From b825d8f9d0d37ee683b7cc097b3c0a4e0bfafcf8 Mon Sep 17 00:00:00 2001
From: Tom Thornton <tom.thornton@sony.com>
Date: Fri, 8 May 2026 17:22:49 +0100
Subject: [PATCH 1/2] Added support for AWS Cognito OAuth2 provider

---
 routers/web/auth/oauth.go                     | 10 ++-
 .../auth/source/oauth2/providers_cognito.go   | 68 +++++++++++++++++++
 web_src/js/features/admin/common.ts           |  1 +
 3 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 services/auth/source/oauth2/providers_cognito.go

diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index 8645aedbde..ef122629d9 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -539,7 +539,15 @@ func buildOIDCEndSessionURL(ctx *context.Context, doer *user_model.User) string
 	// https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
 	params := endSessionURL.Query()
 	params.Set("client_id", oauth2Cfg.ClientID)
-	params.Set("post_logout_redirect_uri", httplib.GuessCurrentAppURL(ctx))
+
+	// AWS Cognito uses "logout_uri" instead of the standard "post_logout_redirect_uri"
+	redirectURI := httplib.GuessCurrentAppURL(ctx)
+	if oauth2Cfg.Provider == "cognito" {
+		params.Set("logout_uri", redirectURI)
+	} else {
+		params.Set("post_logout_redirect_uri", redirectURI)
+	}
+
 	endSessionURL.RawQuery = params.Encode()
 	return endSessionURL.String()
 }
diff --git a/services/auth/source/oauth2/providers_cognito.go b/services/auth/source/oauth2/providers_cognito.go
new file mode 100644
index 0000000000..ed499e093f
--- /dev/null
+++ b/services/auth/source/oauth2/providers_cognito.go
@@ -0,0 +1,68 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package oauth2
+
+import (
+	"html/template"
+
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/svg"
+
+	"github.com/markbates/goth"
+	"github.com/markbates/goth/providers/openidConnect"
+)
+
+// CognitoProvider is a GothProvider for AWS Cognito
+type CognitoProvider struct{}
+
+func (c *CognitoProvider) SupportSSHPublicKey() bool {
+	return true
+}
+
+// Name provides the technical name for this provider
+func (c *CognitoProvider) Name() string {
+	return "cognito"
+}
+
+// DisplayName returns the friendly name for this provider
+func (c *CognitoProvider) DisplayName() string {
+	return "AWS Cognito"
+}
+
+// IconHTML returns icon HTML for this provider
+func (c *CognitoProvider) IconHTML(size int) template.HTML {
+	return svg.RenderHTML("gitea-openid", size)
+}
+
+// CreateGothProvider creates a GothProvider from this Provider
+func (c *CognitoProvider) CreateGothProvider(providerName, callbackURL string, source *Source) (goth.Provider, error) {
+	scopes := setting.OAuth2Client.OpenIDConnectScopes
+	if len(scopes) == 0 {
+		scopes = append(scopes, source.Scopes...)
+	}
+
+	provider, err := openidConnect.New(source.ClientID, source.ClientSecret, callbackURL, source.OpenIDConnectAutoDiscoveryURL, scopes...)
+	if err != nil {
+		log.Warn("Failed to create AWS Cognito Provider with name '%s' with url '%s': %v", providerName, source.OpenIDConnectAutoDiscoveryURL, err)
+		return nil, err
+	}
+	if source.ExternalIDClaim != "" {
+		// UserIdClaims is a fallback list; goth returns the first non-empty matching claim.
+		// A single entry is sufficient because the admin explicitly chooses one claim (e.g. "sub" for Cognito).
+		provider.UserIdClaims = []string{source.ExternalIDClaim}
+	}
+	return provider, nil
+}
+
+// CustomURLSettings returns the custom url settings for this provider
+func (c *CognitoProvider) CustomURLSettings() *CustomURLSettings {
+	return nil
+}
+
+var _ GothProvider = &CognitoProvider{}
+
+func init() {
+	RegisterGothProvider(&CognitoProvider{})
+}
diff --git a/web_src/js/features/admin/common.ts b/web_src/js/features/admin/common.ts
index f0c0f5bee6..734c7915e0 100644
--- a/web_src/js/features/admin/common.ts
+++ b/web_src/js/features/admin/common.ts
@@ -86,6 +86,7 @@ function initAdminAuthentication() {
     const provider = document.querySelector<HTMLInputElement>('#oauth2_provider')!.value;
     switch (provider) {
       case 'openidConnect':
+      case 'cognito':
         document.querySelector<HTMLInputElement>('.open_id_connect_auto_discovery_url input')!.setAttribute('required', 'required');
         showElem('.open_id_connect_auto_discovery_url');
         showElem('.open_id_connect_external_id_claim');

