amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up and sign-in with user profile functionality to web apps.
Apache License 2.0

how to set state parameter in the callback URL? #44

Closed goldenbearkin closed 6 years ago

goldenbearkin commented 6 years ago

I have a SPA and would like to pass back the route information so that user can redirect to the route where they intend to access before undergo authentication.

I found from the AWS documentation http://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html saying I can pass the state value back to the client:

and I tried this, but it didn't work:

```js
{
  ClientId: '*************************',
  AppWebDomain: '***********.auth.ap-northeast-1.amazoncognito.com',
  TokenScopesArray: ['email openid profile'],
  RedirectUriSignIn: `https://*****/cognitocallback?STATE=dashboard`,
  RedirectUriSignOut: `https://*****`
}
```

I can find auth.getSession() as the only API to sign in a user. Please suggest how to do it for this library? Many thanks

*I am sorry that I asked the same question before, but it got closed immediately.

jonasao commented 6 years ago

In this version, the state parameter is set automatically within the CognitoAuth class. Setting the state parameter the way you have attempted makes the RedirectUriSignIn corrupt, due to the fact that it is being URL-encoded along with the STATE parameter when making the request to the AWS endpoint.

yuntuowang commented 6 years ago

@jonasao is correct.

yuntuowang commented 6 years ago

What @jonasao mentioned is correct. Apart from that, if @goldenbearkin has a specific use case and needs to set a "state" parameter to store some info when redirecting between different pages, could you describe your use case in more detail? We can see if we can help from our side.

davepacifico commented 6 years ago

So the primary use-case is as @goldenbearkin said - to redirect the user back to the original url they requested. Basically, you can do something like Base64 encode a string which includes both a nonce and the original url the user requested (say /posts/5) and then when authentication succeeds and the built-in Cognito login UI redirects to your static redirect url (perhaps /login), you can decode the state parameter and redirect the user to /posts/5 as they originally requested.

From my perspective that is a pretty critical user experience. It's what I was doing when I was using amazon-cognito-identity-js directly, but I have found this library to be very useful other than that one (relatively major) issue. I'm hoping I can manage to work around it rather than bail on the library entirely. Suggestions are welcome.

We really just need a hook into the generation of the state parameter. It seems to me like the current approach of just generating a random string adds no value because it isn't subsequently checked after login. If we could generate our own state parameter, we could do whatever we wanted with it after the redirect back to our app.

mymattcarroll commented 6 years ago

I would suggest storing the url your user is attempting to go to in local storage before directing to the hosted login screen. After login and redirection back to generic callback screen, pull the desired url back out of local storage and redirect to it.