Can't logout from Cognito

I’m running a JupyterHub using AWS Cognito for authentication. I set it up using a Helm chart as follows:

config:
  JupyterHub:
    authenticator_class: generic-oauth
  OAuthenticator:
    oauth_callback_url: https://<mydomain>/hub/oauth_callback
    client_id: <myappclientid>
    client_secret: <myappclientsecret>
    allow_all: True
  GenericOAuthenticator:
    admin_users:
      - admin_dev
    login_service: AWS Cognito
    username_claim: username
    authorize_url: https://<myappclient>.auth.us-east-2.amazoncognito.com/oauth2/authorize
    token_url: https://<myappclient>.auth.us-east-2.amazoncognito.com/oauth2/token
    userdata_url: https://<myappclient>.auth.us-east-2.amazoncognito.com/oauth2/userInfo

When I go to my domain, it presents a button “Sign in with AWS Cognito”. This redirects me to a form at https://<myappclient>.auth.us-east-2.amazoncognito.com/login to enter my Cognito username and password, and it returns to https://<mydomain>/user/<username> and I’m good to go. Great! I click log out, and it returns me to the JupyterHub landing page, showing the “Sign in with AWS Cognito” button. If I click that button, it takes me directly into https://<mydomain>/user/<username> using the previously used username; it doesn’t need me to authenticate again or give me the option to log in as a different user. I have to manually clear cookies in my browser before I can try again. I thought logging out should take care of this already. What am I missing, and how can I make this happen?

P.S. Accessing the JupyterHub in Edge and in Firefox, usually using a private window.

Logging out of an OAuth application and logging out of the OAuth provider are typically two separate actions (e.g. I wouldn’t expect logging out of HackMD to log me out of GitHub, and clicking ‘Sign in via GitHub’ on HackMD only goes through redirects on GitHub with no confirmation steps if I’ve authorized it previously, just like JupyterHub).

But if you’ve deployed an OAuth provider specifically for JupyterHub, then it makes sense to view the two things as linked and log out of them together.

You can set logout_redirect_url to redirect to another page after logging out of JupyterHub. I think the value for AWS Cognito would be:

GenericOAuthenticator:
  logout_redirect_url: "https://<myappclient>.auth.us-east-2.amazoncognito.com/logout?client_id=..."

Thank you, this is just what I needed!

A short note if anyone else encounters this: since Cognito reported that a redirect_uri was missing, I also needed to add &logout_uri=https://<mydomain>/ to the end of that line and as an “allowed sign-out URL” in the app client to please Cognito.

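Added example, not part of the thread above: a small Python helper that assembles the `logout_redirect_url` value from the two replies (Cognito `/logout` endpoint plus `client_id` and `logout_uri`), percent-encodes the parameters, and refuses a `logout_uri` that is not in the list of sign-out URLs registered on the app client. The function name, the domain, the client ID and the URLs are constructed placeholders; exact string matching against the registered list is an assumption made for this example.

```python
from urllib.parse import urlencode, urlsplit


def cognito_logout_url(hosted_ui_domain, client_id, logout_uri, allowed_signout_urls):
    """Return a value suitable for GenericOAuthenticator.logout_redirect_url.

    hosted_ui_domain     -- e.g. "<myappclient>.auth.us-east-2.amazoncognito.com"
    allowed_signout_urls -- the sign-out URLs registered on the app client
    """
    # Assumption: the provider compares logout_uri to the registered list as an
    # exact string, so "https://hub/" and "https://hub" are different URLs.
    if logout_uri not in allowed_signout_urls:
        raise ValueError(
            f"{logout_uri!r} is not registered as an allowed sign-out URL; "
            "the provider would reject the logout request"
        )

    # Policy chosen for this example: only send users back to the hub over TLS.
    if urlsplit(logout_uri).scheme != "https":
        raise ValueError("logout_uri must use https")

    # urlencode() percent-encodes ':' and '/' so the nested URL survives as a
    # single query parameter instead of being split or truncated.
    query = urlencode({"client_id": client_id, "logout_uri": logout_uri})
    return f"https://{hosted_ui_domain}/logout?{query}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    registered = ["https://hub.example.org/"]
    url = cognito_logout_url(
        "example-pool.auth.us-east-2.amazoncognito.com",
        "EXAMPLECLIENTID",
        "https://hub.example.org/",
        registered,
    )
    print("logout_redirect_url:", url)
```

With this URL configured, logging out of JupyterHub also ends the Cognito hosted-UI session, so the next sign-in asks for credentials again instead of silently reusing the previous user.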