From 94a0bc348525e9469404809344e40b9339b42413 Mon Sep 17 00:00:00 2001
From: Tom Thornton <tom.thornton@sony.com>
Date: Fri, 8 May 2026 17:46:37 +0100
Subject: [PATCH 2/2] refactored to reduce duplication

---
 .../auth/source/oauth2/providers_cognito.go   | 49 ++-----------------
 1 file changed, 3 insertions(+), 46 deletions(-)

diff --git a/services/auth/source/oauth2/providers_cognito.go b/services/auth/source/oauth2/providers_cognito.go
index ed499e093f..5b064ce979 100644
--- a/services/auth/source/oauth2/providers_cognito.go
+++ b/services/auth/source/oauth2/providers_cognito.go
@@ -3,22 +3,9 @@
 
 package oauth2
 
-import (
-	"html/template"
-
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/svg"
-
-	"github.com/markbates/goth"
-	"github.com/markbates/goth/providers/openidConnect"
-)
-
-// CognitoProvider is a GothProvider for AWS Cognito
-type CognitoProvider struct{}
-
-func (c *CognitoProvider) SupportSSHPublicKey() bool {
-	return true
+// CognitoProvider is a GothProvider for AWS Cognito (based on OpenID Connect)
+type CognitoProvider struct {
+	OpenIDProvider
 }
 
 // Name provides the technical name for this provider
@@ -31,36 +18,6 @@ func (c *CognitoProvider) DisplayName() string {
 	return "AWS Cognito"
 }
 
-// IconHTML returns icon HTML for this provider
-func (c *CognitoProvider) IconHTML(size int) template.HTML {
-	return svg.RenderHTML("gitea-openid", size)
-}
-
-// CreateGothProvider creates a GothProvider from this Provider
-func (c *CognitoProvider) CreateGothProvider(providerName, callbackURL string, source *Source) (goth.Provider, error) {
-	scopes := setting.OAuth2Client.OpenIDConnectScopes
-	if len(scopes) == 0 {
-		scopes = append(scopes, source.Scopes...)
-	}
-
-	provider, err := openidConnect.New(source.ClientID, source.ClientSecret, callbackURL, source.OpenIDConnectAutoDiscoveryURL, scopes...)
-	if err != nil {
-		log.Warn("Failed to create AWS Cognito Provider with name '%s' with url '%s': %v", providerName, source.OpenIDConnectAutoDiscoveryURL, err)
-		return nil, err
-	}
-	if source.ExternalIDClaim != "" {
-		// UserIdClaims is a fallback list; goth returns the first non-empty matching claim.
-		// A single entry is sufficient because the admin explicitly chooses one claim (e.g. "sub" for Cognito).
-		provider.UserIdClaims = []string{source.ExternalIDClaim}
-	}
-	return provider, nil
-}
-
-// CustomURLSettings returns the custom url settings for this provider
-func (c *CognitoProvider) CustomURLSettings() *CustomURLSettings {
-	return nil
-}
-
 var _ GothProvider = &CognitoProvider{}
 
 func init() {