amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0

how to add parameters in callback url #58

Closed xingzhougmu closed 6 years ago

xingzhougmu commented 6 years ago


@jonasao @yuntuowang

Hi,

I am trying to migrate our current OAuth2 server to AWS Cognito, but encounter the following issue.

When my app requests an authorisation code, it will add some parameters to the callback URL. Let's say the callback URL looks like:

https://open.bot.tmall.com/oauth/callback?skillid=123&token=456

Then the authorization endpoint will be:

https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?
response_type=code&
client_id=ad398u21ijw3s9w3939&
redirect_uri=https://open.bot.tmall.com/oauth/callback?skillid=123&token=456&
state=STATE&
scope=openid+profile+aws.cognito.signin.user.admin

This will not work as the URL is not valid with two question marks. So our app will encode the redirect URL, and the authorization endpoint will be:

https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?
response_type=code&
client_id=ad398u21ijw3s9w3939&
redirect_uri=https%3A%2F%2Fopen.bot.tmall.com%2Foauth%2Fcallback%3Fskillid%3D123%26token%3D456&
state=STATE&
scope=openid+profile+aws.cognito.signin.user.admin

Then comes my question: how do I set the callback URL in the AWS Management portal?

jonasao commented 6 years ago

The callback URL is set in your AWS Cognito user pool, under App Integration -> App client settings.

vlekakis commented 6 years ago

Here's an example of the callback URI https://test1215.auth.us-east-1.amazoncognito.com/signup?response_type=token&redirect_uri=https://www.google.com/search%3Fq%3DAMZN%26oq%3DAMZN&client_id=18qvegl9q8cp779pa7fjqqpljn

xingzhougmu commented 6 years ago

@vlekakis Thanks for your reply. In your example, should I put "https://www.google.com/search?q=AMZN&oq=AMZN" as the callback URL in the position @jonasao mentioned?

However, my case is more complicated with the following two points:

  1. The parameter value is dynamic, not fixed.
  2. The whole redirect URL is URL-encoded.

So, what should I set in App Integration -> App client settings?

yuntuowang commented 6 years ago

Hi @xingzhougmu, for the example @vlekakis mentioned, you can put "https://www.google.com/search%3Fq%3DAMZN%26oq%3DAMZN" or "https://www.google.com/search?q=AMZN&oq=AMZN" as the callback URL in the position @jonasao mentioned.

yuntuowang commented 6 years ago

@xingzhougmu And for your case, you can see more details here: https://github.com/aws/amazon-cognito-auth-js/issues/44

We will mark this as a feature request and discuss it in our meetings. We will post on this issue once we have any new status. Thanks!

goldenbearkin commented 6 years ago

I think the best way is to allow modifying the STATE parameter. In my use case, I would like to redirect the user to the path which he/she originally landed on (you don't know where the user will land beforehand). In this case, I need to modify the STATE parameter to embed the path information before kicking off getSession(); the STATE parameter will then be sent back through RedirectUriSignIn, and I can extract the path information and do my own logic.

Besides storing 'state' in the STATE parameter, it is also used to prevent CSRF attacks. By looking at the source code, I don't see this library providing any CSRF protection out of the box.

yuntuowang commented 6 years ago

Hi @goldenbearkin, I agree with you. We just released support for developers modifying the STATE parameter. Please check the newest version, 1.1.2.