
bug: Cognito OIDC config JSON is missing end_session_endpoint #12914

@mountmike

Description


Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The OIDC configuration JSON served on /.well-known/openid-configuration is missing the end_session_endpoint

The real AWS Cognito includes the end_session_endpoint.

Expected Behavior

When the OIDC config endpoint is served it should look like this (include the end_session_endpoint)

{
  "authorization_endpoint": "https://dev-ltfly.auth.ap-southeast-2.amazoncognito.com/oauth2/authorize",
  "end_session_endpoint": "https://dev-ltfly.auth.ap-southeast-2.amazoncognito.com/logout",
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "issuer": "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_dEIHPN1JG",
  "jwks_uri": "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_dEIHPN1JG/.well-known/jwks.json",
  "response_types_supported": [
    "code",
    "token"
  ],
  "revocation_endpoint": "https://dev-ltfly.auth.ap-southeast-2.amazoncognito.com/oauth2/revoke",
  "scopes_supported": [
    "openid",
    "email",
    "phone",
    "profile"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://dev-ltfly.auth.ap-southeast-2.amazoncognito.com/oauth2/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "userinfo_endpoint": "https://dev-ltfly.auth.ap-southeast-2.amazoncognito.com/oauth2/userInfo"
}

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

localstack start

Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

aws --region us-east-1 --endpoint-url http://localhost:4566 cognito-idp create-user-pool \
  --pool-name OidcLogoutEndpointReproPool
curl http://localhost:4566/{{user_pool_id_from_step_1}}/.well-known/openid-configuration

Response looks like this:

{
  "authorization_endpoint": "http://localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/authorize",
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "issuer": "http://localhost.localstack.cloud:4566/us-east-1_769d6b5de7f04cb994aa34d194d153e8",
  "jwks_uri": "http://localhost.localstack.cloud:4566/us-east-1_769d6b5de7f04cb994aa34d194d153e8/.well-known/jwks.json",
  "response_types_supported": [
    "code",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "phone",
    "profile"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "http://localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "userinfo_endpoint": "http://localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/userInfo"
}

Environment

- OS: OSX 15.5
- LocalStack:
  LocalStack version: 4.6.1.dev60
  LocalStack Docker image sha: sha256:47c7bc236fa439ed67f7430d70098d35e0f43200fae0d115883eb691a21155de
  LocalStack build date: 2025-07-25
  LocalStack build git hash: dccda1093

Anything else?

Perhaps this is expected behaviour? But I am reading in this thread that there should be a /logout endpoint, and I would expect this to be the end_session_endpoint?
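The practical consequence of the missing field is for relying parties: an OIDC client that discovers its endpoints from /.well-known/openid-configuration has no advertised logout endpoint when it runs against LocalStack, so a logout routine that simply reads end_session_endpoint gets None. The following Python script, added here as an illustration and not part of LocalStack or of the reporter's code, validates a discovery document for both login and logout use and builds the Cognito-style logout URL only when the provider actually advertises one. The two documents are constructed from the trimmed JSON in the issue; the client_id and logout_uri values are placeholders, and the host check is this example's own policy rather than anything the OIDC specification requires.

```python
"""Validate an OIDC discovery document and derive the RP-initiated logout URL.

Added example for this issue; not LocalStack's or Cognito's own code.
The two JSON documents below are constructed from the issue text (trimmed).
"""
import json
from urllib.parse import urlencode, urlsplit

# Metadata an RP that performs login *and* logout should insist on.
REQUIRED_FOR_LOGIN = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_FOR_LOGOUT = ("end_session_endpoint",)

# Constructed sample: shape of the real Cognito document from the issue.
COGNITO_DOC = json.loads("""{
  "authorization_endpoint": "https://dev-ltfly.auth.ap-southeast-2.amazoncognito.com/oauth2/authorize",
  "end_session_endpoint": "https://dev-ltfly.auth.ap-southeast-2.amazoncognito.com/logout",
  "issuer": "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_dEIHPN1JG",
  "jwks_uri": "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_dEIHPN1JG/.well-known/jwks.json",
  "token_endpoint": "https://dev-ltfly.auth.ap-southeast-2.amazoncognito.com/oauth2/token"
}""")

# Constructed sample: shape of the LocalStack document from the issue (no end_session_endpoint).
LOCALSTACK_DOC = json.loads("""{
  "authorization_endpoint": "http://localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/authorize",
  "issuer": "http://localhost.localstack.cloud:4566/us-east-1_769d6b5de7f04cb994aa34d194d153e8",
  "jwks_uri": "http://localhost.localstack.cloud:4566/us-east-1_769d6b5de7f04cb994aa34d194d153e8/.well-known/jwks.json",
  "token_endpoint": "http://localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token"
}""")


def missing_metadata(doc, need_logout=True):
    """Return the names of required fields that are absent or not strings."""
    wanted = REQUIRED_FOR_LOGIN + (REQUIRED_FOR_LOGOUT if need_logout else ())
    return [k for k in wanted if not isinstance(doc.get(k), str)]


def check_endpoint_hosts(doc, allow_http=False):
    """Return problems with the interactive endpoints: a non-https scheme, or a
    host that differs from the authorization_endpoint host. A logout endpoint
    pointing at some other host is a sign of a tampered or misconfigured
    document. jwks_uri is deliberately not compared: for Cognito it lives on
    the issuer host, not the hosted-UI host."""
    problems = []
    auth_host = urlsplit(doc.get("authorization_endpoint", "")).hostname
    for key in ("authorization_endpoint", "token_endpoint", "end_session_endpoint"):
        url = doc.get(key)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https" and not allow_http:
            problems.append(f"{key}: scheme {parts.scheme!r} is not https")
        if parts.hostname != auth_host:
            problems.append(f"{key}: host {parts.hostname!r} != {auth_host!r}")
    return problems


def build_logout_url(doc, client_id, logout_uri):
    """Build the Cognito-style logout URL (client_id + logout_uri query parameters).
    Fails closed: if the provider did not advertise end_session_endpoint, the RP
    must not guess one, because a session cleared only on the RP side stays
    valid at the IdP and the next login silently reuses it."""
    endpoint = doc.get("end_session_endpoint")
    if not isinstance(endpoint, str):
        raise ValueError("provider metadata has no end_session_endpoint; cannot log out at the IdP")
    return endpoint + "?" + urlencode({"client_id": client_id, "logout_uri": logout_uri})


if __name__ == "__main__":
    for name, doc in (("cognito", COGNITO_DOC), ("localstack", LOCALSTACK_DOC)):
        print(name, "missing:", missing_metadata(doc))
        print(name, "url problems:", check_endpoint_hosts(doc, allow_http=True))
```

Run as is, the script reports no missing fields for the Cognito-shaped document and `['end_session_endpoint']` for the LocalStack-shaped one. In a real client, pass `allow_http=True` only for a local emulator, and remember that Cognito accepts a `logout_uri` only if it is registered as an allowed sign-out URL on the app client.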
