Open HappyMakadiyaS opened 1 year ago
Hey @HappyMakadiyaS :wave: thanks for raising this! This seems similar to https://github.com/aws-amplify/amplify-cli/issues/11495, and as a workaround can you try running back through `amplify update auth` to re-input your social providers' credentials?
Additionally, without posting the contents, can you verify `~/.aws/amplify/deployment-secrets.json` contains the proper social provider config for this Amplify project?
potential duplicate of #9183, can you see if this comment helps resolve your issue? https://github.com/aws-amplify/amplify-cli/issues/9183#issuecomment-1297651792
note the error is different from "Internal Server Error" when the private key for SIWA is invalid https://github.com/aws-amplify/amplify-cli/issues/9478#issuecomment-1009285200
@josefaidt, I have done `amplify update auth` multiple times with the same credentials and tried to push. And it stores the proper config in `~/.aws/amplify/deployment-secrets.json`.
I am facing an `Internal server error`, as I have said.
```json
{
  "Status": "FAILED",
  "Reason": "See the details in CloudWatch Log Stream: ******",
  "PhysicalResourceId": "2022/12/02/[$LATEST]*****",
  "StackId": "****",
  "RequestId": "755******",
  "LogicalResourceId": "HostedUIProvidersCustomResourceInputs",
  "NoEcho": false,
  "Data": {
    "err": {
      "message": "Internal server error.",
      "code": "InternalErrorException",
      "time": "2022-12-02T10:12:13.234Z",
      "requestId": "dbc******",
      "statusCode": 500,
      "retryable": true
    }
  }
}
```
Got the same issue here. Reverting to a previous CLI version doesn't solve the issue.
I have configured Sign in with Apple via the Cognito user pool console and configured it successfully. Then I checked in Amplify Studio and Sign in with Apple is not there. `amplify pull` is also not fetching the config.
Another thing: if I try to add Sign in with Apple via Amplify Studio, then it throws the same error `HostedUIProvidersCustomResourceInputs (Custom::LambdaCallout)` and the logs which I have mentioned above.
If I link the already created user pool to the new Amplify app then all goes well. So I think the problem occurs when Auth is added via CLI using `amplify add auth`.
Hey @HappyMakadiyaS would you mind sending us the project ID output from `amplify diagnose --send-report`? May you also post the contents of your auth resource's `cli-inputs.json`?
Mine if that helps: `325445a2b82c24b5ad93ee4df1c519e9`
```json
where we talk about places
Your email verification code is {####}.
Don't share this code with anyone else, but share amazing chatrooms you found on tap!
",
    "defaultPasswordPolicy": false,
    "passwordPolicyMinLength": 8,
    "passwordPolicyCharacters": [],
    "requiredAttributes": [ "email" ],
    "aliasAttributes": [],
    "userpoolClientGenerateSecret": false,
    "userpoolClientRefreshTokenValidity": 30,
    "userpoolClientWriteAttributes": [ "email" ],
    "userpoolClientReadAttributes": [ "email", "family_name", "gender", "locale", "given_name", "email_verified" ],
    "userpoolClientLambdaRole": "Locati018ce4de_userpoolclient_lambda_role",
    "userpoolClientSetAttributes": true,
    "authSelections": "identityPoolAndUserPool",
    "resourceName": "TapApp",
    "serviceName": "Cognito",
    "useDefault": "manual",
    "sharedId": "018ce4de",
    "userPoolGroupList": [ "everyone" ],
    "userPoolGroups": true,
    "usernameAttributes": [ "email" ],
    "usernameCaseSensitive": false,
    "adminQueries": false,
    "hostedUI": true,
    "authRoleArn": { "Fn::GetAtt": [ "AuthRole", "Arn" ] },
    "unauthRoleArn": { "Fn::GetAtt": [ "UnauthRole", "Arn" ] },
    "breakCircularDependency": false,
    "useEnabledMfas": false,
    "dependsOn": [
      {
        "category": "function",
        "resourceName": "TapAppPostConfirmation",
        "triggerProvider": "Cognito",
        "attributes": [ "Arn", "Name" ]
      }
    ],
    "triggers": { "PostConfirmation": [ "add-to-group" ] },
    "parentStack": { "Ref": "AWS::StackId" },
    "authTriggerConnections": [ "{\"triggerType\":\"PostConfirmation\",\"lambdaFunctionName\":\"TapAppPostConfirmation\"}" ],
    "permissions": [ "{\n \"policyName\": \"AddToGroupCognito\",\n \"trigger\": \"PostConfirmation\",\n \"effect\": \"Allow\",\n \"actions\": [\n \"cognito-idp:AdminAddUserToGroup\",\n \"cognito-idp:GetGroup\",\n \"cognito-idp:CreateGroup\"\n ],\n \"resource\": {\n \"paramType\": \"!GetAtt\",\n \"keys\": [\n \"UserPool\",\n \"Arn\"\n ]\n }\n}" ],
    "hostedUIDomainName": "tapapp3ff22423-3ff22423",
    "authProvidersUserPool": [ "SignInWithApple" ],
    "hostedUIProviderMeta": "[{\"ProviderName\":\"SignInWithApple\",\"authorize_scopes\":\"email\",\"AttributeMapping\":{\"email\":\"email\"}}]",
    "authProviders": [ "appleid.apple.com" ],
    "signinwithappleAuthorizeScopes": [ "email" ],
    "oAuthSecretsPathAmplifyAppId": "d2qkbb2n3c556e",
    "thirdPartyAuth": true,
    "oAuthMetadata": "{\"AllowedOAuthFlows\":[\"code\"],\"AllowedOAuthScopes\":[\"phone\",\"email\",\"openid\",\"profile\",\"aws.cognito.signin.user.admin\"],\"CallbackURLs\":[\"com.TapApp://\"],\"LogoutURLs\":[\"com.TapApp://\"]}"
  }
}
```
My error on the cli:
```text
Deployment failed.
Deploying root stack TapApp [ ====------------------------------------ ] 2/20
amplify-tapapp-develop-195658 AWS::CloudFormation::Stack UPDATE_ROLLBACK_COMPLETE Wed Dec 07 2022 22:29:17…
functionTapAppPostConfirmation AWS::CloudFormation::Stack UPDATE_COMPLETE Wed Dec 07 2022 22:21:42…
authTapApp AWS::CloudFormation::Stack UPDATE_FAILED Wed Dec 07 2022 22:21:28…
Deploying auth TapApp [ ---------------------------------------- ] 0/25
HostedUIProvidersCustomResour… Custom::LambdaCallout UPDATE_FAILED Wed Dec 07 2022 22:21:20…
HostedUICustomResourceInputs Custom::LambdaCallout UPDATE_FAILED Wed Dec 07 2022 22:21:20…
Deploying auth userPoolGroups [ ---------------------------------------- ] 0/6
🛑 The following resources failed to deploy:
Resource Name: HostedUIProvidersCustomResourceInputs (Custom::LambdaCallout)
Event Type: update
Reason: Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2022/12/08/[$LATEST]6412bed6939a4dd6926dd0eb5aa58beb (RequestId: 3cd61139-324b-4825-9159-6a4d3c92c271)
URL: https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/arn%3Aaws%3Acloudformation%3Aus-east-1%3A969017758831%3Astack%2Famplify-tapapp-develop-195658-authTapApp-1VSLUWFWZA0B8%2F0d8818c0-8ec4-11ec-97a1-0a1b8104e20f/events
🛑 Resource is not in the state stackUpdateComplete
Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/
Session Identifier: 9b02aa8d-181a-44e6-9fb8-9b5e0df4026c
```
`amplify diagnose --send-report`
Hey @josefaidt, I created new auth via `amplify add auth` to reproduce the issue.
I have personally shared the report with you. You might have received the invitation link. https://drive.google.com/file/d/19GXfYaPSi2d6eFoybtMD9BwwKzabwduS/view?usp=sharing
Hey folks thanks for posting that information, it was certainly helpful, although I am unable to reproduce this issue. I've marked this as "investigating" and "pending-review" as I am taking a deeper look. In the meantime are you seeing any additional logs from the Lambda callout's output? The stack trace is helpful, however there are a few Cognito requests in this Lambda callout.
Thus far I have attempted to add SIWA on the initial creation, after update of a default social resource, update of a default social resource with one social provider, among several attempted updates of an existing resource after miscellaneous updates, to no avail.
possible duplicate of https://github.com/aws-amplify/amplify-cli/issues/10952
@josefaidt I'm able to resolve my issue. When I go to my `/aws/lambda/amplify-tapapp-develop-19-HostedUIProvidersCustomR-szswNLPP2izF` in CloudWatch I found an error log:
```text
2022-12-11T02:11:46.293Z ccb0cf7b-740a-4c2c-9c3c-3469b062af02 INFO Response body:
{"Status":"FAILED","Reason":"See the details in CloudWatch Log Stream: 2022/12/11/[$LATEST]7a220c662d4342b0941210d9752ade00","PhysicalResourceId":"2022/12/11/[$LATEST]7a220c662d4342b0941210d9752ade00","StackId":"arn:aws:cloudformation:us-east-1:969017758831:stack/amplify-tapapp-develop-195658-authTapApp-1VSLUWFWZA0B8/0d8818c0-8ec4-11ec-97a1-0a1b8104e20f","RequestId":"2cf3c680-65bf-45a1-9388-f7e9f4b31a9d","LogicalResourceId":"HostedUIProvidersCustomResourceInputs","NoEcho":false,"Data":{"err":{"message":"Provided private key cannot be used for Sign in with Apple.","code":"InvalidParameterException","time":"2022-12-11T02:11:46.286Z","requestId":"d15417b8-5b52-41d1-9f5f-d81127428f58","statusCode":400,"retryable":false,"retryDelay":20.170657897838073}}}
```
After passing the correctly formatted .p8 value (the entire thing as a single-line string) to the CLI, the push succeeded.
I'm not sure this is the same issue as the original issue though. Also it'd be nice to display this nested error in the CLI too; it would be super helpful for self-diagnosing.
Hey @YuantongL glad to hear you were able to resolve your issue, and yes I agree that this error should be surfaced faster during the CLI workflow. Please subscribe and react to this feature request to add input validation https://github.com/aws-amplify/amplify-cli/issues/8097
was able to consistently reproduce this issue using Amplify Studio with the following steps:
- `email` and add `phone number` as login mechanism
- social signin with Apple (`-----BEGIN PRIVATE KEY-----`) and deploy
Marking this as a bug given the Studio reproduction. For what it's worth I am unable to reproduce using the same Phone number requirement and SIWA with the CLI:
```text
➜ ay update auth
Please note that certain attributes may not be overwritten if you choose to use defaults settings.
Using service: Cognito, provided by: awscloudformation
What do you want to do? Apply default configuration with Social Provider (Federation)
What domain name prefix do you want to use? 115262f032cea-2f032cea
Enter your redirect signin URI: http://localhost:3000/
? Do you want to add another redirect signin URI No
Enter your redirect signout URI: http://localhost:3000/
? Do you want to add another redirect signout URI No
Select the identity providers you want to configure for your user pool: Sign in with Apple
You've opted to allow users to authenticate via Sign in with Apple. If you haven't already, you'll need to go to https://developer.apple.com/account/#/welcome and configure Sign in with Apple.
Enter your Services ID for your OAuth flow: fake
Enter your Team ID for your OAuth flow: fake
Enter your Key ID for your OAuth flow: fake
Enter your Private Key for your OAuth flow: <valid-private-key>
```
Note: further testing on CLI.
Using add auth headless with `-----BEGIN PRIVATE KEY-----`, `-----END PRIVATE KEY-----` causes the hosted provider function to fail.
Ran:
```sh
cat authadd.json | jq -c | amplify add auth --headless
```
with content:
```json
{
  "version": 2,
  "resourceName": "test",
  "serviceConfiguration": {
    "serviceName": "Cognito",
    "includeIdentityPool": true,
    "identityPoolConfiguration": {
      "identityPoolName": "testAuthIdentityPool",
      "unauthenticatedLogin": false
    },
    "userPoolConfiguration": {
      "userPoolName": "test",
      "signinMethod": "PHONE_NUMBER",
      "requiredSignupAttributes": [],
      "userPoolGroups": [],
      "mfa": {
        "mode": "OFF"
      },
      "passwordPolicy": {
        "minimumLength": 8,
        "additionalConstraints": [
          "REQUIRE_LOWERCASE",
          "REQUIRE_DIGIT",
          "REQUIRE_SYMBOL",
          "REQUIRE_UPPERCASE"
        ]
      },
      "autoVerifiedAttributes": [
        {
          "type": "EMAIL",
          "verificationSubject": "Verification code: {####}",
          "verificationMessage": "Verification code: {####}"
        }
      ],
      "oAuth": {
        "domainPrefix": "domain",
        "redirectSigninURIs": ["https://localhost:3000/"],
        "redirectSignoutURIs": ["https://localhost:3000/"],
        "oAuthGrantType": "CODE",
        "oAuthScopes": [
          "PHONE",
          "EMAIL",
          "OPENID",
          "PROFILE",
          "AWS.COGNITO.SIGNIN.USER.ADMIN"
        ],
        "socialProviderConfigurations": [
          {
            "provider": "SIGN_IN_WITH_APPLE",
            "clientId": "id",
            "teamId": "id",
            "keyId": "id",
            "privateKey": "-----BEGIN PRIVATE KEY----- <Key> -----END PRIVATE KEY-----"
          }
        ]
      }
    }
  }
}
```
then `amplify push` fails and the CloudWatch logs show an internal server error.
@ykethan can you confirm if the issue you are seeing is because of not including the `-----BEGIN PRIVATE KEY-----`, `-----END PRIVATE KEY-----`?
I found that the internal service exception is happening because a required OAuth authorized scope was missing from the request, which is caused by leaving `requiredSignupAttributes` empty. It needs to have `PHONE_NUMBER` included in it since that's the signup method for your user pool.
Hey @Amplifiyer, I have tested again and you are right, this issue is occurring only when `requiredSignupAttributes` / `signupAttributes` is empty.
But my current use cases contain multiple authentication methods like email/password auth, OTP-based phone number (custom auth) and social sign-in. So I cannot make email/phone number a required parameter during sign-up.
Do you know why this attribute dependency is for SIWA only and not for other social providers?
I am facing this issue as well
@josefaidt Still facing this issue in both Studio and CLI
@HappyMakadiyaS I was able to solve the deployment by making sure the attribute mapping under `hostedUIProviderMeta` in `cli-inputs.json` was correct for the Apple provider:
```json
"[{\"ProviderName\":\"SignInWithApple\",\"authorize_scopes\":\"email\",\"AttributeMapping\":{\"email\":\"email\"}}]",
```
@ekreloff THANK YOU SO MUCH ❤️
Note: Reproduction steps from https://github.com/aws-amplify/amplify-cli/issues/13549#issuecomment-1904694484
```sh
~/.amplify/bin/amplify init --yes
echo '{"version":2,"resourceName":"jan22","serviceConfiguration":{"serviceName":"Cognito","includeIdentityPool":true,"identityPoolConfiguration":{"identityPoolName":"testAuthIdentityPool","unauthenticatedLogin":false},"userPoolConfiguration":{"userPoolName":"jan22","signinMethod":"EMAIL","requiredSignupAttributes":[],"userPoolGroups":[],"mfa":{"mode":"OFF"},"passwordPolicy":{"minimumLength":8,"additionalConstraints":["REQUIRE_LOWERCASE","REQUIRE_DIGIT","REQUIRE_SYMBOL","REQUIRE_UPPERCASE"]},"autoVerifiedAttributes":[{"type":"EMAIL","verificationSubject":"Verification code: {####}","verificationMessage":"Verification code: {####}"}],"oAuth":{"domainPrefix":"gnardcpta3i9","redirectSigninURIs":["http://localhost:3000/"],"redirectSignoutURIs":["http://localhost:3000/"],"oAuthGrantType":"CODE","oAuthScopes":["PHONE","EMAIL","OPENID","PROFILE","AWS.COGNITO.SIGNIN.USER.ADMIN"],"socialProviderConfigurations":[{"provider":"SIGN_IN_WITH_APPLE","clientId":"***","teamId":"***","keyId":"***","privateKey":"***"}]}}}}' | ~/.amplify/bin/amplify add auth --headless
~/.amplify/bin/amplify push --yes
```
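The three causes the thread converges on (an empty `requiredSignupAttributes` alongside Sign in with Apple, a .p8 key pasted with its PEM header/footer or line breaks, and a wrong `hostedUIProviderMeta` mapping) can all be caught locally before `amplify push` reaches the `HostedUIProvidersCustomResourceInputs` callout. The lint below is an added example, not Amplify CLI code; it assumes the headless payload shape shown in this thread, and its sample payload is constructed from the failing one posted above, with the `requiredSignupAttributes` check applied to the `EMAIL` sign-in method as well as `PHONE_NUMBER`, matching the later reproduction.

```python
import json
import re

# Added pre-push lint (not Amplify CLI code) for the Sign in with Apple failure
# causes this thread identifies: empty requiredSignupAttributes, a .p8 key pasted
# with PEM header/footer or line breaks, and a wrong hostedUIProviderMeta mapping.

PEM_MARKERS = ("-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----")
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")

def lint_headless_auth(cfg: dict) -> list:
    """Return problems in a headless `amplify add auth` payload; [] means clean."""
    pool = cfg["serviceConfiguration"]["userPoolConfiguration"]
    providers = pool.get("oAuth", {}).get("socialProviderConfigurations", [])
    siwa = [p for p in providers if p.get("provider") == "SIGN_IN_WITH_APPLE"]
    problems = []
    if not siwa:
        return problems
    # The sign-in attribute must also be a required signup attribute, or the
    # provider callout lacks an authorized scope and fails with a bare 500.
    signin = pool.get("signinMethod")
    if signin in ("EMAIL", "PHONE_NUMBER") and signin not in pool.get("requiredSignupAttributes", []):
        problems.append(f"requiredSignupAttributes must include {signin} when SIGN_IN_WITH_APPLE is configured")
    for p in siwa:
        key = p.get("privateKey", "")
        if any(marker in key for marker in PEM_MARKERS):
            problems.append("privateKey must not contain the PEM BEGIN/END lines")
        elif not BASE64_LINE.match(key):
            problems.append("privateKey must be the .p8 body as a single base64 line")
    return problems

def lint_provider_meta(meta_json: str) -> list:
    """Check the hostedUIProviderMeta string stored in cli-inputs.json."""
    problems = []
    for entry in json.loads(meta_json):
        if entry.get("ProviderName") != "SignInWithApple":
            continue
        if "email" not in entry.get("authorize_scopes", "").split(","):
            problems.append("SignInWithApple authorize_scopes must include email")
        if entry.get("AttributeMapping", {}).get("email") != "email":
            problems.append("SignInWithApple AttributeMapping must map email to email")
    return problems

# Constructed sample mirroring the failing headless payload posted in this thread.
BAD_PAYLOAD = {"version": 2, "resourceName": "test", "serviceConfiguration": {"serviceName": "Cognito",
    "userPoolConfiguration": {"userPoolName": "test", "signinMethod": "PHONE_NUMBER",
        "requiredSignupAttributes": [], "oAuth": {"socialProviderConfigurations": [{
            "provider": "SIGN_IN_WITH_APPLE", "clientId": "id", "teamId": "id", "keyId": "id",
            "privateKey": "-----BEGIN PRIVATE KEY----- <Key> -----END PRIVATE KEY-----"}]}}}}
```

Running `lint_headless_auth(BAD_PAYLOAD)` reports both the missing `PHONE_NUMBER` signup attribute and the PEM-wrapped key, which is exactly the pair of mistakes the CloudWatch stream only surfaces as an opaque error.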
Before opening, please confirm:
How did you install the Amplify CLI?
curl
If applicable, what version of Node.js are you using?
v19.1.0
Amplify CLI Version
10.5.1
What operating system are you using?
Mac Ventura 13.0.1
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
No manual changes made
Amplify Categories
auth
Amplify Commands
push
Describe the bug
Updating auth via `amplify update auth`. Followed the steps mentioned in the reproduction steps. Applying change to cloud via `amplify push`. Facing error over here: CloudWatch logs:
Expected behavior
I want to configure Sign in with Apple - OAuth social providers using amplify cli.
Reproduction steps
`amplify update auth`
Note: For the Private key I am entering the key from the .p8 file by removing `-----BEGIN PRIVATE KEY-----`, `-----END PRIVATE KEY-----`, `\n`, the space at the end of the line and pasting the main private key in a single line. (As mentioned here)
`amplify push`
Produced error mentioned above
GraphQL schema(s)
Project Identifier
No response
Log output
Additional information
No response