostedUIError != null) { Log.e("AuthQuickStart", "HostedUI Error", hostedUIError.getException()); // Optional: Re-launch hostedUIError.getUrl() in a Custom tab to clear Cognito web session. }
GlobalSignOutError globalSignOutError = partialSignOutResult.getGlobalSignOutError(); if (globalSignOutError != null) { Log.e("AuthQuickStart", "GlobalSignOut Error", globalSignOutError.getException()); // Optional: Use escape hatch to retry revocation of globalSignOutError.getAccessToken(). }
RevokeTokenError revokeTokenError = partialSignOutResult.getRevokeTokenError(); if (revokeTokenError != null) { Log.e("AuthQuickStart", "RevokeToken Error", revokeTokenError.getException()); // Optional: Use escape hatch to retry revocation of revokeTokenError.getRefreshToken(). } } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.FailedSignOut) { AWSCognitoAuthSignOutResult.FailedSignOut failedSignOutResult = (AWSCognitoAuthSignOutResult.FailedSignOut) signOutResult; // Sign Out failed with an exception, leaving the user signed in. Log.e("AuthQuickStart", "Sign out Failed", failedSignOutResult.getException()); } });
Sign Out Result Types
CompleteSignOut
Indicates a successful sign out with no errors.
PartialSignOut
Indicates that sign out was completed, but with errors.
The device credentials have been cleared and the user is locally signed out of the device.
The PartialSignOut
class will return 1 or more errors where sign out actions can be retried manually.
GlobalSignOutError
- The GlobalSignOut action failed.error
: AGlobalSignOutException
that provides a message and recovery suggestion for the failure.accessToken
: The access token that was unable to be revoked. The Escape Hatch can be used to manually retry the global sign out.
RevokeTokenError
- The RevokeToken action failed.error
: ARevokeTokenException
that provides a message and recovery suggestion for the failure.refreshToken
: The refresh token that was unable to be revoked. The Escape Hatch can be used to manually retry revoking the token.
HostedUIError
- The HostedUI sign out action failed.error
: AHostedUISignOutException
that provides a message and recovery suggestion for the failure.url
: The url that was used to attempt the Cognito web session sign out in the CustomTab.
FailedSignOut
Indicates a failed sign out where user credentials remain on the device.
See the attached AuthException to determine the cause.
The most likely exception is a UserCancelledException
where the user cancelled a HostedUI Sign Out before the redirect was received.
Token Revocation
Amazon Cognito now supports token revocation. This means that the Cognito refresh token cannot be used anymore to generate new Access and Id Tokens.
Access and Id Tokens are short-lived (60 minutes by default but can be set from 5 minutes to 1 day). After revocation, these tokens cannot be used with Cognito User Pools anymore. However, they are still valid when used with other services like AppSync or API Gateway.
For limiting subsequent calls to these other services after invalidating tokens, we recommend lowering token expiration time for your app client in the Cognito User Pools console. If you are using the Amplify CLI this can be accessed by running amplify console auth
.
Token revocation is enabled automatically on new Amazon Cognito User Pools, however existing User Pools must enable this feature, using the Cognito Console or AWS CLI.
Global Sign Out
Calling signout with globalSignOut = true
will invalidate all the Cognito User Pool tokens of the signed in user. If the user is signed into a device, they won't be authorized to perform a task that requires a valid token when a global signout is called from some other device. They need to sign in again to get valid tokens.
AuthSignOutOptions options = AuthSignOutOptions.builder() .globalSignOut(true) .build();
Amplify.Auth.signOut(options, signOutResult -> { if (signOutResult instanceof AWSCognitoAuthSignOutResult.CompleteSignOut) { // handle successful sign out } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.PartialSignOut) { // handle partial sign out } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.FailedSignOut) { // handle failed sign out }});
val options = AuthSignOutOptions.builder() .globalSignOut(true) .build()
Amplify.Auth.signOut(options) { signOutResult -> when(signOutResult) { is AWSCognitoAuthSignOutResult.CompleteSignOut -> { // handle successful sign out } is AWSCognitoAuthSignOutResult.PartialSignOut -> { // handle partial sign out } is AWSCognitoAuthSignOutResult.FailedSignOut -> { // handle failed sign out } }}
val options = AuthSignOutOptions.builder() .globalSignOut(true) .build()
val signOutResult = Amplify.Auth.signOut(options)
when(signOutResult) { is AWSCognitoAuthSignOutResult.CompleteSignOut -> { // handle successful sign out } is AWSCognitoAuthSignOutResult.PartialSignOut -> { // handle partial sign out } is AWSCognitoAuthSignOutResult.FailedSignOut -> { // handle failed sign out }}
AuthSignOutOptions options = AuthSignOutOptions.builder() .globalSignOut(true) .build(); RxAmplify.Auth.signOut(options) .subscribe(signOutResult -> { if (signOutResult instanceof AWSCognitoAuthSignOutResult.CompleteSignOut) { // handle successful sign out } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.PartialSignOut) { // handle partial sign out } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.FailedSignOut) { // handle failed sign out } });