Tags: authentication, vuejs3, microservices, amazon-cognito, aws-amplify

How to sign a user out in a micro-service architecture when independent services handle "authentication" and "show user stuff"?


Update:

  1. I think I can solve this using the Cognito LOGOUT Endpoint. Still working through implementing this...
  2. Never mind, I cannot use the LOGOUT endpoint because I am not using the Hosted UI.

My project has one web app that handles authentication that we can call Auth Web App that will run on its own server in the domain login.example.com. This project will have a second web app that shows user data in User Web App and it will run on its own server in the domain app.example.com.

I can successfully authenticate a user in Auth Web App with AWS Amplify Cognito, persist the JWT Token in a cookie, and redirect the user to User Web App.

As my question states, I am trying to figure out how to sign a user out. I imagine the flow would be the following and I am stuck on step 3. I am stuck on this step because I'd imagine Auth Web App does not know who just got redirected to it.

  1. User is on User Web App and selects the Sign Out Button
  2. User is redirected to Auth Web App
  3. How does Amplify know who the user is in Auth Web App?
  4. Use this Amplify code to sign the user out: Auth.signOut()
  5. Clear the cookies

Any guidance would be greatly appreciated!


Solution

  • Usually the point with JWT in general is that your Authentication part generates a JWT with limited (usually 1 hour) validity and other applications just verify it without contacting the Authentication part.

    That implies the Authentication part is not present in any part of the logic besides logging in, therefore you cannot "sign out" there.

    Logging out is done by removing the tokens in the client application.

    If the app has any kind of Refresh Token, such a token can (and should) be removed from the Authentication part first, before removing it from the client app. The point is: if you are able to use a refresh token, you are able to authenticate (and authorize) yourself. In the same way you should authenticate yourself, just instead of generating a new JWT access token, the refresh token is deleted from the Authentication part.