Merge 94a0bc348525e9469404809344e40b9339b42413 into 0a3aaeafe7bef9d6935422f4b91c77c216c01b21

routers/web/auth/oauth.go

@@ -539,7 +539,15 @@ func buildOIDCEndSessionURL(ctx *context.Context, doer *user_model.User) string
 	// https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
 	params := endSessionURL.Query()
 	params.Set("client_id", oauth2Cfg.ClientID)
-	params.Set("post_logout_redirect_uri", httplib.GuessCurrentAppURL(ctx))
+
+	// AWS Cognito uses "logout_uri" instead of the standard "post_logout_redirect_uri"
+	redirectURI := httplib.GuessCurrentAppURL(ctx)
+	if oauth2Cfg.Provider == "cognito" {
+		params.Set("logout_uri", redirectURI)
+	} else {
+		params.Set("post_logout_redirect_uri", redirectURI)
+	}
+
 	endSessionURL.RawQuery = params.Encode()
 	return endSessionURL.String()
 }

services/auth/source/oauth2/providers_cognito.go

@@ -0,0 +1,25 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package oauth2
+
+// CognitoProvider is a GothProvider for AWS Cognito (based on OpenID Connect)
+type CognitoProvider struct {
+	OpenIDProvider
+}
+
+// Name provides the technical name for this provider
+func (c *CognitoProvider) Name() string {
+	return "cognito"
+}
+
+// DisplayName returns the friendly name for this provider
+func (c *CognitoProvider) DisplayName() string {
+	return "AWS Cognito"
+}
+
+var _ GothProvider = &CognitoProvider{}
+
+func init() {
+	RegisterGothProvider(&CognitoProvider{})
+}

web_src/js/features/admin/common.ts

@@ -86,6 +86,7 @@ function initAdminAuthentication() {
     const provider = document.querySelector<HTMLInputElement>('#oauth2_provider')!.value;
     switch (provider) {
       case 'openidConnect':
+      case 'cognito':
         document.querySelector<HTMLInputElement>('.open_id_connect_auto_discovery_url input')!.setAttribute('required', 'required');
         showElem('.open_id_connect_auto_discovery_url');
         showElem('.open_id_connect_external_id_claim');